MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c9e1807c9a1b6c46cf5d4a3747a005cdf39b5373ccf093723831ed1d6ca1950. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 7

Intelligence 7 IOCs 1 YARA 11 File information Comments

SHA256 hash:	1c9e1807c9a1b6c46cf5d4a3747a005cdf39b5373ccf093723831ed1d6ca1950
SHA3-384 hash:	9fd5d461dccbdb2091bff1ab86eaa6588c4cb9cbfbe7d1cbc1dcd2cee4606f5cfb07a15b9c8b5f10889c983acc33c358
SHA1 hash:	a51291381ac2696a3a2587691b5871b989bc84c9
MD5 hash:	17bdc267a6726b32a6fca7e385917221
humanhash:	may-romeo-oven-edward
File name:	document-945314558.xlsm
Download:	download sample
Signature	IcedID Create hunting rule
File size:	108'063 bytes
First seen:	2021-03-31 02:17:06 UTC
Last seen:	Never
File type:	xlsm
MIME type:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep	3072:k2CxNFcWr5qQDzPjEwqtDpko+bJ99K7meX7pD/:kzxjYDj+d9imeX7pD/
TLSH	5AB3D0AD8B02F5BBD294DE3CD04AB4518EB691732F0F751B24AE439B0806DD61D1F62B
Reporter	abuse_ch
Tags:	IcedID xlsm

abuse_ch

IcedID C2:
usaaforced.fun

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
usaaforced.fun	https://threatfox.abuse.ch/ioc/6146/

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
Base64	7mu	N211
Base64	Cmu	Q211
Base64	Gmu	R211
Base64	Kmu	S211
Base64	Omu	T211
Base64	Smu	U211
Base64	Wmu	V211
Base64	_mu	X211
Base64	3mv	M212
Base64	7mv	N212
Base64	Cmv	Q212
Base64	Gmv	R212
Base64	Kmv	S212
Base64	Omv	T212
Base64	Smv	U212
Base64	Wmv	V212
Base64	_mv	X212
Base64	3mw	M213
Base64	7mw	N213
Base64	Cmw	Q213
Base64	Gmw	R213
Base64	Kmw	S213
Base64	Omw	T213
Base64	Smw	U213
Base64	Wmw	V213
Base64	_mw	X213
Base64	3mx	M214
Base64	7mx	N214
Base64	Cmx	Q214
Base64	Gmx	R214
Base64	Kmx	S214
Base64	Omx	T214
Base64	Smx	U214
Base64	Wmx	V214
Base64	_mx	X214
Base64	3my	M215
Base64	7my	N215
Base64	Cmy	Q215
Base64	Gmy	R215
Base64	Kmy	S215
Base64	Omy	T215
Base64	Smy	U215
Base64	Wmy	V215
Base64	_my	X215
Base64	3mz	M216
Base64	7mz	N216
Base64	Cmz	Q216
Base64	Gmz	R216
Base64	Kmz	S216
Base64	Omz	T216
Base64	Smz	U216
Base64	Wmz	V216
Base64	_mz	X216
Base64	3n4	M240
Base64	7n4	N240
Base64	Cn4	Q240
Base64	Gn4	R240
Base64	Kn4	S240
Base64	On4	T240
Base64	Sn4	U240
Base64	Wn4	V240
Base64	_n4	X240
Base64	3n5	M241
Base64	7n5	N241
Base64	Cn5	Q241
Base64	Gn5	R241
Base64	Kn5	S241
Base64	On5	T241
Base64	Sn5	U241
Base64	Wn5	V241
Base64	_n5	X241
Base64	3n6	M242
Base64	7n6	N242
Base64	Cn6	Q242
Base64	Gn6	R242
Base64	3_4	M180
Base64	Kn6	S242
Base64	7_4	N180
Base64	On6	T242
Base64	C_4	Q180
Base64	Sn6	U242
Base64	G_4	R180
Base64	Wn6	V242
Base64	K_4	S180
Base64	_n6	X242
Base64	O_4	T180
Base64	3n7	M243
Base64	S_4	U180
Base64	7n7	N243
Base64	W_4	V180
Base64	Cn7	Q243
Base64	__4	X180
Base64	Gn7	R243
Base64	3_5	M181
Base64	Kn7	S243
Base64	7_5	N181
Base64	On7	T243
Base64	C_5	Q181
Base64	Sn7	U243
Base64	G_5	R181
Base64	Wn7	V243
Base64	K_5	S181
Base64	_n7	X243
Base64	O_5	T181
Base64	S_5	U181
Base64	W_5	V181
Base64	__5	X181
Base64	3_6	M182
Base64	7_6	N182
Base64	C_6	Q182
Base64	G_6	R182
Base64	K_6	S182
Base64	O_6	T182
Base64	S_6	U182
Base64	W_6	V182
Base64	__6	X182
Base64	3_7	M183
Base64	7_7	N183
Base64	C_7	Q183
Base64	G_7	R183
Base64	K_7	S183
Base64	O_7	T183
Base64	S_7	U183
Base64	W_7	V183
Base64	__7	X183
Base64	3_8	M184
Base64	7_8	N184
Base64	C_8	Q184
Base64	G_8	R184
Base64	K_8	S184
Base64	O_8	T184
Base64	S_8	U184
Base64	W_8	V184
Base64	__8	X184
Base64	3_9	M185
Base64	7_9	N185
Base64	C_9	Q185
Base64	G_9	R185
Base64	K_9	S185
Base64	O_9	T185
Base64	S_9	U185
Base64	W_9	V185
Base64	__9	X185
Base64	3_t	M190
Base64	7_t	N190
Base64	C_t	Q190
Base64	G_t	R190
Base64	K_t	S190
Base64	O_t	T190
Base64	S_t	U190
Base64	W_t	V190
Base64	__t	X190
Base64	3_u	M191
Base64	7_u	N191
Base64	C_u	Q191
Base64	G_u	R191
Base64	K_u	S191
Base64	O_u	T191
Base64	S_u	U191
Base64	W_u	V191
Base64	__u	X191
Base64	3_v	M192
Base64	7_v	N192
Base64	C_v	Q192
Base64	G_v	R192
Base64	K_v	S192
Base64	O_v	T192
Base64	S_v	U192
Base64	W_v	V192
Base64	__v	X192
Base64	3_w	M193
Base64	7_w	N193
Base64	C_w	Q193
Base64	G_w	R193
Base64	K_w	S193
Base64	O_w	T193
Base64	S_w	U193
Base64	W_w	V193
Base64	__w	X193
Base64	3_x	M194
Base64	7_x	N194
Base64	C_x	Q194
Base64	G_x	R194
Base64	K_x	S194
Base64	O_x	T194
Base64	S_x	U194
Base64	W_x	V194
Base64	__x	X194
Base64	3_y	M195
Base64	7_y	N195
Base64	C_y	Q195
Base64	G_y	R195
Base64	K_y	S195
Base64	O_y	T195
Base64	S_y	U195
Base64	W_y	V195
Base64	__y	X195
Base64	3_z	M196
Base64	7_z	N196
Base64	C_z	Q196
Base64	G_z	R196
Base64	K_z	S196
Base64	O_z	T196
Base64	S_z	U196
Base64	W_z	V196
Base64	__z	X196
Base64	3m4	M200
Base64	7m4	N200
Base64	Cm4	Q200
Base64	Gm4	R200
Base64	Km4	S200
Base64	Om4	T200
Base64	Sm4	U200
Base64	Wm4	V200
Base64	_m4	X200
Base64	3m5	M201
Base64	7m5	N201
Base64	Cm5	Q201
Base64	Gm5	R201
Base64	Km5	S201
Base64	Om5	T201
Base64	Sm5	U201
Base64	Wm5	V201
Base64	_m5	X201
Base64	3m6	M202
Base64	7m6	N202
Base64	Cm6	Q202
Base64	Gm6	R202
Base64	Km6	S202
Base64	Om6	T202
Base64	Sm6	U202
Base64	Wm6	V202
Base64	_m6	X202
Base64	3m7	M203
Base64	7m7	N203
Base64	Cm7	Q203
Base64	Gm7	R203
Base64	Km7	S203
Base64	Om7	T203
Base64	Sm7	U203
Base64	Wm7	V203
Base64	_m7	X203
Base64	3m8	M204
Base64	7m8	N204
Base64	Cm8	Q204
Base64	Gm8	R204
Base64	Km8	S204
Base64	Om8	T204
Base64	Sm8	U204
Base64	Wm8	V204
Base64	_m8	X204
Base64	3m9	M205
Base64	7m9	N205
Base64	Cm9	Q205
Base64	Gm9	R205
Base64	Km9	S205
Base64	Om9	T205
Base64	Sm9	U205
Base64	Wm9	V205
Base64	_m9	X205
Base64	3mt	M210
Base64	7mt	N210
Base64	Cmt	Q210
Base64	Gmt	R210
Base64	Kmt	S210
Base64	Omt	T210
Base64	Smt	U210
Base64	Wmt	V210
Base64	_mt	X210
Base64	3mu	M211
Suspicious	FORMULA.FILL	May modify Excel 4 Macro formulas at runtime
Suspicious	EXEC	May run an executable file or a system
Suspicious	Hex Strings	Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious	Base64 Strings	Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

document-945314558.xlsm

Verdict:

No threats detected

Analysis date:

2021-03-31 08:32:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e081aad7-ec54-40e4-a935-fee8839291d9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

File type:

application/vnd.ms-excel.sheet.macroEnabled.12

Has a screenshot:

False

Contains macros:

True

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/128882/

Detection(s):

TwinWave.EvilDoc.OXML.EvilMacroSheetMignightQakTrainToMemphis.20210121.UNOFFICIAL

TwinWave.EvilDoc.EnjoyTheSilence.M2.20210317.UNOFFICIAL

TwinWave.EvilDoc.XLMSumBodyToLove.M2.032421.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Creating a process with a hidden window

Sending a custom TCP request by exploiting the app vulnerability

Launching a process by exploiting the app vulnerability

Result

Verdict:

Malicious

File Type:

OOXML Excel File with Excel4Macro

Link:

https://app.docguard.net/1c9e1807c9a1b6c46cf5d4a3747a005cdf39b5373ccf093723831ed1d6ca1950/results/dashboard

Document image

Image:

Download PNG

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/1c9e1807c9a1b6c46cf5d4a3747a005cdf39b5373ccf093723831ed1d6ca1950

Details

Autostarting Excel Macro Sheet

Excel contains Macrosheet logic that will trigger automatically upon document open.

Gathering data

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dspbqb6jug3mi3hv2srxi6qaltpttnjxhthqsnzdqmpndvwkdfia._file

Result

Malware family:

icedid

Score:

10/10

Tags:

family:icedid banker loader macro trojan xlm

Link:

https://tria.ge/reports/210331-xlt5gs9jn6/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Loads dropped DLL

Blocklisted process makes network request

IcedID First Stage Loader

IcedID, BokBot

Process spawned unexpected child process

Malware Config

C2 Extraction:

usaaforced.fun

Dropper Extraction:

https://metaflip.io/ds/3003.gif
https://partsapp.com.br/ds/3003.gif
https://columbia.aula-web.net/ds/3003.gif
https://tajushariya.com/ds/3003.gif
https://agenbolatermurah.com/ds/3003.gif

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.40

Link:

https://yomi.yoroi.company/submissions/1c9e1807c9a1b6c46cf5d4a3747a005cdf39b5373ccf093723831ed1d6ca1950

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	buerloader_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	dridex_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Microsoft_XLSX_with_Macrosheet Create hunting rule

Rule name:	quakbot_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	SharedStrings Create hunting rule
Author:	Katie Kleemola
Description:	Internal names found in LURK0/CCTV0 samples

Rule name:	silentbuilder_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	UAC_bypass_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/128882/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample