MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2056b52f8c2f62e222107e6fb6ca82708cdae73a91671d40e61aef8698e3e139. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID


Vendor detections: 9



SHA256 hash: 2056b52f8c2f62e222107e6fb6ca82708cdae73a91671d40e61aef8698e3e139
SHA3-384 hash: 00da34dbbb639f71a891a38749f9ec89b93652465e77619d15d9e892878aedac674b5391bc8cd3e2e53ac016aaadd54d
SHA1 hash: f4fc619c58998dd136d8b096b69d60d06566dafa
MD5 hash: 217f003ed3ba32b0f5df3e8c08460eff
humanhash: south-pasta-cardinal-early
File name: file.docm
Signature: IcedID
File size: 1'289'793 bytes
First seen: 2022-09-18 05:40:31 UTC
Last seen: Never
File type: zip
MIME type: application/octet-stream
ssdeep: 24576:CLJSlW2Oo6wewLPhHI38vYbiMefcVKFCk0RbtJ8wVpaIeOmZKAIIy7nQvx:CLJSlh6SLPhosvmSf+KCbcEsIyKAIznq
TLSH: T17A55237385C4AC496B7F6618BCD748A19A1F3148412FFCB22A7B10F9B8DDC312758A6D
TrID: 51.0% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
38.0% (.ZIP) Open Packaging Conventions container (17500/1/4)
8.6% (.ZIP) ZIP compressed archive (4000/1)
2.1% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: @abuse_ch
Tags: docm IcedID zip


Twitter
@abuse_ch
IcedID C2:
allozelkot.com

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'890
Origin country: n/a
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malicious
File Type:
Legacy Office File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros macros-on-open
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Threat name:
Document-Office.Trojan.Sadoca
Status:
Malicious
First seen:
2022-09-14 20:46:14 UTC
File Type:
Document
Extracted files:
26
AV detection:
6 of 39 (15.38%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:icedid campaign:809191839 banker loader trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
IcedID, BokBot
Process spawned unexpected child process
Malware Config
C2 Extraction:
allozelkot.com

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest2
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest3
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest4
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: allozelkot.com
ThreatFox Reference: https://threatfox.abuse.ch/ioc/849736

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments