MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20a605a18b48b55adb6ae9c0024013be69ec884e7407ca50b39177035dc7b948. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20a605a18b48b55adb6ae9c0024013be69ec884e7407ca50b39177035dc7b948
SHA3-384 hash: a6379dd2b487fa6ea37424f66a9e2b91bfed055ef43e1467ee14ab452c5ede79bf6fe74e619aeb726bb03296192a5d4c
SHA1 hash: 95c2c93e9874489a9c2e03177e083b12c0012d61
MD5 hash: 92e307d3ca590e80b08518e8d3db0fa0
humanhash: autumn-lemon-oxygen-eleven
File name:20a605a18b48b55adb6ae9c0024013be69ec884e7407ca50b39177035dc7b948
Download: download sample
Signature IcedID
Create hunting rule
File size:756'208 bytes
First seen:2022-01-03 10:57:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ebb3c09b06b1666d307952e824c8697 (15 x RedLineStealer, 13 x LgoogLoader, 7 x NanoCore)
ssdeep 12288:IU9LhycMci8EAkBZGBExVnFFzWMSsLLLMW0oDLwZdTVirjWaYjz:I08cMci8rk8yRqM/nMWzDLSdRirKaiz
Threatray 1'284 similar samples on MalwareBazaar
TLSH T1A7F42302A1C4C07FD4D193F106FE27536D38BCC07BB4679B220D7AD219B12D56ABA36A
File icon (PE):PE icon
dhash icon 0040006222000000 (1 x IcedID)
Reporter JAMESWT_WT
Tags:exe IcedID Revo Security SRL signed

Code Signing Certificate

Organisation:Revo Security SRL
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2021-11-27T00:00:00Z
Valid to:2022-11-24T23:59:59Z
Serial number: 06bcb74291d96096577bdb1e165dce85
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 8580fc689c62644b6df809491a210228756522c1074c98ebecf1d08fe4f9bf7a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20a605a18b48b55adb6ae9c0024013be69ec884e7407ca50b39177035dc7b948
Verdict:
Malicious activity
Analysis date:
2022-01-03 10:59:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e8382b95-99ba-40ae-830d-7ba13a40cf55

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217140/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38030323.18253.11722.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3740/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61d2d6be7837ada941a9e336/reports/ca571d10-4222-49fe-9bb6-bdc7371e7ab9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/84538470-e165-4cbc-be7d-f5bc7f0b5d6a
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
99 / 100
Link:
https://www.joesandbox.com/analysis/914845
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Drops PE files with a suspicious file extension
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries with encoded ASCII data (may be used to data exfiltration)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 547323 Sample: sB2eOH1lPr Startdate: 03/01/2022 Architecture: WINDOWS Score: 99 67 fp-afd.azurefd.us 2->67 69 carpricegoods.com 2->69 71 4 other IPs or domains 2->71 93 Found malware configuration 2->93 95 Multi AV Scanner detection for dropped file 2->95 97 Multi AV Scanner detection for submitted file 2->97 99 4 other signatures 2->99 14 sB2eOH1lPr.exe 1 5 2->14         started        16 rundll32.exe 2->16         started        signatures3 process4 signatures5 19 cmd.exe 1 14->19         started        22 extrac32.exe 14->22         started        85 System process connects to network (likely due to code injection or exploit) 16->85 87 Contains functionality to detect hardware virtualization (CPUID execution measurement) 16->87 89 Tries to detect virtualization through RDTSC time measurements 16->89 process6 signatures7 101 Obfuscated command line found 19->101 103 Uses ping.exe to sleep 19->103 105 Drops PE files with a suspicious file extension 19->105 107 Uses ping.exe to check the status of other devices and networks 19->107 24 cmd.exe 3 19->24         started        28 PING.EXE 1 19->28         started        31 conhost.exe 19->31         started        process8 dnsIp9 61 C:\Users\user\AppData\Local\...\Avra.exe.com, PE32 24->61 dropped 113 Obfuscated command line found 24->113 33 Avra.exe.com 24->33         started        36 findstr.exe 1 24->36         started        83 127.0.0.1 unknown unknown 28->83 file10 signatures11 process12 signatures13 91 Uses ipconfig to lookup or modify the Windows network settings 33->91 38 Avra.exe.com 1 33->38         started        process14 dnsIp15 79 ReYbiWPndXJ.ReYbiWPndXJ 38->79 57 C:\Users\user\AppData\Local\...\ipconfig.exe, PE32 38->57 dropped 59 C:\Users\...\eventbeacons.dat.~tmp (copy), PE32 38->59 dropped 111 Maps a DLL or memory area into another process 38->111 43 ipconfig.exe 14 38->43         started        file16 signatures17 process18 dnsIp19 81 setup6.com 172.67.154.157, 443, 49827 CLOUDFLARENETUS United States 43->81 63 C:\Users\user\AppData\...\vcredist64.dll, PE32+ 43->63 dropped 65 C:\Users\user\AppData\...\vcredist64[1].dll, PE32+ 43->65 dropped 47 cmd.exe 1 43->47         started        file20 process21 process22 49 rundll32.exe 47->49         started        51 conhost.exe 47->51         started        process23 53 rundll32.exe 49->53         started        dnsIp24 73 carpricegoods.com 5.181.80.215, 49877, 49878, 49879 TELEHOUSE-ASBG Bulgaria 53->73 75 dr49lng3n1n2s.cloudfront.net 13.224.92.74, 443, 49876 AMAZON-02US United States 53->75 77 3 other IPs or domains 53->77 109 System process connects to network (likely due to code injection or exploit) 53->109 signatures25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20a605a18b48b55adb6ae9c0024013be69ec884e7407ca50b39177035dc7b948/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-16 02:13:00 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
17 of 43 (39.53%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
034e8e297165eeb14372eea7a7e68756e561df39b84c5be924e542a36dee7418
IcedID
0b1396805e736275f16550f3ecc5361cfcccc468094b4ea910ded8eaf430a5b3
IcedID
199f2dc4388a96b80edc0881ac6e70b33833ddb801d15a53981e0ce7624fe371
IcedID
2992c4b00c678a438b0b935e09e0fd341a44c46fe0dd2f18621570f55133e4df
IcedID
44e401aaf0b52528aa033257c1a1b8a09a2b10edf26edaafcef0f45a2c40e885
IcedID
5ecfe4ce56696312991f74569ffbe173a6dda8878dd2eb2c2ee109a4a4d4740f
IcedID
6d4b1031747308c41fc259009bda24ff434cf0efdcbbf256bf7121b8f8c28bab
IcedID
7dc5a00ea0996d4edb8fbee2a9d2caa97ece60b4d5f755c3e82a06205ee2a385
IcedID
aec584f657593d973f0e14a4cb30e6ceeb27c9173b72816a4123ba9cd4e90c1c
IcedID
c54ca1df46d817348c9bdf18f857459d7ca05c51f7f309e4d4de085136e3ed76
IcedID
+ 1'274 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid campaign:2970915518 banker persistence trojan
Link:
https://tria.ge/reports/220103-m2t5zsbcb8/
Behaviour
Gathers network information
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
IcedID, BokBot
Malware Config
C2 Extraction:
carpricegoods.com
Unpacked files
SH256 hash:
aa9f79423383e4cabbace73305ab3bf1684da50d7589fde87268f5a3c4896628
MD5 hash:
2698f0e38cf74503801cee2786392ad8
SHA1 hash:
02af0ad354246b05788e466ca2adf6f0ac4ad23a
Link:
https://www.unpac.me/results/7914f065-3e43-468f-8b8d-c56b779b5221/
SH256 hash:
20a605a18b48b55adb6ae9c0024013be69ec884e7407ca50b39177035dc7b948
MD5 hash:
92e307d3ca590e80b08518e8d3db0fa0
SHA1 hash:
95c2c93e9874489a9c2e03177e083b12c0012d61
Link:
https://www.unpac.me/results/7914f065-3e43-468f-8b8d-c56b779b5221/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20a605a18b48b55adb6ae9c0024013be69ec884e7407ca50b39177035dc7b948

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217140/

Comments