MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2374fd5d049c1b8f1b7fd3115f035e9f154b1f04e1cc276507930811fe349399. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2374fd5d049c1b8f1b7fd3115f035e9f154b1f04e1cc276507930811fe349399
SHA3-384 hash: 691416eea30eae84e1a167bc6c58a6f47cb9779dcc1b411f865a92d5e14bfadeb89feb738dfe859b2d7d30386f5ad44a
SHA1 hash: b7136c309dd803a1303c6d93c1aafebb00e1b6bd
MD5 hash: b13b0cf148e3a25cbad37604956df69d
humanhash: xray-eight-colorado-fourteen
File name:build-100.msi
Download: download sample
Signature IcedID
Create hunting rule
File size:2'134'016 bytes
First seen:2023-11-29 23:52:46 UTC
Last seen:2023-11-30 01:24:43 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:fBlIwwkElBoKQs8pRUm6rPtWYW/x91J8/k:fBmQEjoY8Xbm
TLSH T10CA5295DAE3A806EC21DC53D9817957ABF703CD48B2AF2D742122A19DF3E3E41639358
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter pr0xylife
Tags:IcedID msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461279/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.26469.1626.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Labled as:
Trojan.MSI.Agent
Link:
https://www.hybrid-analysis.com/sample/2374fd5d049c1b8f1b7fd3115f035e9f154b1f04e1cc276507930811fe349399
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/2374fd5d049c1b8f1b7fd3115f035e9f154b1f04e1cc276507930811fe349399
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1350247
Signature
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Uses ipconfig to lookup or modify the Windows network settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1350247 Sample: build-100.msi Startdate: 30/11/2023 Architecture: WINDOWS Score: 84 71 prikhapert.com 2->71 73 arsimonopa.com 2->73 81 Antivirus detection for dropped file 2->81 83 Multi AV Scanner detection for dropped file 2->83 85 Multi AV Scanner detection for submitted file 2->85 12 msiexec.exe 75 34 2->12         started        15 msiexec.exe 3 2->15         started        signatures3 process4 file5 69 C:\Windows\Installer\MSIC9E1.tmp, PE32+ 12->69 dropped 17 msiexec.exe 12->17         started        process6 process7 19 rundll32.exe 10 17->19         started        file8 57 C:\Windows\Installer\...\test.old.cs.dll, PE32 19->57 dropped 59 C:\Windows\Installer\...\WixSharp.dll, PE32 19->59 dropped 61 C:\Users\user\AppData\Local\...\tmpD1B1.dll, PE32+ 19->61 dropped 63 Microsoft.Deployme...indowsInstaller.dll, PE32 19->63 dropped 22 rundll32.exe 2 19->22         started        process9 file10 65 C:\Users\user\AppData\...\Update_4c4457a9.dll, PE32+ 22->65 dropped 67 (copy), PE32+ 22->67 dropped 25 rundll32.exe 14 22->25         started        process11 dnsIp12 75 178.208.87.96, 443, 49717, 49722 VDSINA-ASRU Russian Federation 25->75 77 arsimonopa.com 104.21.10.98, 443, 49714, 49715 CLOUDFLARENETUS United States 25->77 79 prikhapert.com 172.67.148.77, 443, 49718, 49719 CLOUDFLARENETUS United States 25->79 87 System process connects to network (likely due to code injection or exploit) 25->87 29 cmd.exe 1 25->29         started        32 cmd.exe 1 25->32         started        34 cmd.exe 1 25->34         started        36 3 other processes 25->36 signatures13 process14 signatures15 91 Uses ipconfig to lookup or modify the Windows network settings 29->91 93 Performs a network lookup / discovery via net view 29->93 38 conhost.exe 29->38         started        40 ipconfig.exe 1 29->40         started        42 systeminfo.exe 2 1 32->42         started        45 conhost.exe 32->45         started        47 conhost.exe 34->47         started        49 net.exe 1 34->49         started        51 conhost.exe 36->51         started        53 conhost.exe 36->53         started        55 4 other processes 36->55 process16 signatures17 89 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 42->89
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2374fd5d049c1b8f1b7fd3115f035e9f154b1f04e1cc276507930811fe349399/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-11-29 22:06:40 UTC
File Type:
Binary (Archive)
Extracted files:
33
AV detection:
9 of 37 (24.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=en2p2xietqny6g372miv6a26t4kuwhye4hgcozihsmebd7rusomq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231129-3xahsadh87/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/2374fd5d049c1b8f1b7fd3115f035e9f154b1f04e1cc276507930811fe349399

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:SPLCrypt
Create hunting rule
Author:James Quinn, Binary Defense
Description:Identifies SPLCrypt, a new crypter associated with Bazaloader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/461279/

Comments