MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844
SHA3-384 hash: bf8603f88d4719288f600ceb6bde42835637b29e698ed16f557f4519594d1ed2aaf952b88116eedb9ac2bc9f121d9d3a
SHA1 hash: 494b7f00ee4e2a47c3b6e25f7fc603ea9f3ae1d5
MD5 hash: d0515acd0a80ad5273ad189e72aca86f
humanhash: massachusetts-five-king-fifteen
File name:painstaking.dat
Download: download sample
Signature IcedID
Create hunting rule
File size:1'026'440 bytes
First seen:2023-01-20 00:32:51 UTC
Last seen:2023-01-23 13:53:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:jkmZDEMHhp9v1Ikbn3ND0TAVOsIut8P4zlIKE2r/7Bk0:ImZFHhp9v1Io3h0TA3pJk0
Threatray 1'312 similar samples on MalwareBazaar
TLSH T1C825AE69FA6C0AA9D03BA07CC91B150FE9B23406477097DB03E64BB97E2B7D5163B311
TrID 91.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
0.9% (.ICL) Windows Icons Library (generic) (2059/9)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
0.9% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pr0xylife
Tags:3108046779 exe IcedID ragpewleaK

Intelligence

File Origin
# of uploads :
3
# of downloads :
260
Origin country :
IE IE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Paid_Offer_256_Jan-19.pdf
Verdict:
Suspicious activity
Analysis date:
2023-01-19 20:18:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ea778332-7361-4ecc-a995-bd45a1f7313d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354785/
Detection(s):
SecuriteInfo.com.TrojanSpy.Win64.ICEDID.SMYXCLGZA.18041.1720.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
icedid overlay packed
Link:
https://www.filescan.io/uploads/63c9e14589bd67c10fd8b9f0/reports/3e07d08e-547b-49c9-aaa3-e524057604a3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bf9a543a-ee76-4edc-a6af-c1eae27be948
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1155197
Signature
Sigma detected: Execute DLL with spoofed extension
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 787929 Sample: painstaking.dat.exe Startdate: 20/01/2023 Architecture: WINDOWS Score: 48 37 Sigma detected: Execute DLL with spoofed extension 2->37 8 loaddll64.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8->12         started        14 rundll32.exe 8->14         started        16 7 other processes 8->16 process5 18 rundll32.exe 10->18         started        20 WerFault.exe 3 9 12->20         started        23 WerFault.exe 9 14->23         started        25 WerFault.exe 9 16->25         started        27 WerFault.exe 9 16->27         started        29 WerFault.exe 9 16->29         started        31 2 other processes 16->31 dnsIp6 33 WerFault.exe 17 9 18->33         started        35 192.168.2.1 unknown unknown 20->35 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2023-01-19 21:47:30 UTC
File Type:
PE+ (Dll)
AV detection:
9 of 25 (36.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ezobqv5mpqqeglzw4olhkeprxyfyjmoffzegpce6gz6awwbivbca._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
01fcaac089adb57be61812b11860fb264cad44b7e3a60b3519ff964a9f459b73
IcedID
0db4a196c637addd1bc0ecc0d0d616b8d757d606ab20a49d0c325ae0e4f1f6ae
IcedID
99dfb7baafec050861e152a036af86fc0c7663f3c719d58a56dfd9f06f4b8cef
IcedID
a5f81b3f092a05dc7026957e5d716e5976a38b152d1823ac76b84e189aa4a75b
IcedID
a85729bd8d5976b67662415b7d24bcc5c1a4230304a7b2ea4830fc6a76822fba
IcedID
ca04842f4ead02f9ca4bb59856102b738ce2fb10bf18a4e087284e5a1b4d1380
IcedID
+ 1'302 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230120-av7raaeg3w/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844
MD5 hash:
d0515acd0a80ad5273ad189e72aca86f
SHA1 hash:
494b7f00ee4e2a47c3b6e25f7fc603ea9f3ae1d5
Link:
https://www.unpac.me/results/4f907f04-6d0e-4dc3-a7c3-0c6c3c8e67bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SPLCrypt
Create hunting rule
Author:James Quinn, Binary Defense
Description:Identifies SPLCrypt, a new crypter associated with Bazaloader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/354785/

Comments