MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34328d5bc9027217ed0c59e54b701ae068c45561acb4acef61f21ef98264cd6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID
Vendor detections: 7

SHA256 hash: 34328d5bc9027217ed0c59e54b701ae068c45561acb4acef61f21ef98264cd6b
SHA3-384 hash: 581f3bda83d1701412b3cc165b5e63b01ac60e54cfd499eff1fd8d4aa965516f2ec654b3caa204ce787b113537d4f312
SHA1 hash: 58783830fb99153d803c89dc2756d7ae03692e26
MD5 hash: 628513fc58382daa181cc803bafcdf0b
humanhash: low-nineteen-seventeen-don
File name: 628513FC58382DAA181CC803BAFCDF0B.exe
Download: download sample
Signature: IcedID
File size: 1'682'894 bytes
First seen: 2021-05-26 16:55:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 24576:N4nXubIQGyxbPV0db263bqKnxC6+vogz2dbFFv0S6dS/01icZOEOR5QvrO:Nqe3f6P5L+DidXvh6dS/04OOR5QvrO
TLSH: 0375CF3FB268A53EC4AA0B3245B39360997BBA61B81B8C1F47F0490DCF664711F3B655
Reporter: abuse_ch
Tags: exe IcedID
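Before analysing a sample fetched from this entry, a practitioner would confirm that the bytes on disk are the ones the page describes: the vendor verdicts and the IOC on this page apply to exactly this file. The block below is an added example, not MalwareBazaar's own tooling; it recomputes the four listed digests with Python's standard hashlib, checks the listed size, and reports every mismatch. The byte strings used in its self-check are constructed for illustration and are not the sample.

```python
"""Verify a sample downloaded from this entry against the listed hashes and size.

Added example for this page, not MalwareBazaar tooling. LISTED_HASHES and
LISTED_SIZE are copied from the entry above; the byte strings in the
self-check at the bottom are constructed and are not the sample.
"""
import hashlib
from pathlib import Path
from typing import Dict, List, Optional

# Digests exactly as printed on the entry page (hashlib algorithm name -> hex).
LISTED_HASHES: Dict[str, str] = {
    "sha256": "34328d5bc9027217ed0c59e54b701ae068c45561acb4acef61f21ef98264cd6b",
    "sha3_384": "581f3bda83d1701412b3cc165b5e63b01ac60e54cfd499eff1fd8d4aa965516f2ec654b3caa204ce787b113537d4f312",
    "sha1": "58783830fb99153d803c89dc2756d7ae03692e26",
    "md5": "628513fc58382daa181cc803bafcdf0b",
}
LISTED_SIZE = 1_682_894  # bytes, from the "File size" line of the entry


def compute_hashes(data: bytes, algorithms=LISTED_HASHES) -> Dict[str, str]:
    """Return lowercase hex digests of data for every algorithm name in `algorithms`."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def verify_sample(data: bytes, expected: Dict[str, str] = LISTED_HASHES,
                  size: Optional[int] = LISTED_SIZE) -> List[str]:
    """Return a list of mismatch descriptions; an empty list means every check passed.

    Comparison is case-insensitive: the page prints the MD5 in upper case in the
    file name and in lower case in the hash table. The size check runs first
    because a wrong length already proves the bytes are not this sample.
    """
    problems = []
    if size is not None and len(data) != size:
        problems.append(f"size: got {len(data)} bytes, listed {size}")
    actual = compute_hashes(data, expected)
    for name, want in expected.items():
        if actual[name] != want.lower():
            problems.append(f"{name}: got {actual[name]}, listed {want.lower()}")
    return problems


def verify_file(path: str) -> List[str]:
    """Read a file from disk and verify it against the listed hashes and size."""
    return verify_sample(Path(path).read_bytes())


def filename_matches_md5(filename: str, md5: str = LISTED_HASHES["md5"]) -> bool:
    """MalwareBazaar names this sample <MD5>.exe; confirm the stem is that MD5."""
    return Path(filename).stem.lower() == md5.lower()


if __name__ == "__main__":
    # Self-check on constructed bytes: b"abc" is deliberately not the sample, so
    # the size and all four listed hashes must be reported as mismatching.
    report = verify_sample(b"abc")
    assert len(report) == 5, report
    print("\n".join(report))
    print(filename_matches_md5("628513FC58382DAA181CC803BAFCDF0B.exe"))
```

MalwareBazaar serves downloads as password-protected ZIP archives (password `infected`); extract first and point verify_file() at the extracted binary, never at the archive. A non-empty result means the file on disk is not the sample this entry describes, and nothing else on the page should be assumed to apply to it.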


Comment by abuse_ch:
IcedID C2:
185.230.143.208:1203

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
185.230.143.208:1203   https://threatfox.abuse.ch/ioc/64464/
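A defender who picks up this IOC wants to sweep connection logs for it. The block below is an added example, not ThreatFox or abuse.ch tooling: it parses ip:port indicators from the table above and scans Zeek conn.log-style records, distinguishing an exact address-plus-port hit from an address-only hit. The log excerpt is constructed for the self-check and is not real traffic; its C2 record copies the client port 49707 to 185.230.143.208:1203 that the sandbox behaviour graph on this page reports.

```python
"""Sweep Zeek conn.log-style records for the ThreatFox C2 listed on this entry.

Added example for this page, not ThreatFox or abuse.ch tooling. IOCS is copied
from the table above. SAMPLE_CONN_LOG is constructed for the self-check and is
not real traffic; its third record copies the client port 49707 to
185.230.143.208:1203 that the sandbox behaviour graph on this page reports.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Indicator exactly as listed (IPv4 ip:port) -> ThreatFox reference URL.
IOCS: Dict[str, str] = {"185.230.143.208:1203": "https://threatfox.abuse.ch/ioc/64464/"}

# Constructed conn.log excerpt. Zeek writes a "#fields" header naming the columns,
# which is read instead of hard-coding positions; real logs carry more columns.
SAMPLE_CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1622048135.1\tCx1\t10.0.0.5\t49698\t5.182.39.43\t80\ttcp
1622048140.2\tCx2\t10.0.0.5\t49720\t104.21.21.21\t80\ttcp
1622048151.7\tCx3\t10.0.0.5\t49707\t185.230.143.208\t1203\ttcp
1622048160.0\tCx4\t10.0.0.7\t51000\t185.230.143.208\t443\ttcp
""".splitlines()

Hit = Tuple[int, str, str, str, str]  # (line_no, orig, resp, match_kind, reference)


def parse_iocs(iocs: Dict[str, str]) -> Dict[Tuple[str, Optional[int]], str]:
    """Turn "ip:port" (or a bare IPv4 address) into (ip, port); port None matches any port.

    ip_address() rejects malformed addresses before the sweep starts.
    """
    parsed = {}
    for ioc, ref in iocs.items():
        host, sep, port = ioc.rpartition(":")
        if not sep:  # bare address without a port
            host, port = ioc, ""
        parsed[(str(ipaddress.ip_address(host)), int(port) if port else None)] = ref
    return parsed


def scan_conn_log(lines: Iterable[str], iocs: Dict[str, str] = IOCS) -> List[Hit]:
    """Return hits in log order.

    match_kind is "ip+port" for an exact C2 match and "ip-only" when only the
    responder address matches: the latter still deserves triage because the
    same host can serve on a different port in a later campaign.
    """
    wanted = parse_iocs(iocs)
    hits: List[Hit] = []
    columns = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if line.startswith("#fields"):
            columns = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or columns is None:
            continue
        rec = dict(zip(columns, line.split("\t")))
        resp_h, resp_p = rec["id.resp_h"], int(rec["id.resp_p"])
        candidates = [(port, ref) for (ip, port), ref in wanted.items() if ip == resp_h]
        if not candidates:
            continue
        exact = [ref for port, ref in candidates if port in (None, resp_p)]
        kind, ref = ("ip+port", exact[0]) if exact else ("ip-only", candidates[0][1])
        hits.append((n, f"{rec['id.orig_h']}:{rec['id.orig_p']}", f"{resp_h}:{resp_p}", kind, ref))
    return hits


if __name__ == "__main__":
    for hit in scan_conn_log(SAMPLE_CONN_LOG):
        print(hit)
```

Only the responder side is matched, since the C2 is the destination of the beacon; the two records to 5.182.39.43 and 104.21.21.21 in the constructed excerpt are addresses from the sandbox graph, not ThreatFox IOCs, and are correctly not reported.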

Intelligence


File Origin
# of uploads: 1
# of downloads: 294
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 628513FC58382DAA181CC803BAFCDF0B.exe
Verdict: No threats detected
Analysis date: 2021-05-26 16:57:25 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Sending a UDP request

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 56 / 100
Signature
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Sigma detected: Logon Scripts (UserInitMprLogonScript)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (ID 425304; sample renamed vjVsgjDOG8.exe by the sandbox; start date 26/05/2021; architecture WINDOWS; score 56), given here as the process tree, dropped files, network contacts and signatures recovered from the graph export:

Top-level network contacts: www.happybrewfriends.com; www.allroadslimit.com; 10 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 3 other signatures

vjVsgjDOG8.exe
  drops: C:\Users\user\AppData\...\vjVsgjDOG8.tmp (PE32)
  starts: vjVsgjDOG8.tmp
    contacts: st.priceyam.xyz 104.21.21.21 port 80 (CLOUDFLARENET, United States); inloadfile.com 5.182.39.43 port 80 (ALEXHOST, Russian Federation); 3 other IPs or domains
    drops: C:\Users\user\AppData\Local\...\setup_0.exe (PE32); C:\Users\user\AppData\Local\...\setup_2.exe (PE32); C:\Users\user\AppData\Local\...\setup_3.exe (PE32); 2 other files (none is malicious)
    signature: Performs DNS queries to domains with low reputation
    starts: setup_0.exe
      drops: C:\Users\user\AppData\Local\...\setup_0.tmp (PE32)
      starts: setup_0.tmp
        drops: C:\Users\user\AppData\...\vdi_compiler.exe (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 8 other files (none is malicious)
        signature: Obfuscated command line found
        starts: vdi_compiler.exe
          signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
          starts: cmd.exe
            signature: Uses ping.exe to sleep
            starts: conhost.exe; PING.EXE
        starts: cmd.exe
          signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
          starts: expand.exe; conhost.exe
            expand.exe drops: C:\...\8ab636aa1b73ca4d9a03103bb5328a3e.tmp (PE32); C:\...\76183bddf4094c4c91d73f7d00026433.tmp (PE32); C:\...\5775405e4b1941499a12470d431236df.tmp (PE32); 5 other files (none is malicious)
        starts: cmd.exe
          starts: iexplore.exe; conhost.exe
            iexplore.exe contacts: rndmclothes.xyz
            iexplore.exe starts: iexplore.exe
              contacts: rndmclothes.xyz; 141.94.11.54 port 80 (DFN-Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., Germany); 3 other IPs or domains
        starts: 2 other processes (not named in the graph)
          contacts: geo.netsupportsoftware.com; 185.230.143.208 port 1203 from client port 49707 (Hostingvpsville.ru, Russian Federation); 2 other IPs or domains
          signature: Performs DNS queries to domains with low reputation (geo.netsupportsoftware.com)
          starts: reg.exe; conhost.exe
            reg.exe signature: Creates an undocumented autostart registry key
    starts: setup_2.exe
      drops: C:\Users\user\AppData\Local\...\setup_2.tmp (PE32)
      starts: setup_2.tmp
        drops: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\...\is-VNRFM.tmp (PE32); C:\Program Files (x86)\...\is-FDD92.tmp (PE32)
        starts: takemyfile.exe
          contacts: rep.pe-wok.biz; d3vzyycpfbk7qm.cloudfront.net 13.224.194.152 (AMAZON-02, United States); distribute.takemyfile.net
          signature: Tries to harvest and steal browser information (history, passwords, etc)
    starts: setup_3.exe
      drops: C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); C:\Users\user\AppData\...\Windows Updater.exe (PE32); C:\Users\user\...\AdvancedWindowsManager.exe (PE32+); 4 other files (none is malicious)
Threat name: Win32.Infostealer.ChePro
Status: Malicious
First seen: 2021-05-23 01:10:50 UTC
AV detection: 12 of 29 (41.38%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments