MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dfb74874b9c0b32b66ce96a97170fc430fed51a7cfdbf361e6c4febe2935e5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID


Vendor detections: 6



SHA256 hash: 3dfb74874b9c0b32b66ce96a97170fc430fed51a7cfdbf361e6c4febe2935e5d
SHA3-384 hash: 6c5cedf9542f7d922f2d81d129aa7001e06bd82f4d781c2a2cf7e79939aa7c480ada2d4e8bc3df769545569655af29e0
SHA1 hash: 83caae2aa73ff35b871eb532d2b0f2d41fd5cf83
MD5 hash: d1d5ababfcb5af1e849e08e6cfdd1867
humanhash: tennessee-batman-arkansas-one
File name: ~479562.dll
Signature: IcedID
File size: 310'784 bytes
First seen: 2020-10-19 15:36:28 UTC
Last seen: 2020-10-19 16:55:21 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 86cfa1b93683e509c636e735c1cf53db (2 x IcedID)
ssdeep: 6144:BEqQvGPPqCxZR3K/YzZ33pJeHKk2mfEhCZD7HehjiSAOlh8:BEqAkPvjR3PDJ6Kk2mfZbehuSd8
TLSH: 12649E1271D18473D6BE86341824DBA51AFD7C210DA0EDAB6BD43A2F5E329C39734E72
Reporter: malware_traffic
Tags: dll IcedID Shathak TA551

Intelligence


File Origin
# of uploads: 2
# of downloads: 132
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a UDP request
Result
Threat name:
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains VNC / remote desktop functionality (version string found)
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected IcedID
Behaviour
Behavior Graph: [process and network graph rendering not reproduced here; Behavior Graph ID: 300292, Sample: #U007e479562.dll, Startdate: 19/10/2020, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.IcedID
Status: Malicious
First seen: 2020-10-19 15:38:04 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Verdict: malicious
Label(s):
Result
Malware family:
Score: 10/10
Tags: trojan banker family:icedid
Behaviour
Suspicious use of WriteProcessMemory
Blacklisted process makes network request
IcedID Core Payload
IcedID, BokBot
Unpacked files
SHA256 hash: 3dfb74874b9c0b32b66ce96a97170fc430fed51a7cfdbf361e6c4febe2935e5d
MD5 hash: d1d5ababfcb5af1e849e08e6cfdd1867
SHA1 hash: 83caae2aa73ff35b871eb532d2b0f2d41fd5cf83
SHA256 hash: 80804755924e9c75786a98b878f7c95a938174152c34ee5ab12c7c43f61215e2
MD5 hash: 8dcc7aeaa8592ec02b3516e5384ac517
SHA1 hash: 4ab4f666f26cf281164ba413afe37dc0e62d347d
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: crime_win32_banker_iceid_ldr1
Author: @VK_Intel
Description: Detects IcedId/BokBot png loader (unpacked)
Reference: twitter

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments