MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109
SHA3-384 hash: 5cb017891e747a4456db53e8369dd3fb37057798d31b81f38e0beff9e32b6ca3b51a0bbe230cdd4b6256da8bbd631b6d
SHA1 hash: 10f6f208907d25f5ec39060a8576ed8387d42c0e
MD5 hash: 5a0e570b13623c79c9261a8a2cc41f04
humanhash: apart-tango-tennis-mississippi
File name:1.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:735'232 bytes
First seen:2022-05-23 16:54:33 UTC
Last seen:2022-05-23 18:56:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b60d18971f329cb5243e0198109a3914 (1 x IcedID)
ssdeep 12288:1IIX/KMsUM4ilTgZ51So74EONNuoMoOc9y21dRDXJy//zJOvcW:1IIXJgrUZfJEEONNuozxZXJWJkc
Threatray 202 similar samples on MalwareBazaar
TLSH T1A9F4BFB8B6246CD6E66F067BD9D67CED17B6276299CBB4CC8064B7C30563331EE02805
TrID 33.6% (.EXE) OS/2 Executable (generic) (2029/13)
33.1% (.EXE) Generic Win/DOS Executable (2002/3)
33.1% (.EXE) DOS Executable Generic (2000/1)
Reporter j_dubp
Tags:exe IcedID


Avatar
j_dubp
ZIP attachment > LNK > PowerShell > conderadio.tv (PS1) > conderadio.tv (DLL)

Intelligence

File Origin
# of uploads :
3
# of downloads :
305
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1.dll
Verdict:
No threats detected
Analysis date:
2022-05-23 20:05:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2982162d-0c4f-4fbd-bfc8-0ce57a1bc6c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
IcedIDLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273811/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the system32 subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/628bbca7054dcf0ecae3e9f0/reports/f1dc0ee8-ba0d-485e-af98-d94c68847677/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bc1954cf-300c-4d70-8a2a-e89cf7fe113d
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1000076
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found malware configuration
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 16:55:08 UTC
File Type:
PE+ (Dll)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hx7ghuwju7rpqsgs7eqxdtcxofmddc2ots3c45hmma56qs5bgeeq._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
0407d4283508af13a9616360c14796030d3e5669af0aca60c99ac11df3555a74
IcedID
08d30d6646117cd96320447042fb3857b4f82d80a92f31ee91b16044b87929c0
IcedID
0a497cdeb92189e1611c15669897de70e8aed2be2484346686252bea387abfa4
IcedID
2123ed9e1662ae4805361fb25f1389bcbbb096e0a975d98a133797481ed0ebcd
IcedID
42605a1640895ba3d64833f8fc077c074710b142fcb0332607af8560feb64a24
IcedID
63770070208c532df8a7d41a391faff7c5280814bebd13b0b935f0fa80fc8e27
IcedID
a61b1d70d469b8ca7acdbd26fc859e6aeb229c4636fe9c92eac856914f326ac8
IcedID
ed24c4f468bc20fe152badf719ad0b1596037e829ec8d02be2f0ec1c9760c3e8
IcedID
+ 192 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid campaign:109932505 banker loader suricata trojan
Link:
https://tria.ge/reports/220523-ve4pxaahdq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
IcedID, BokBot
suricata: ET MALWARE Win32/IcedID Request Cookie
Malware Config
C2 Extraction:
ilekvoyn.com
Unpacked files
SH256 hash:
3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109
MD5 hash:
5a0e570b13623c79c9261a8a2cc41f04
SHA1 hash:
10f6f208907d25f5ec39060a8576ed8387d42c0e
Link:
https://www.unpac.me/results/852d6797-2ffa-4b75-9755-a1351f8e49ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_icedid_stage1
Create hunting rule
Author:Rony (@r0ny_123)
Description:Detects IcedID photoloader
Reference:https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html
Rule name:IcedIDLoader
Create hunting rule
Author:kevoreilly, threathive, enzo
Description:IcedID Loader
Rule name:IcedID_init_loader
Create hunting rule
Author:@bartblaze
Description:Identifies IcedID (stage 1 and 2, initial loaders).
Rule name:MALWARE_Win_IceID
Create hunting rule
Author:ditekSHen
Description:Detects IceID / Bokbot variants
Rule name:MAL_IcedID_GZIP_LDR_202104
Create hunting rule
Author:Thomas Barabosch, Telekom Security
Description:2021 initial Bokbot / Icedid loader for fake GZIP payloads
Reference:https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Rule name:SPLCrypt
Create hunting rule
Author:James Quinn, Binary Defense
Description:Identifies SPLCrypt, a new crypter associated with Bazaloader
Rule name:win_iceid_gzip_ldr_202104
Create hunting rule
Author:Thomas Barabosch, Telekom Security
Description:2021 initial Bokbot / Icedid loader for fake GZIP payloads
Rule name:win_photoloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.photoloader.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

IcedID

Executable exe 3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/2208117/
Cape
Cape
https://www.capesandbox.com/analysis/273811/

Comments