MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4015c3bdb45127f210d6e9f6b1607c804dca4ef562d7a86bb2cfad924f1f22da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 7

SHA256 hash: 4015c3bdb45127f210d6e9f6b1607c804dca4ef562d7a86bb2cfad924f1f22da
SHA3-384 hash: 2717fcca176605a6613c9c380e9e7b5ccd78bf8d5501f7846e019fd75559c25ab44ddf972c592a18397be00a9bab4d2b
SHA1 hash: 1baf179e76935507471b594b3eb99f9e890f6ed0
MD5 hash: 8db89120cf9c07c99f35dfde3a0c668b
humanhash: bulldog-white-florida-vegan
File name: httpwwwenzeefxcomwpcontentthemesaccesspressmagimagespic000001amp
Signature: IcedID
File size: 587,096 bytes
First seen: 2020-07-17 16:47:34 UTC
Last seen: 2020-07-17 18:10:47 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 33afac422d0aaeda4a6b1b7ee4717555 (1 x IcedID)
ssdeep: 12288:rENLCHHen888888888888W88888888888/:+GHHep
Threatray: 896 similar samples on MalwareBazaar
TLSH: 89C46491A553CB3DD0AC21B1E0ED0A071852F4594F8B4B936D28896CFBF2DA3E5A474F
Reporter: 001Bazaar
Tags: IcedID
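To confirm that a file you hold is the sample recorded in this entry, the script below (an added example, not part of the MalwareBazaar page or of the reporter's submission) streams the file through the four cryptographic digests listed above using only Python's standard hashlib and compares them with the recorded values. It deliberately does not compute imphash, ssdeep or TLSH, which need third-party libraries (pefile, ssdeep, py-tlsh). The hash constants are copied from the entry; the command-line usage and the function names are the example's own.

```python
import hashlib

# Digests recorded for this MalwareBazaar entry (copied from the page).
KNOWN_HASHES = {
    "sha256": "4015c3bdb45127f210d6e9f6b1607c804dca4ef562d7a86bb2cfad924f1f22da",
    "sha3_384": "2717fcca176605a6613c9c380e9e7b5ccd78bf8d5501f7846e019fd75559c25ab44ddf972c592a18397be00a9bab4d2b",
    "sha1": "1baf179e76935507471b594b3eb99f9e890f6ed0",
    "md5": "8db89120cf9c07c99f35dfde3a0c668b",
}


def _new_hashers() -> dict:
    """One hash object per algorithm the entry lists, keyed by the same names as KNOWN_HASHES."""
    return {
        "sha256": hashlib.sha256(),
        "sha3_384": hashlib.sha3_384(),
        "sha1": hashlib.sha1(),
        "md5": hashlib.md5(),
    }


def compute_hashes(data: bytes) -> dict:
    """Digest an in-memory byte string; returns lowercase hex per algorithm."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hashes_from_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Digest a file in chunks so large samples are never read fully into memory."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_known(computed: dict, known: dict = KNOWN_HASHES) -> dict:
    """Per-algorithm comparison: True/False for digests that were computed, 'n/a' for the rest."""
    result = {}
    for name, expected in known.items():
        got = computed.get(name)
        result[name] = "n/a" if got is None else (got.lower() == expected.lower())
    return result


def is_this_sample(computed: dict, known: dict = KNOWN_HASHES) -> bool:
    """Identify the sample only if SHA-256 matches and no computed digest disagrees.

    MD5 and SHA-1 both have practical collision attacks, so a match on either of
    them alone is not treated as identification; SHA-256 is the decisive value.
    """
    res = match_known(computed, known)
    return res.get("sha256") is True and all(v in (True, "n/a") for v in res.values())


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 2:
        sys.exit("usage: check_hashes.py <file>")
    digests = hashes_from_file(sys.argv[1])
    verdicts = match_known(digests)
    for name, value in digests.items():
        print(f"{name:9s} {value}  match={verdicts[name]}")
    print("identified as this MalwareBazaar entry:", is_this_sample(digests))
```

A SHA-256 mismatch on a file that still matches imphash or ssdeep is the normal case for a repacked build of the same family, which is what the Threatray "similar samples" count above is pointing at; the exact-hash check only tells you whether you hold this specific artifact.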


001Bazaar
Packed version of IcedID

Intelligence


File Origin
# of uploads: 2
# of downloads: 102
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
Detection: malicious
Classification: spre.troj.spyw.evad (spreading, trojan, spyware, evader)
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains VNC / remote desktop functionality (version string found)
Early bird code injection technique detected
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected IcedID
Behaviour
Behavior Graph (ID 246783; sample httpwwwenzeefxcomwpcontentt...; start date 19/07/2020; architecture WINDOWS; score 100)

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected IcedID; Machine Learning detection for sample; 5 other signatures

Process tree (indentation shows parent/child):
loaddll32.exe
    network: funnymemos.shop, 161.35.100.78:443 (client ports 49741, 49744), DIGITALOCEAN-ASN, United States
    signatures: Early bird code injection technique detected; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
    msiexec.exe
        network: milanoshops.pw, 167.99.75.136:443 (client ports 49745, 49746), DIGITALOCEAN-ASN, United States; funnymemos.shop; buytheone.best
        dropped: C:\Users\user\AppData\Local\...\sqlite64.dll (PE32+)
        signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Tries to detect virtualization through RDTSC time measurements; Performs a network lookup / discovery via net view
        systeminfo.exe
            signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            conhost.exe
        cmd.exe
            conhost.exe
            chcp.com
        net.exe
            conhost.exe
            net1.exe
        6 other processes
            conhost.exe (x3)
            3 other processes
    WerFault.exe
regsvr32.exe
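The behavior graph yields two kinds of indicator a detection engineer can act on: the network destinations, and a process lineage (DLL host spawns msiexec.exe, msiexec.exe then runs host-discovery commands) that a legitimate msiexec.exe never produces. The script below is an added example, not part of the MalwareBazaar page or of the reporter's submission. It runs three rules over a small stream of constructed Sysmon-style events: a DLL host spawning msiexec.exe, a discovery tool with msiexec.exe among its ancestors, and DNS queries or connections to the domains and IPs above. The event tuple format, process IDs and benign decoy events are all constructed; loaddll32.exe is assumed to be the sandbox's own DLL loader, and ipconfig.exe is added to the discovery set because of the "Uses ipconfig" signature listed earlier.

```python
# Network indicators copied from the behavior graph above.
IOC_DOMAINS = {"funnymemos.shop", "milanoshops.pw", "buytheone.best"}
IOC_IPS = {"161.35.100.78", "167.99.75.136"}

# Process lineage from the graph. loaddll32.exe is assumed to be the sandbox's
# DLL loader; regsvr32.exe is the host you would expect on a real endpoint.
DLL_HOSTS = {"regsvr32.exe", "loaddll32.exe"}
INJECT_TARGET = "msiexec.exe"
# Children seen under msiexec.exe in the graph, plus ipconfig.exe from the signature list.
DISCOVERY_CHILDREN = {"systeminfo.exe", "net.exe", "net1.exe", "ipconfig.exe", "cmd.exe", "chcp.com"}

# Constructed Sysmon-style events, not real telemetry:
# (event_id, pid, ppid, image, detail) with 1 = process create, 3 = network
# connect (dst ip:port), 22 = DNS query ("name -> answer").
SAMPLE_EVENTS = [
    (1, 1000, 900, r"C:\Windows\System32\regsvr32.exe", "regsvr32.exe /s pic000001amp.dll"),
    (1, 1010, 1000, r"C:\Windows\System32\msiexec.exe", "msiexec.exe"),
    (22, 1010, 1000, r"C:\Windows\System32\msiexec.exe", "milanoshops.pw -> 167.99.75.136"),
    (3, 1010, 1000, r"C:\Windows\System32\msiexec.exe", "167.99.75.136:443"),
    (1, 1020, 1010, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    (1, 1021, 1010, r"C:\Windows\System32\net.exe", "net view"),
    (1, 1022, 1021, r"C:\Windows\System32\net1.exe", "net1 view"),
    # Decoys: a genuine installer run and an admin running systeminfo from a shell.
    (1, 2000, 1900, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i setup.msi"),
    (3, 2000, 1900, r"C:\Windows\System32\msiexec.exe", "203.0.113.5:443"),
    (1, 3000, 2900, r"C:\Windows\System32\cmd.exe", "cmd /c systeminfo"),
    (1, 3001, 3000, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
]


def detect(events, max_depth: int = 4) -> list:
    """Apply the three rules to an ordered event stream; returns (rule, pid, detail) tuples."""
    image_by_pid = {}
    ppid_by_pid = {}
    alerts = []

    def has_ancestor(pid, target):
        # Walk up the parent chain a bounded number of hops (cmd.exe -> chcp.com,
        # net.exe -> net1.exe are one level below msiexec.exe in the graph).
        cur = ppid_by_pid.get(pid)
        for _ in range(max_depth):
            if cur is None:
                return False
            if image_by_pid.get(cur) == target:
                return True
            cur = ppid_by_pid.get(cur)
        return False

    for event_id, pid, ppid, image, detail in events:
        name = image.rsplit("\\", 1)[-1].lower()
        if event_id == 1:
            image_by_pid[pid] = name
            ppid_by_pid[pid] = ppid
            parent = image_by_pid.get(ppid, "unknown")
            if name == INJECT_TARGET and parent in DLL_HOSTS:
                alerts.append(("dll_host_spawns_msiexec", pid, f"{parent} -> {name}"))
            if name in DISCOVERY_CHILDREN and has_ancestor(pid, INJECT_TARGET):
                alerts.append(("msiexec_runs_discovery", pid, detail))
        elif event_id == 22:
            qname = detail.split(" -> ", 1)[0].lower()
            if qname in IOC_DOMAINS:
                alerts.append(("ioc_dns_query", pid, qname))
        elif event_id == 3:
            ip, _, port = detail.rpartition(":")
            if ip in IOC_IPS:
                alerts.append(("ioc_c2_connection", pid, f"{ip}:{port}"))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26s} pid={pid:<6d} {detail}")
```

The lineage rules are the durable part: the domains and IPs were DigitalOcean droplets in July 2020 and will have been recycled, whereas msiexec.exe with systeminfo, net or ipconfig among its descendants is abnormal regardless of which C2 infrastructure the current build uses. Note that the decoy installer (pid 2000) and the admin's systeminfo (pid 3001) produce no alert.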
Threat name: Win32.Trojan.IcedID
Status: Malicious
First seen: 2020-07-17 16:49:04 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments