MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42605a1640895ba3d64833f8fc077c074710b142fcb0332607af8560feb64a24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 13

Intelligence 13 IOCs YARA 7 File information Comments

SHA256 hash:	42605a1640895ba3d64833f8fc077c074710b142fcb0332607af8560feb64a24
SHA3-384 hash:	e5e94823fabc5d7bb2bc3c5321d008cfa5c43b0dbc5fa69297ed7ebcbf58536e7c2cfb7aa1334724ef12eba495b9f814
SHA1 hash:	2a2e5b9bf49aca783574fcc2aa4a06dcb609a4c1
MD5 hash:	399e402d426f0675ffcc8efa609421a8
humanhash:	hotel-stream-yellow-johnny
File name:	0a497cdeb92189e1611c15669897de70e8aed2be2484346686252bea387abfa4_unpacked
Download:	download sample
Signature	IcedID Create hunting rule
File size:	13'312 bytes
First seen:	2022-05-20 16:51:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b8b6216613b83b9374da0ac1163e6c23 (4 x IcedID)
ssdeep	192:sHVMfa7TTCjJSixzPSAA56RCK7Yu/VPgw4oXBAQYfPq/3KbT1:s1Mf0gJSix2AA56RCiZVqKGQYnq/6bZ
Threatray	227 similar samples on MalwareBazaar
TLSH	T1DB52079E272105CCD1BBD2BAC6152E13D2F238A41626875E05F0DD9F9F23311696EF05
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	Rony
Tags:	exe IcedID photoloader unpacked

Intelligence

File Origin

# of uploads :

# of downloads :

464

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0a497cdeb92189e1611c15669897de70e8aed2be2484346686252bea387abfa4_unpacked

Verdict:

No threats detected

Analysis date:

2022-05-20 16:57:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8627ea2b-e07b-4e7a-b70c-153116f11768

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

IcedIDLoader

Link:

https://www.capesandbox.com/analysis/273103/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending an HTTP GET request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19270/overview

Behaviour

MalwareBazaar

CallSleep

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware icedid shell32.dll

Link:

https://www.filescan.io/uploads/6287c76dafb61a3866611934/reports/82359a82-6444-4b02-a645-04fc73d38bbf/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

IcedID

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2f902e57-bc7e-4b73-95bc-e5221c286aad

Result

Threat name:

IcedID

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/998754

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Delayed program exit found

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected IcedID

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42605a1640895ba3d64833f8fc077c074710b142fcb0332607af8560feb64a24/

Threat name:

Win64.Trojan.IcedID

Status:

Malicious

First seen:

2022-05-20 16:52:05 UTC

File Type:

PE+ (Dll)

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ijqfufsarfn2hvsigp4pyb34a5drbmkc7sydgjqhv6cwb7vwjisa._file

Verdict:

malicious

Label(s):

icedid

IcedID

071daa2f0bf9d587dd5a1abf995af47a25295242023c86ba8f3f95f1c317ddb6

IcedID

08d30d6646117cd96320447042fb3857b4f82d80a92f31ee91b16044b87929c0

IcedID

0a497cdeb92189e1611c15669897de70e8aed2be2484346686252bea387abfa4

IcedID

2123ed9e1662ae4805361fb25f1389bcbbb096e0a975d98a133797481ed0ebcd

IcedID

63770070208c532df8a7d41a391faff7c5280814bebd13b0b935f0fa80fc8e27

IcedID

a61b1d70d469b8ca7acdbd26fc859e6aeb229c4636fe9c92eac856914f326ac8

IcedID

e0677236472f95f6c2570c02c885d0fbe459a8b9da0f77d826061c9d0537ccd9

IcedID

ed24c4f468bc20fe152badf719ad0b1596037e829ec8d02be2f0ec1c9760c3e8

IcedID

+ 217 additional samples on MalwareBazaar

Result

Malware family:

icedid

Score:

10/10

Tags:

family:icedid campaign:3118344709 banker loader suricata trojan

Link:

https://tria.ge/reports/220520-vdc6kaaeg2/

Behaviour

Suspicious behavior: EnumeratesProcesses

IcedID, BokBot

suricata: ET MALWARE Win32/IcedID Request Cookie

Malware Config

C2 Extraction:

speratinda.com

Unpacked files

SH256 hash:

42605a1640895ba3d64833f8fc077c074710b142fcb0332607af8560feb64a24

MD5 hash:

399e402d426f0675ffcc8efa609421a8

SHA1 hash:

2a2e5b9bf49aca783574fcc2aa4a06dcb609a4c1

Detections:

win_photoloader_auto

Link:

https://www.unpac.me/results/7830c2cd-e6ab-4c2b-b830-ed6be0fb51ad/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/42605a1640895ba3d64833f8fc077c074710b142fcb0332607af8560feb64a24

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_icedid_stage1 Create hunting rule
Author:	Rony (@r0ny_123)
Description:	Detects IcedID photoloader
Reference:	https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html

Rule name:	IcedIDLoader Create hunting rule
Author:	kevoreilly, threathive, enzo
Description:	IcedID Loader

Rule name:	IcedID_init_loader Create hunting rule
Author:	@bartblaze
Description:	Identifies IcedID (stage 1 and 2, initial loaders).

Rule name:	MALWARE_Win_IceID Create hunting rule
Author:	ditekSHen
Description:	Detects IceID / Bokbot variants

Rule name:	MAL_IcedID_GZIP_LDR_202104 Create hunting rule
Author:	Thomas Barabosch, Telekom Security
Description:	2021 initial Bokbot / Icedid loader for fake GZIP payloads
Reference:	https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240

Rule name:	win_iceid_gzip_ldr_202104 Create hunting rule
Author:	Thomas Barabosch, Telekom Security
Description:	2021 initial Bokbot / Icedid loader for fake GZIP payloads

Rule name:	win_photoloader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.photoloader.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/273103/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample