MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42cea91c813a490a0b590932c940d796fadfc97765291506813b0ae6f2a42fed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	42cea91c813a490a0b590932c940d796fadfc97765291506813b0ae6f2a42fed
SHA3-384 hash:	7a6dbf9de0fc7e1a755e86f2a009eeac193e3489563a927ff6483eea9ca165fa0fce785110370788226833108475e958
SHA1 hash:	a06d64929c4df25fa798bb5aeba6c45dddb68c4f
MD5 hash:	d85f31f8c9a77b723f0b33c64aee0e25
humanhash:	september-october-shade-seven
File name:	0x0002000000022618-2.dll
Download:	download sample
Signature	IcedID Create hunting rule
File size:	335'872 bytes
First seen:	2023-10-12 00:42:25 UTC
Last seen:	2023-10-12 01:42:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e7125b885fcd1eea77d2881eaaa53c4d (6 x IcedID)
ssdeep	6144:3N/F41OWGRkFtwxW6spj/JbUaeboh6EReEUHFmUwUBS8OgJU9P:35FCOWGRayW6sAowXFmUwUE1gI
Threatray	42 similar samples on MalwareBazaar
TLSH	T1AE64AE0976D80CB9EDB39238C9576945E972BC160774D66F03A0831ADF2F790A92FF21
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	JAMESWT_WT
Tags:	exe gestionhqse-com IcedID

Intelligence

File Origin

# of uploads :

# of downloads :

409

Origin country :

Vendor Threat Intelligence

Malware family:

icedid

ID:

File name:

Offer[2023.10.11_08-07]_3.vbs

Verdict:

Malicious activity

Analysis date:

2023-10-11 23:44:26 UTC

Tags:

icedid bokbot loader

Link:

https://app.any.run/tasks/4e386707-83ab-4027-966a-14031a9c6031

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/453597/

Detection(s):

SecuriteInfo.com.Win64.TrojanX-gen.30672.2208.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Enabling autorun by creating a file

Gathering data

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin masquerade packed

Link:

https://www.filescan.io/uploads/65274118853e4f06480a2d43/reports/9d95e116-7305-4a4c-bb4b-5242de28511f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/42cea91c813a490a0b590932c940d796fadfc97765291506813b0ae6f2a42fed

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/998b7ffc-83ff-4a51-89ab-3b59ec304055

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42cea91c813a490a0b590932c940d796fadfc97765291506813b0ae6f2a42fed/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-10-12 00:43:06 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

7 of 38 (18.42%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ilhkshebhjequc2zbezmsqgxs35n7slxmuurkbubhmfon4vef7wq._file

Verdict:

malicious

Result

Malware family:

icedid

Score:

10/10

Tags:

family:icedid campaign:361893872 banker trojan

Link:

https://tria.ge/reports/231012-a2xjwsdg7w/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Loads dropped DLL

Blocklisted process makes network request

IcedID, BokBot

Unpacked files

SH256 hash:

798ae198bdcf45cd7138bf44d27cb5d9b14e47e4d9a9e6541be9fafd4b92d214

MD5 hash:

7e868fdc01742362e371ca903d64606f

SHA1 hash:

f42531a11fd04835f957346ba164967851291d1e

Detections:

IcedIDLoaderFork

Link:

https://www.unpac.me/results/d5ec4217-c3ca-4b98-b194-471bf8a779e5/

Parent samples :

a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c
5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca
f324bb47090d388fca1015260f66f67b708e8451292cd5679791792c90d5b711
42cea91c813a490a0b590932c940d796fadfc97765291506813b0ae6f2a42fed
ead7621affb3dcfa1137359639f3df8060fca2e5aafd65322a7d67745726b88c
03b25f3a6a6612eca075b0253d7e8ae6ee556bb5375ab7f38b408da15c1b6af9
8901e289c92449e47212b5e6e948ee1d12e9d809af9026ea39834f595bc9f238

SH256 hash:

42cea91c813a490a0b590932c940d796fadfc97765291506813b0ae6f2a42fed

MD5 hash:

d85f31f8c9a77b723f0b33c64aee0e25

SHA1 hash:

a06d64929c4df25fa798bb5aeba6c45dddb68c4f

Link:

https://www.unpac.me/results/d5ec4217-c3ca-4b98-b194-471bf8a779e5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/42cea91c813a490a0b590932c940d796fadfc97765291506813b0ae6f2a42fed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TrojanSpy_EMOTET_W4 Create hunting rule
Author:	Ian Kenefick (Trend Micro)
Description:	Emotet x64 Loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/453597/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample