MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4871d83c32ce40c24171ec40c4548dd320fe183a58d3866aa88c0b12d2d7b3ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4871d83c32ce40c24171ec40c4548dd320fe183a58d3866aa88c0b12d2d7b3ae
SHA3-384 hash: ea0f0a5b7bf72a6dc1c5493b50a827ced2d24f2010548c10f0e01b4615c4979fde6e72ff5cff6e6165018cbdf7df16ed
SHA1 hash: 91d48872f07c1f54203ec15ae0fd123e23d55bdf
MD5 hash: 5d9c2b17f30765462ff5e3eaa0931885
humanhash: oklahoma-gee-nine-charlie
File name:5d9c2b17f30765462ff5e3eaa0931885.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:243'200 bytes
First seen:2023-02-22 11:02:41 UTC
Last seen:2023-02-22 13:24:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 72355b500b0174b38bc36b0e0ce9b934 (2 x IcedID)
ssdeep 6144:+EtfNCNSJQwq0a9WJPcOhuFqAD6pnoRsMwuth6P:+E4IE0jXm6doRTwuts
Threatray 6 similar samples on MalwareBazaar
TLSH T1C734BE15F39618BADD728535C8035A06FA3578510334DABF47A04B3AEE2F7D1663BB22
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:dll exe IcedID

Intelligence

File Origin
# of uploads :
3
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5d9c2b17f30765462ff5e3eaa0931885.dll
Verdict:
No threats detected
Analysis date:
2023-02-22 11:35:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4067befe-e6f5-4b07-8461-c9a6f3965bdc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368971/
Detection(s):
SecuriteInfo.com.Win64.BankerX-gen.8843.6405.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63f5f668b53d126ad263af9f/reports/3a51b695-2bb9-41ed-b966-2355f85ef11c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4871d83c32ce40c24171ec40c4548dd320fe183a58d3866aa88c0b12d2d7b3ae
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df20bd10-8a30-448e-a99a-fa0aaa2482ee
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1180550
Signature
Antivirus detection for URL or domain
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 813383 Sample: E0TGQ4pQgB.exe Startdate: 22/02/2023 Architecture: WINDOWS Score: 88 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for URL or domain 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 Multi AV Scanner detection for submitted file 2->61 7 loaddll64.exe 3 2->7         started        10 rundll32.exe 2->10         started        12 rundll32.exe 2->12         started        14 2 other processes 2->14 process3 file4 43 C:\Users\user\AppData\Local\...\behoacak.dll, PE32+ 7->43 dropped 16 regsvr32.exe 10 7->16         started        21 cmd.exe 1 7->21         started        23 rundll32.exe 4 7->23         started        25 3 other processes 7->25 process5 dnsIp6 45 lepriconloots.com 87.251.67.224, 443, 49687, 49688 WELLWEBNL Russian Federation 16->45 35 C:\Users\user\AppData\Local\...\Pezoacfn1.dll, PE32+ 16->35 dropped 37 C:\Users\user\AppData\Local\...\bameou1.dll, PE32+ 16->37 dropped 39 C:\Users\user\AppData\Local\Temp\saleghost, PE32+ 16->39 dropped 63 Contains functionality to detect hardware virtualization (CPUID execution measurement) 16->63 65 Tries to detect virtualization through RDTSC time measurements 16->65 27 WerFault.exe 17 9 16->27         started        30 rundll32.exe 21->30         started        47 qertoplast.com 80.66.88.145, 443, 49699 RISS-ASRU Russian Federation 23->47 49 olponetox.com 85.239.52.234, 443, 49698, 49701 RAINBOW-HKRainbownetworklimitedHK Russian Federation 23->49 51 smplemente.net 89.23.107.39, 443, 49700, 49702 MAXITEL-ASRU Russian Federation 23->51 41 C:\Users\user\AppData\...\Awocacmi1.dll, PE32+ 23->41 dropped 67 System process connects to network (likely due to code injection or exploit) 23->67 33 WerFault.exe 17 9 25->33         started        file7 signatures8 process9 dnsIp10 53 192.168.2.1 unknown unknown 27->53 69 System process connects to network (likely due to code injection or exploit) 30->69 71 Contains functionality to detect hardware virtualization (CPUID execution measurement) 30->71 73 Tries to detect virtualization through RDTSC time measurements 30->73 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4871d83c32ce40c24171ec40c4548dd320fe183a58d3866aa88c0b12d2d7b3ae/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2023-02-22 11:03:06 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jby5qpbszzameqlr5ramiven2mqp4gb2ldjym2virqfrfuwxwoxa._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
17c84d77f79954acbe68cb2830ab27630a185091b1c084df1f112adc7b89fc3e
IcedID
2b317f6a1ffc33b390ef0f9ca4c7227c250dc6e46e9eb198e2ef56ce00e0d360
IcedID
66241149fd6ac0ec6bac32141748a8b5a1b0cd1610bd2687cae0c2cfa671945f
IcedID
8d076fe2d93a9ebd5701eb7a1acab37e9d390df7f50e6d155c6c7289934d2b54
IcedID
fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe
IcedID
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230222-m5qa7sba42/
Behaviour
Uses Task Scheduler COM API
Unpacked files
SH256 hash:
4871d83c32ce40c24171ec40c4548dd320fe183a58d3866aa88c0b12d2d7b3ae
MD5 hash:
5d9c2b17f30765462ff5e3eaa0931885
SHA1 hash:
91d48872f07c1f54203ec15ae0fd123e23d55bdf
Link:
https://www.unpac.me/results/51ce2c1a-c427-409f-a5be-05a22864dc0a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4871d83c32ce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4871d83c32ce40c24171ec40c4548dd320fe183a58d3866aa88c0b12d2d7b3ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:bumblebee_win_generic
Create hunting rule
Author:_kphi
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

IcedID

Executable exe 4871d83c32ce40c24171ec40c4548dd320fe183a58d3866aa88c0b12d2d7b3ae

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2547606/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/368971/

Comments