MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IceXLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac
SHA3-384 hash: 0087b1fc84abc028dc0bc3e64ae88f8be981d7a0f7b1a554ea9d3f3ca9a6b7c9206b8857717c7f28e5aead65c8f28560
SHA1 hash: 136a226e0f56c7bf53822ab116ea4304b8a636e6
MD5 hash: cb90f4dd9eb3424268b20a1581668acd
humanhash: sad-blossom-alanine-september
File name:file
Download: download sample
Signature IceXLoader
Create hunting rule
File size:617'984 bytes
First seen:2022-10-24 18:28:32 UTC
Last seen:2022-10-28 17:31:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep 3072:QahKyd2n3165+HAsZsJBh6aH1wQwpSbr:QahOpqhvSn
TLSH T1ACD459C233949127E8579A301EA3C3DA8769FE91AE3530473368F76E173ADD25E64B01
TrID 83.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e0e0c09898c8e060 (1 x IceXLoader)
Reporter andretavare5
Tags:exe IceXLoader


Avatar
andretavare5
Sample downloaded from https://vk.com/doc733883836_657474796?hash=ZyqBZvfKL3zoZtY6DijPQo7r4ZbfmVaWLDZBJt4FTJ0&dl=G4ZTGOBYGM4DGNQ:1666634870:cKZsAwvK3u99iWpxIZufOlGdLaFwSOJ3N8iutKOjbg8&api=1&no_preview=1#bis1410

Intelligence

File Origin
# of uploads :
83
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-10-24 18:29:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e667315c-40c3-4bc2-88b2-be26b56a2ea1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323600/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file in the system32 subdirectories
Sending an HTTP GET request
Creating a file
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45111/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fa3a65e9-f77e-43d0-83c7-4e9b4add33e3
Result
Threat name:
IceXLoader
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1096851
Signature
.NET source code contains potential unpacker
Creates multiple autostart registry keys
Disables Windows Defender (via service or powershell)
Drops PE files to the startup folder
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Yara detected Costura Assembly Loader
Yara detected IceXLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729492 Sample: file.exe Startdate: 24/10/2022 Architecture: WINDOWS Score: 92 110 Snort IDS alert for network traffic 2->110 112 Multi AV Scanner detection for domain / URL 2->112 114 Yara detected IceXLoader 2->114 116 2 other signatures 2->116 12 file.exe 1 3 2->12         started        16 Opus.exe 3 2->16         started        19 Opus.exe 2->19         started        21 2 other processes 2->21 process3 dnsIp4 84 C:\Users\user\AppData\Local\...\STOREM~2.EXE, PE32 12->84 dropped 132 Creates multiple autostart registry keys 12->132 23 STOREM~2.EXE 15 4 12->23         started        86 192.168.2.1 unknown unknown 16->86 88 www.filifilm.com.br 16->88 90 filifilm.com.br 16->90 134 Encrypted powershell cmdline option found 16->134 27 powershell.exe 16->27         started        92 www.filifilm.com.br 19->92 94 filifilm.com.br 19->94 29 powershell.exe 19->29         started        96 www.filifilm.com.br 21->96 98 filifilm.com.br 21->98 31 powershell.exe 21->31         started        file5 signatures6 process7 dnsIp8 106 filifilm.com.br 108.179.193.18, 443, 49695, 49696 UNIFIEDLAYER-AS-1US United States 23->106 108 www.filifilm.com.br 23->108 126 Encrypted powershell cmdline option found 23->126 128 Drops PE files to the startup folder 23->128 130 Injects a PE file into a foreign processes 23->130 33 STOREM~2.EXE 2 2 23->33         started        37 powershell.exe 16 23->37         started        39 conhost.exe 27->39         started        41 conhost.exe 29->41         started        43 conhost.exe 31->43         started        signatures9 process10 file11 78 C:\Users\user\AppData\Roaming\Opus.exe, PE32 33->78 dropped 80 C:\Users\user\AppData\Roaming\...\Opus.exe, PE32 33->80 dropped 82 unknown (copy), PE32 33->82 dropped 118 Creates multiple autostart registry keys 33->118 45 cmd.exe 1 33->45         started        48 cmd.exe 1 33->48         started        50 conhost.exe 37->50         started        signatures12 process13 signatures14 136 Disables Windows Defender (via service or powershell) 45->136 52 Opus.exe 14 4 45->52         started        56 conhost.exe 45->56         started        58 timeout.exe 1 45->58         started        60 conhost.exe 48->60         started        62 timeout.exe 1 48->62         started        process15 dnsIp16 102 www.filifilm.com.br 52->102 104 filifilm.com.br 52->104 120 Encrypted powershell cmdline option found 52->120 122 Injects a PE file into a foreign processes 52->122 64 Opus.exe 52->64         started        67 powershell.exe 52->67         started        signatures17 process18 dnsIp19 100 stealthelite.one 64->100 69 cmd.exe 64->69         started        72 conhost.exe 67->72         started        process20 signatures21 124 Disables Windows Defender (via service or powershell) 69->124 74 conhost.exe 69->74         started        76 powershell.exe 69->76         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac/
Threat name:
ByteCode-MSIL.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2022-10-24 19:16:52 UTC
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jhlfkkxfyubhzypgr3poeq4fms2q3xbyij3p3fzwbsjfan3r2owa._file
Verdict:
malicious
Result
Malware family:
icexloader
Create hunting rule
Score:
  10/10
Tags:
family:icexloader loader persistence
Link:
https://tria.ge/reports/221024-w4ww2aaae7/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Detects IceXLoader v3.0
icexloader
Malware Config
C2 Extraction:
http://stealthelite.one/magnumopus/Script.php
Unpacked files
SH256 hash:
49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac
MD5 hash:
cb90f4dd9eb3424268b20a1581668acd
SHA1 hash:
136a226e0f56c7bf53822ab116ea4304b8a636e6
Link:
https://www.unpac.me/results/d7d4e616-f7b6-41cd-aaf4-8a83a5cd7cd1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/323600/

Comments