MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c9abe0afdebd672666be2be89e7525fee09f58628f5568afd1212e978fa0d20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c9abe0afdebd672666be2be89e7525fee09f58628f5568afd1212e978fa0d20
SHA3-384 hash: a3d12b8b3dc06b0379fbf60d342e98d440a2cf4084d92e2e7cda4d0688c7ba6c9be5d6178a69f3c07aedb133b185424d
SHA1 hash: 5cccc29cdad921c2a755c856922d61ab5dbee966
MD5 hash: 43bc947bd8849f8f4b0d0626b88eea7e
humanhash: spaghetti-delta-muppet-robin
File name:43bc947bd8849f8f4b0d0626b88eea7e.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:687'104 bytes
First seen:2022-07-10 10:35:14 UTC
Last seen:2022-07-10 12:00:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 882e11ed7b405b18a8dee32efc241a90 (4 x IcedID)
ssdeep 12288:roBmUG1wwQS2ijcSBC6nTSYkFzGC9055EnY/WAlibW4pBMLbN9vbu42oGHvAPIdI:rTUkQ5CTSYkFX9o5EnWllibZpBMvN5b3
Threatray 398 similar samples on MalwareBazaar
TLSH T1EAE4B0B875047DD6A67F577BDA96ACDC13B627228ACBA8CC806477C305A3375FE02805
TrID 33.6% (.EXE) OS/2 Executable (generic) (2029/13)
33.1% (.EXE) Generic Win/DOS Executable (2002/3)
33.1% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:dll exe IcedID


Avatar
abuse_ch
IcedID C2:
carismorth.com

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
carismorth.com https://threatfox.abuse.ch/ioc/823203/

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Detection:
IcedIDLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/285871/
Detection(s):
SecuriteInfo.com.Variant.Cerbu.146883.3920.32135.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62caab9311764e36f82bd0d5/reports/2ab2b510-60db-449a-99ba-3415efba5b37/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fe87c2b-bc0d-47e9-b3ad-d643117a57e7
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1027964
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c9abe0afdebd672666be2be89e7525fee09f58628f5568afd1212e978fa0d20/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2022-07-10 10:36:07 UTC
File Type:
PE+ (Dll)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jsnl4cx55plheztl4k7itz2sl7xat5mgfd2vncx5cijos6h2buqa._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7
IcedID
0a497cdeb92189e1611c15669897de70e8aed2be2484346686252bea387abfa4
IcedID
2cd9b1c996463ca8295174726beeae03dc4da9ec8d6de127cc1c093597fa1a9b
IcedID
3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109
IcedID
4b312a119321503383fbf9aaf65659046656096a7551d5a581f5cbb0055493c3
IcedID
6302f08805736a80b939c7b4e226bc7c0201c8ea567f0aaa5ac058c87c6c829f
IcedID
670790c8b4649865ef391bac63417c00ffbaa203c5df36d6c9720832b0949dcb
IcedID
87b3990d898a8ccdaf5b4ef9b4c39150e21fb120293bbbd5c139bf3ec94072a9
IcedID
fd0e07ec492cb76abaca206083a13f5cad0a3ed563495c852f13b4876e63974c
IcedID
+ 388 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid campaign:1060798742 banker loader suricata trojan
Link:
https://tria.ge/reports/220710-mm8d3abaek/
Behaviour
Suspicious behavior: EnumeratesProcesses
Blocklisted process makes network request
IcedID, BokBot
suricata: ET MALWARE Win32/IcedID Request Cookie
Malware Config
C2 Extraction:
carismorth.com
Unpacked files
SH256 hash:
4c9abe0afdebd672666be2be89e7525fee09f58628f5568afd1212e978fa0d20
MD5 hash:
43bc947bd8849f8f4b0d0626b88eea7e
SHA1 hash:
5cccc29cdad921c2a755c856922d61ab5dbee966
Link:
https://www.unpac.me/results/08ccd2d2-03e9-4f16-8daf-e8db787daae7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4c9abe0afdebd672666be2be89e7525fee09f58628f5568afd1212e978fa0d20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SPLCrypt
Create hunting rule
Author:James Quinn, Binary Defense
Description:Identifies SPLCrypt, a new crypter associated with Bazaloader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/285871/

Comments