MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52d3dd78d3f1a14e18d0689ed8c5b43372f9e76401ef1ff68522575e6251d2cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52d3dd78d3f1a14e18d0689ed8c5b43372f9e76401ef1ff68522575e6251d2cf
SHA3-384 hash: 31bcc2bb4c710880eef0fee7a21fa386f037475716b02b415dbea9c8351c24de159b72ac2c5d713922ecaae1dfb46d17
SHA1 hash: 704b84d525eefca6fa7eeb1cf0c94f861310c224
MD5 hash: 2f4f205baba0b637386e781057c2163d
humanhash: utah-one-avocado-magnesium
File name:Docs_Inv_April_11_450.exe
Download: download sample
Signature IcedID
Create hunting rule
File size:131'168 bytes
First seen:2023-04-12 05:11:27 UTC
Last seen:2023-04-12 05:34:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c0db22558d1245a720459dbfc128cdf3 (3 x IcedID)
ssdeep 3072:D4Mrq59cNGzs1YNgG4kj4va2UiPJIx/V:MRuGzYIKax
Threatray 1'163 similar samples on MalwareBazaar
TLSH T1A2D38D4BAF1BDCF7C8024731A9E643080337E6611BC66B0F2D258D794A577B4EF8A685
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter malware_traffic
Tags:BokBot exe IcedID signed

Code Signing Certificate

Organisation:Southern Wall Systems, LLC
Issuer:SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-27T15:32:55Z
Valid to:2024-03-26T15:32:55Z
Serial number: 40e27b7404aa9b485f8a2fc0c8e53af3
Intelligence: 14 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 1c46f0a782730fd80b70849ca2133c5f8ba81feaebababb95157a24eaea682e7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
353
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Docs_Inv_April_11_450.exe
Verdict:
No threats detected
Analysis date:
2023-04-12 05:14:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/896f661d-5d51-4a34-a60b-92bcaa785ff1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
IcedIDLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/381638/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.9980.9676.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/77508/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/64363da4f40ab7ac37f95c35/reports/65e96c3d-868e-47fd-810d-d42b80233dd2/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/52d3dd78d3f1a14e18d0689ed8c5b43372f9e76401ef1ff68522575e6251d2cf
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GzipLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/767a8a0b-90b6-4c35-a486-89009479afe8
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1212247
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found API chain indicative of debugger detection
Malicious sample detected (through community Yara rule)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52d3dd78d3f1a14e18d0689ed8c5b43372f9e76401ef1ff68522575e6251d2cf/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2023-04-12 05:12:07 UTC
File Type:
PE+ (Exe)
Extracted files:
13
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=klj526gt6gqu4ggqncpnrrnugnzptz3eahxr75ufejlv4ysr2lhq._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
1d5cfd8ac58bd64648110862f39ccc421ad58920e99ed948de2dd832e6ecd0a4
IcedID
43ba07032ca007ed25935ef123c2d408b2f4fd1f0e428b5d03b58b476da336da
IcedID
534698f7d1d4f0fae6e100b64f27c48fd167bd238cc9279ad2e4bd4f5411cc9d
IcedID
a015f40cfa1ca770c0c7fa901974ad6178f2b913659aea1486fcc307fd735e8e
IcedID
cab63e05a4a6f0b825acb077ba6a1bbb3657488c584882124a31c45dfb39515d
IcedID
+ 1'153 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid campaign:1401071739 banker loader trojan
Link:
https://tria.ge/reports/230412-fvvdvaaa94/
Behaviour
Suspicious behavior: EnumeratesProcesses
IcedID, BokBot
Malware Config
C2 Extraction:
shoterqana.com
Unpacked files
SH256 hash:
fd37c98782453214bab6484f6045b796a5a3dc7ebba9a894f6783817eef6c9c7
MD5 hash:
0b8f38766c27c250db7919b10edf0d72
SHA1 hash:
e70020640415e3b24a56755657d7b76cc09cb1ab
Detections:
IcedIDLoader
Create hunting rule
win_photoloader_auto
Create hunting rule
win_photoloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/9a3ecd30-7a24-429e-b60d-8f94d77f46b1/
Parent samples :
52d3dd78d3f1a14e18d0689ed8c5b43372f9e76401ef1ff68522575e6251d2cf
846dab665df0dd1febc5244482b955bf39dc92b80cee4561e0747b3d3c88a12c
d033105288280266f0336365245e18984c5fc684577beed5ad7430775ecd7c02
SH256 hash:
52d3dd78d3f1a14e18d0689ed8c5b43372f9e76401ef1ff68522575e6251d2cf
MD5 hash:
2f4f205baba0b637386e781057c2163d
SHA1 hash:
704b84d525eefca6fa7eeb1cf0c94f861310c224
Link:
https://www.unpac.me/results/9a3ecd30-7a24-429e-b60d-8f94d77f46b1/
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/52d3dd78d3f1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/52d3dd78d3f1a14e18d0689ed8c5b43372f9e76401ef1ff68522575e6251d2cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/381638/

Comments