MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55df2954add86715fc3d728459d79a6d2b88d34d9f23fafe9c5a573bb773d9e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55df2954add86715fc3d728459d79a6d2b88d34d9f23fafe9c5a573bb773d9e9
SHA3-384 hash: 2e90eec07c8914928cab6d6bcad18142f2e2f4d27fb680d6903ee4772abf06d6b914ae27d9a3bbe52d10d158dc2507bf
SHA1 hash: 0f964caafc104b44d371a71809f01ceca7a39128
MD5 hash: 89a0e6601d22c145a7dd5f5dd65b1f04
humanhash: virginia-foxtrot-maryland-hot
File name:su.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:154'112 bytes
First seen:2022-04-15 16:35:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1065bd24b1d3c49bf47020b0edf3bd79 (1 x IcedID)
ssdeep 3072:2c9iz7WflAhaj80fK+xzu7GfgD4B22PieLhHHQMH40Kb+vRk6pIo:b9JA6QGL226eIKi
Threatray 1 similar samples on MalwareBazaar
TLSH T198E38D07F2D200E7E47A8174C5A37952F77276410A64CF9F43684AE61F677B0DE2AB60
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter proxylife
Tags:exe IcedID

Intelligence

File Origin
# of uploads :
1
# of downloads :
409
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
su.dll
Verdict:
No threats detected
Analysis date:
2022-04-15 16:38:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/97cd1d3f-2dd5-46df-aac5-40b865f77836

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264009/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50138930.12407.22003.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13980/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware icedid
Link:
https://www.filescan.io/uploads/62599ef3ffe27d5119dc6b1a/reports/a80d7a2f-cae1-4873-906b-f7d69b3e8734/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec3a5660-0f3d-478b-8ac9-e6ff9f567946
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977481
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 609968 Sample: su.dll Startdate: 15/04/2022 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 4 other signatures 2->45 8 loaddll64.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 rundll32.exe 8->13         started        16 cmd.exe 1 8->16         started        18 6 other processes 8->18 dnsIp5 47 System process connects to network (likely due to code injection or exploit) 10->47 49 Contains functionality to detect hardware virtualization (CPUID execution measurement) 10->49 51 Tries to detect virtualization through RDTSC time measurements 10->51 20 WerFault.exe 20 9 10->20         started        37 ertimadifa.com 164.92.104.194, 49733, 80 ASN-DPSDUS United States 13->37 23 rundll32.exe 16->23         started        25 WerFault.exe 9 18->25         started        27 WerFault.exe 9 18->27         started        29 WerFault.exe 9 18->29         started        31 3 other processes 18->31 signatures6 process7 dnsIp8 35 192.168.2.1 unknown unknown 20->35 33 WerFault.exe 9 23->33         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55df2954add86715fc3d728459d79a6d2b88d34d9f23fafe9c5a573bb773d9e9/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2022-04-14 17:42:18 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kxpssvfn3btrl7b5okcftv42nuvyru2nt4r7v7u4ljltxn3t3huq._file
Verdict:
unknown
Similar samples:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
IcedID
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220415-t38hbscgh4/
Behaviour
Program crash
Unpacked files
SH256 hash:
55df2954add86715fc3d728459d79a6d2b88d34d9f23fafe9c5a573bb773d9e9
MD5 hash:
89a0e6601d22c145a7dd5f5dd65b1f04
SHA1 hash:
0f964caafc104b44d371a71809f01ceca7a39128
Link:
https://www.unpac.me/results/0dcf842f-8d34-43b0-b1b7-172967b0297d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55df2954add86715fc3d728459d79a6d2b88d34d9f23fafe9c5a573bb773d9e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SPLCrypt
Create hunting rule
Author:James Quinn, Binary Defense
Description:Identifies SPLCrypt, a new crypter associated with Bazaloader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

IcedID

Executable exe 55df2954add86715fc3d728459d79a6d2b88d34d9f23fafe9c5a573bb773d9e9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2148281/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2149483/
Cape
Cape
https://www.capesandbox.com/analysis/264009/

Comments