MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca
SHA3-384 hash:	a4c6c2b781b788277630911a5e8e42f8b6a73d0ae857fe144441f6ca0e3386f37d25629360719797b299c54523e18757
SHA1 hash:	b10fb1c24b1d4187e24ee1be76b6247b862b214c
MD5 hash:	bb7da19e0399724519724d44d7c331c7
humanhash:	timing-robin-sierra-rugby
File name:	0317-1.bin
Download:	download sample
Signature	IcedID Create hunting rule
File size:	335'872 bytes
First seen:	2023-10-11 23:45:45 UTC
Last seen:	2023-10-12 00:41:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e7125b885fcd1eea77d2881eaaa53c4d (6 x IcedID)
ssdeep	6144:yN/F41OWGRkFtwxW6spj/JbUaeboh6EReEUHFmUC3qS7e/g1j:y5FCOWGRayW6sAowXFmUy4U
Threatray	39 similar samples on MalwareBazaar
TLSH	T12564BF4976D80CB9EDB39238C8576545EA72BC150374D66F03A0835ADF2FB90A92FF21
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	JAMESWT_WT
Tags:	exe gestionhqse-com IcedID

Intelligence

File Origin

# of uploads :

# of downloads :

395

Origin country :

Vendor Threat Intelligence

Malware family:

icedid

ID:

File name:

inquiry[2023.10.11_08-07].vbs

Verdict:

Malicious activity

Analysis date:

2023-10-11 23:16:55 UTC

Tags:

icedid bokbot loader

Link:

https://app.any.run/tasks/6701665d-bf14-48e7-9c92-a476e1b38005

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/453581/

Detection(s):

SecuriteInfo.com.Win64.TrojanX-gen.17837.26135.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Enabling autorun by creating a file

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin masquerade packed

Link:

https://www.filescan.io/uploads/652733c3a29a7002139fb88f/reports/6465b74c-53d8-43ab-91a4-c6077031df1a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ee7d76cd-2b08-4438-86e0-eec02ac369d6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ly53mk2emnxvalrypvgabpk2ppa5aqbteauchdgnqexxhzwylhfa._file

Verdict:

malicious

Result

Malware family:

icedid

Score:

10/10

Tags:

family:icedid campaign:361893872 banker trojan

Link:

https://tria.ge/reports/231011-3scgksec35/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Loads dropped DLL

Blocklisted process makes network request

IcedID, BokBot

Unpacked files

SH256 hash:

798ae198bdcf45cd7138bf44d27cb5d9b14e47e4d9a9e6541be9fafd4b92d214

MD5 hash:

7e868fdc01742362e371ca903d64606f

SHA1 hash:

f42531a11fd04835f957346ba164967851291d1e

Detections:

IcedIDLoaderFork

Link:

https://www.unpac.me/results/d0f06688-b93e-4d39-8f50-3e6c85e9e969/

Parent samples :

a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c
5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca
f324bb47090d388fca1015260f66f67b708e8451292cd5679791792c90d5b711
42cea91c813a490a0b590932c940d796fadfc97765291506813b0ae6f2a42fed
ead7621affb3dcfa1137359639f3df8060fca2e5aafd65322a7d67745726b88c
03b25f3a6a6612eca075b0253d7e8ae6ee556bb5375ab7f38b408da15c1b6af9
8901e289c92449e47212b5e6e948ee1d12e9d809af9026ea39834f595bc9f238

SH256 hash:

5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca

MD5 hash:

bb7da19e0399724519724d44d7c331c7

SHA1 hash:

b10fb1c24b1d4187e24ee1be76b6247b862b214c

Link:

https://www.unpac.me/results/d0f06688-b93e-4d39-8f50-3e6c85e9e969/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TrojanSpy_EMOTET_W4 Create hunting rule
Author:	Ian Kenefick (Trend Micro)
Description:	Emotet x64 Loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/453581/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample