MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63770070208c532df8a7d41a391faff7c5280814bebd13b0b935f0fa80fc8e27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63770070208c532df8a7d41a391faff7c5280814bebd13b0b935f0fa80fc8e27
SHA3-384 hash: 318908b6b046509a2003a008cf69e96cc9244a2441e42ee0231dd7e7b25704098182a6f036c235b263357bc2a54d97bb
SHA1 hash: d7bfce77cad7d605e35538c2501a522015e3e3c2
MD5 hash: f425f1defd562e22a3a62fb5bc141cb1
humanhash: queen-violet-fruit-georgia
File name:3cbc08dc4f11379f6e080a7b6dad3e2f7c53202e08f461100f4ce4f5b869811a_unpacked
Download: download sample
Signature IcedID
Create hunting rule
File size:13'312 bytes
First seen:2022-05-11 05:48:29 UTC
Last seen:2022-05-11 06:42:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b8b6216613b83b9374da0ac1163e6c23 (4 x IcedID)
ssdeep 192:sHVMfa7TTCjJSixzPSAA56RCK7Yu/VPgw4oXBAQYfPq/3Kb:s1Mf0gJSix2AA56RCiZVqKGQYnq/6b
Threatray 223 similar samples on MalwareBazaar
TLSH T1C152079E272105CCD1BBD2BAC6112E13D2F238A40726875E04F0DDAF9F233126A6EF05
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter Rony
Tags:dll exe IcedID photoloader unpacked


Avatar
r0ny_123
unpacked sample of 3cbc08dc4f11379f6e080a7b6dad3e2f7c53202e08f461100f4ce4f5b869811a

Intelligence

File Origin
# of uploads :
2
# of downloads :
386
Origin country :
n/a
Vendor Threat Intelligence
Detection:
IcedIDLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/269608/
Detection(s):
SecuriteInfo.com.Trojan.IcedID.78.27179.32036.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17083/overview
Behaviour
MalwareBazaar
CallSleep
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware icedid shell32.dll
Link:
https://www.filescan.io/uploads/627b4e6746aa9938705cd10e/reports/95c64bba-b893-4e69-97e9-773a358abe03/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9da95d66-4c50-4aee-8f5a-eab8cc7872d4
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991621
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Delayed program exit found
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63770070208c532df8a7d41a391faff7c5280814bebd13b0b935f0fa80fc8e27/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2022-05-11 05:49:06 UTC
File Type:
PE+ (Dll)
AV detection:
19 of 41 (46.34%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mn3qa4barrjs36fh2qndsh5p67csqcaux26rhmfzgxypvah4rytq._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
0407d4283508af13a9616360c14796030d3e5669af0aca60c99ac11df3555a74
IcedID
071daa2f0bf9d587dd5a1abf995af47a25295242023c86ba8f3f95f1c317ddb6
IcedID
08d30d6646117cd96320447042fb3857b4f82d80a92f31ee91b16044b87929c0
IcedID
1b09fe2663baafee1ee17274c69ab41c98c6bfa1fd606bf75a40fa2756ff0f32
IcedID
2123ed9e1662ae4805361fb25f1389bcbbb096e0a975d98a133797481ed0ebcd
IcedID
96e2e63b51500cff2f266e0e4894a667b11d47245837bcb797b8899e04b16b8a
IcedID
a61b1d70d469b8ca7acdbd26fc859e6aeb229c4636fe9c92eac856914f326ac8
IcedID
e9a9233d64bd7c0ebab2f33ddece6ea0a97d8bd7ed45f9a43ef58557fd05e819
IcedID
eefc3f9adac700e0282849c294ac9dc7b6ef7caee0bad4ac88b9cd1f2d48bf34
IcedID
+ 213 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid campaign:3000901376 banker loader suricata trojan
Link:
https://tria.ge/reports/220511-gh1krsfgh8/
Behaviour
Suspicious behavior: EnumeratesProcesses
IcedID, BokBot
suricata: ET MALWARE Win32/IcedID Request Cookie
Malware Config
C2 Extraction:
yolneanz.com
Unpacked files
SH256 hash:
63770070208c532df8a7d41a391faff7c5280814bebd13b0b935f0fa80fc8e27
MD5 hash:
f425f1defd562e22a3a62fb5bc141cb1
SHA1 hash:
d7bfce77cad7d605e35538c2501a522015e3e3c2
Detections:
win_photoloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/cbc46a75-19b3-4d0f-97e5-4d79df190f66/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/63770070208c532df8a7d41a391faff7c5280814bebd13b0b935f0fa80fc8e27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_icedid_stage1
Create hunting rule
Author:Rony (@r0ny_123)
Description:Detects IcedID photoloader
Reference:https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html
Rule name:IcedIDLoader
Create hunting rule
Author:kevoreilly, threathive, enzo
Description:IcedID Loader
Rule name:IcedID_init_loader
Create hunting rule
Author:@bartblaze
Description:Identifies IcedID (stage 1 and 2, initial loaders).
Rule name:MALWARE_Win_IceID
Create hunting rule
Author:ditekSHen
Description:Detects IceID / Bokbot variants
Rule name:MAL_IcedID_GZIP_LDR_202104
Create hunting rule
Author:Thomas Barabosch, Telekom Security
Description:2021 initial Bokbot / Icedid loader for fake GZIP payloads
Reference:https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Rule name:win_iceid_gzip_ldr_202104
Create hunting rule
Author:Thomas Barabosch, Telekom Security
Description:2021 initial Bokbot / Icedid loader for fake GZIP payloads
Rule name:win_photoloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.photoloader.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269608/

Comments