MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID


Vendor detections: 7



SHA256 hash: 6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a
SHA3-384 hash: 0aaf71b9cbe89339e06c7feb354b42a47d2102b7efe06e10b2031821422b530d326ba3d69e7fef6fe82265722f157576
SHA1 hash: 3b72fecbabd585947cd9cf4b5d9c3795ab798d39
MD5 hash: 8dccd1c176f6b855e1a60b710d38a9e4
humanhash: mango-burger-mockingbird-delaware
File name: Accesshover.dat
Signature: IcedID
File size: 108'032 bytes
First seen: 2020-11-24 14:54:40 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 1ae6ba40e9dbf13143cd3d538d88f08a (3 x IcedID)
ssdeep: 1536:7yRkPsWxFcd3pTwfUzk9HVOgiNXUjgzIBN6wfIPP26pw5ad2pl/H7ZvoZMBu+FIx:7K803NwTyEcIBN6u+26pKvoZMBpSx
Threatray: 888 similar samples on MalwareBazaar
TLSH: 6FB37C02B3D18032E57F1A390532C6B28A3E7D504FE09DAB674A253D5F706E1A735F6A
Reporter: malware_traffic
Tags: dll IcedID Shathak TA551

Intelligence


File Origin
# of uploads: 1
# of downloads: 218
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Connection attempt
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Early bird code injection technique detected
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected IcedID
Behaviour
Behavior Graph:
Behavior Graph ID: 322154; Sample: Accesshover.dat; Startdate: 24/11/2020; Architecture: WINDOWS; Score: 100 (interactive graph not reproduced; node data recovered below)
Sample-level signatures: Yara detected IcedID; Contains VNC / remote desktop functionality (version string found); Uses net.exe to modify the status of services; 2 other signatures

Process tree recovered from the graph:
  loaddll32.exe
    regsvr32.exe
      network: initiativeuntimed.cyou 68.183.54.143, 443, 49753, 49757 DIGITALOCEAN-ASNUS United States; afromadness.club; 192.168.2.1 unknown unknown
      signatures: System process connects to network (likely due to code injection or exploit); Early bird code injection technique detected; Contains functionality to detect hardware virtualization (CPUID execution measurement); 4 other signatures
      msiexec.exe
        network: initiativeuntimed.cyou; afromadness.club; 3 other IPs or domains
        dropped: C:\Users\user\AppData\...\Huiqutmc3.dll (PE32); C:\Users\user\AppData\Local\...\sqlite64.dll (PE32+)
        signatures: Tries to steal Mail credentials (via file access); Changes memory attributes in foreign processes to executable or writable; Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
        systeminfo.exe
          signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
          conhost.exe
        cmd.exe
          conhost.exe
          chcp.com
        net.exe
          conhost.exe
          net1.exe
        6 other processes
          conhost.exe; conhost.exe; conhost.exe; 2 other processes
    cmd.exe
      iexplore.exe
        iexplore.exe
          network: img.img-taboola.com; edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49734, 49735 YAHOO-DEBDE United Kingdom; 9 other IPs or domains
  regsvr32.exe
    regsvr32.exe
Threat name:
Win32.Trojan.Zenpak
Status:
Malicious
First seen:
2020-11-24 14:55:05 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
21 of 29 (72.41%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:icedid banker trojan
Behaviour
Suspicious use of WriteProcessMemory
IcedID Core Payload
IcedID, BokBot
Unpacked files
SHA256 hash:
6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a
MD5 hash:
8dccd1c176f6b855e1a60b710d38a9e4
SHA1 hash:
3b72fecbabd585947cd9cf4b5d9c3795ab798d39
SHA256 hash:
3b5c4b0c804cfd2768b278dfb67ea95d0eb4af9627e222c4a3feff9bd478456f
MD5 hash:
8c2b3093a301e0d8a03b39d359c8759d
SHA1 hash:
8bc5ba96ed6db3ef8a1a2a32c9fa317e36b969d9
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments