MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66544c0d152db0cd4b46d6571381faafae70ce85f309a7e1990ea1bbb3b99017. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66544c0d152db0cd4b46d6571381faafae70ce85f309a7e1990ea1bbb3b99017
SHA3-384 hash: 26f4c683e73ad04c542961ba6525f5a4cedad28805bfd19c2c6ce2d89de23e8474218c99d403e9ea5d94ba57f1d7bda9
SHA1 hash: 62ccc389f89c5ea0cb42673c75dc395b36037fb5
MD5 hash: 3e89ed95c8e7fc7ef996ba83297556f7
humanhash: early-football-cold-ack
File name:Opdopbsaed.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:631'808 bytes
First seen:2023-10-31 17:05:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b31ea98cca713b7e0ebd77013bfa9149 (2 x IcedID)
ssdeep 12288:e/cYjwx7s0zXoBA5ozd6IDqk0MzkC4sEEqtQGfbjcED/l6ZCJj:XYMx7s07h5ozdDntzTPEEVGfbjRD/l64
Threatray 64 similar samples on MalwareBazaar
TLSH T1A0D4F11877984CB5EC728139CD63A946E7B3B8264661DE2F03A0579EDF2F3606437722
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter smica83
Tags:exe IcedID TA571

Intelligence

File Origin
# of uploads :
1
# of downloads :
431
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457421/
Detection(s):
Win.Packed.Ulise-10012972-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin masquerade packed shell32
Link:
https://www.filescan.io/uploads/654133fba6fa5eab936bee0a/reports/b2ff5098-b9f9-4ede-9356-396100f393a1/overview
Verdict:
Malicious
Labled as:
Ulise.Generic
Link:
https://www.hybrid-analysis.com/sample/66544c0d152db0cd4b46d6571381faafae70ce85f309a7e1990ea1bbb3b99017
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7bc954d4-3ec0-4c24-ba25-d65470d0efe6
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335007
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335007 Sample: Opdopbsaed.dll.exe Startdate: 31/10/2023 Architecture: WINDOWS Score: 100 29 skrechelres.com 2->29 31 jkbarmossen.com 2->31 33 3 other IPs or domains 2->33 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 Antivirus detection for dropped file 2->45 47 4 other signatures 2->47 8 loaddll64.exe 1 2->8         started        11 rundll32.exe 2->11         started        signatures3 process4 signatures5 49 Contains functionality to detect hardware virtualization (CPUID execution measurement) 8->49 51 Tries to detect virtualization through RDTSC time measurements 8->51 13 regsvr32.exe 3 8->13         started        18 cmd.exe 1 8->18         started        20 rundll32.exe 8->20         started        22 3 other processes 8->22 process6 dnsIp7 35 evinakortu.com 94.232.46.27, 443, 49722, 49723 WELLWEBNL Russian Federation 13->35 37 jerryposter.com 77.105.140.181, 443, 49716, 49718 PLUSTELECOM-ASRU Russian Federation 13->37 39 3 other IPs or domains 13->39 27 C:\Users\user\AppData\Roaming\...\Ocbimt.dll, PE32+ 13->27 dropped 57 System process connects to network (likely due to code injection or exploit) 13->57 59 Contains functionality to detect hardware virtualization (CPUID execution measurement) 13->59 61 Tries to detect virtualization through RDTSC time measurements 13->61 24 rundll32.exe 18->24         started        file8 signatures9 process10 signatures11 53 Contains functionality to detect hardware virtualization (CPUID execution measurement) 24->53 55 Tries to detect virtualization through RDTSC time measurements 24->55
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/66544c0d152db0cd4b46d6571381faafae70ce85f309a7e1990ea1bbb3b99017
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66544c0d152db0cd4b46d6571381faafae70ce85f309a7e1990ea1bbb3b99017/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2023-10-30 01:29:19 UTC
File Type:
PE+ (Dll)
Extracted files:
8
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mzkeydivfwym2s2g2zlrhap2v6xhbtuf6me2pymzb2q3xm5zsalq._file
Verdict:
malicious
Similar samples:
09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707
IcedID
0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4
IcedID
8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc
IcedID
b5bc094bbd3cc9ed9642938c98a480fa36e45d7d6e13adb8fe73f4315831291f
IcedID
b8c26e94d120e5193d02e67b46313427744398e3654c9c0f43b6e517d89013b4
IcedID
caa09099489dc5dcd994adf43661f299a8ef955e0077187ff1a529fd57337281
IcedID
ead7621affb3dcfa1137359639f3df8060fca2e5aafd65322a7d67745726b88c
IcedID
f8036b4993d07ca0d117b299c9111370cfbb01c69da2ee831d8064c7f0da899e
IcedID
f88d55b9c8e1b7c93350a046afd38c8ab4dda64821e23592f51fe0f90c309399
IcedID
fb9f13f4f0c36adf1afbffefc66ebe94a96d9f09e9b9c35e47bac5cea97abacb
IcedID
+ 54 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231031-vmeqrabe4s/
Behaviour
Uses Task Scheduler COM API
Unpacked files
SH256 hash:
3351db381fab3ae6cb0f8819c471b352ec55fc5aca791d76f17e4ebf11ea6d39
MD5 hash:
78a1c4ffd1e89195b63bcbc1645384e1
SHA1 hash:
3e6e064b36874db5603cd68fe3b3533eff23b76d
Detections:
IcedIDCoreLoaderFork
Create hunting rule
Link:
https://www.unpac.me/results/6ef8494a-9ee0-40a1-8359-cb56810c15f8/
Parent samples :
766653b6e5db8d5ffc46735bc95d73aa75ec2e3776136076f76a1fd6483518c5
5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
f8036b4993d07ca0d117b299c9111370cfbb01c69da2ee831d8064c7f0da899e
66544c0d152db0cd4b46d6571381faafae70ce85f309a7e1990ea1bbb3b99017
SH256 hash:
66544c0d152db0cd4b46d6571381faafae70ce85f309a7e1990ea1bbb3b99017
MD5 hash:
3e89ed95c8e7fc7ef996ba83297556f7
SHA1 hash:
62ccc389f89c5ea0cb42673c75dc395b36037fb5
Link:
https://www.unpac.me/results/6ef8494a-9ee0-40a1-8359-cb56810c15f8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66544c0d152db0cd4b46d6571381faafae70ce85f309a7e1990ea1bbb3b99017

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/457421/

Comments