MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 714616fe3515adc2c2b44781aed900a9e8e37cc4e7239be92f1ca668f40945bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 714616fe3515adc2c2b44781aed900a9e8e37cc4e7239be92f1ca668f40945bd
SHA3-384 hash: 7eba98ca3c0c8f0e0775445ab362119d3de344720d698bf5149598b56cffcb3a8d282d5c0756ae3f7b67e4a40f6cf426
SHA1 hash: 0f283ca3c4041e3f915af729371405bec94c50b8
MD5 hash: c2326f5c2286b6272f7acde3e2d2915b
humanhash: mockingbird-jupiter-angel-wisconsin
File name:c2326f5c2286b6272f7acde3e2d2915b.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:1'138'688 bytes
First seen:2021-12-06 16:45:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 41c5062490a03a46399e3adf1715b1aa (1 x IcedID, 1 x BazaLoader)
ssdeep 24576:izOPAC+uOkZAw8pOKJXpQhpwxYn6OK8g7YJQNeV:izqGcAw8pVOSU
TLSH T19F35AD0A325942A8D077D07CC9934B62E6B1B4058330ABDB13F557AE2F277E25A7FB11
Reporter abuse_ch
Tags:dll exe IcedID

Intelligence

File Origin
# of uploads :
1
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a.exe
Verdict:
No threats detected
Analysis date:
2021-12-06 18:01:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f7a9c651-00ca-43ad-934a-2b7b83576aab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211877/
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61ae3e4dfa72c81b5b0eab31/reports/cfb11bea-f0b0-4ffa-87f7-e6397229d9e7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/58d0d330-708a-4859-9938-7e41a7cf57ec
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/902474
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 534960 Sample: C6PVEBqUeR.dll Startdate: 06/12/2021 Architecture: WINDOWS Score: 68 19 Multi AV Scanner detection for domain / URL 2->19 21 Found malware configuration 2->21 23 Yara detected IcedID 2->23 25 C2 URLs / IPs found in malware configuration 2->25 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 4 other processes 7->15 process5 17 rundll32.exe 9->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/714616fe3515adc2c2b44781aed900a9e8e37cc4e7239be92f1ca668f40945bd/
Threat name:
Win64.Trojan.Rozena
Create hunting rule
Status:
Suspicious
First seen:
2021-12-06 16:46:15 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211206-t9ztrseegp/
Unpacked files
SH256 hash:
714616fe3515adc2c2b44781aed900a9e8e37cc4e7239be92f1ca668f40945bd
MD5 hash:
c2326f5c2286b6272f7acde3e2d2915b
SHA1 hash:
0f283ca3c4041e3f915af729371405bec94c50b8
Link:
https://www.unpac.me/results/bc8d2988-f324-4933-971a-0b607ac1e0d4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/714616fe3515adc2c2b44781aed900a9e8e37cc4e7239be92f1ca668f40945bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/211877/

Comments