MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78cba4c94ad3bbf06a43904c0281b95178aa56bcc56c14a6af48a7a151e1d360. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID


Vendor detections: 7

SHA256 hash: 78cba4c94ad3bbf06a43904c0281b95178aa56bcc56c14a6af48a7a151e1d360
SHA3-384 hash: 69943f738022c645f6cf3618b6d407762efa4b1a83c6cbe297afa735c7840ae0bd57ceeaf8d76e4131032f244b17a370
SHA1 hash: 5b0642bc161297c7fa9a9a8827122debbbc39ec3
MD5 hash: 90694887bc0e78bc7deaefaa3de0f2d1
humanhash: aspen-north-cat-twelve
File name: ~1636796.exe
Signature: IcedID
File size: 665'088 bytes
First seen: 2020-10-15 01:29:46 UTC
Last seen: 2020-10-15 03:03:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 40d2568a983f1b5f506b8bdf83e17013 (1 x IcedID)
ssdeep: 12288:zSXk1RJEzbi3cuh/IElBv3JhTfxgIQXHDpYlSJEIG6x1ao:MOssRpIElBv3JhdgvHDyEa
Threatray: 643 similar samples on MalwareBazaar
TLSH: 59E43B00A741D039E5F725F94AAE623DA72DBAD15B1092C792C817FE9F259F06E3034B
Reporter: malware_traffic
Tags: exe IcedID Shathak TA551

Intelligence


File Origin
# of uploads: 2
# of downloads: 148
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Connection attempt
Result
Threat name: Unknown
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains VNC / remote desktop functionality (version string found)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Early bird code injection technique detected
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 298386; sample ~1636796.exe; start date 15/10/2020; architecture WINDOWS; score 100). The page renders this as an image; the process tree, network contacts, dropped files and per-process signatures it contains are reproduced here as text:

Analysis start
  signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Contains VNC / remote desktop functionality (version string found); 3 other signatures
  ~1636796.exe (submitted sample)
    network: novemberdejudge.cyou (143.110.176.28, port 443, local ports 49741 and 49742, ASN COLLEGE-OF-ST-SCHOLASTICAUS, United States); minishtab.cyou
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Early bird code injection technique detected; 5 other signatures
    msiexec.exe
      network: minishtab.cyou; novemberdejudge.cyou
      dropped: C:\Users\user\AppData\...\Tetuuluo64.exe (PE32); C:\Users\user\AppData\Local\...\sqlite64.dll (PE32+)
      signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Tries to detect virtualization through RDTSC time measurements; Performs a network lookup / discovery via net view
      systeminfo.exe
        signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
        conhost.exe
      cmd.exe
        conhost.exe
        chcp.com
      net.exe
        conhost.exe
        net1.exe
      6 other processes
        conhost.exe (3 instances)
        3 other processes
  Tetuuluo64.exe (dropped binary, started separately from the analysis start)
Threat name: Win32.Trojan.IcedID
Status: Malicious
First seen: 2020-10-15 01:31:06 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: trojan banker family:icedid
Behaviour
IcedID Core Payload
IcedID, BokBot
Unpacked files
SHA256 hash: 78cba4c94ad3bbf06a43904c0281b95178aa56bcc56c14a6af48a7a151e1d360
MD5 hash: 90694887bc0e78bc7deaefaa3de0f2d1
SHA1 hash: 5b0642bc161297c7fa9a9a8827122debbbc39ec3
SHA256 hash: 600c94128a3130b996760f06327ca50aa40d3e90344256000f7fa173ab200ac8
MD5 hash: f041243ba9b971c1fe1ba37024fb6a2a
SHA1 hash: 27895b0ea34a7d16491a5c1ae5e811f0b72bdb61
Please note that we are no longer able to provide a coverage score for VirusTotal.
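The indicators on this entry (sample and unpacked-payload hashes, the two contacted domains, the reported IP, and the dropped file names from the behaviour graph) can be turned into a small offline matcher. The Python below is an added example, not MalwareBazaar code or tooling: the sample bytes, log lines and file paths it checks are constructed for the demonstration, and the dropped-file check compares file names only because the page elides the directories.

```python
"""Offline IOC matcher built from the indicators listed on this MalwareBazaar entry.

Added example, not MalwareBazaar code. SAMPLE_LOG and SAMPLE_PATHS below are
constructed inputs, not data from the sandbox run.
"""
import hashlib
import re

# File hashes listed on the entry (submitted sample and the unpacked payload).
KNOWN_HASHES = {
    "sha256": {
        "78cba4c94ad3bbf06a43904c0281b95178aa56bcc56c14a6af48a7a151e1d360",
        "600c94128a3130b996760f06327ca50aa40d3e90344256000f7fa173ab200ac8",
    },
    "sha1": {
        "5b0642bc161297c7fa9a9a8827122debbbc39ec3",
        "27895b0ea34a7d16491a5c1ae5e811f0b72bdb61",
    },
    "md5": {
        "90694887bc0e78bc7deaefaa3de0f2d1",
        "f041243ba9b971c1fe1ba37024fb6a2a",
    },
}
# Network indicators from the behaviour graph.
KNOWN_DOMAINS = {"novemberdejudge.cyou", "minishtab.cyou"}
KNOWN_IPS = {"143.110.176.28"}
# Dropped-file names from the behaviour graph (directories are elided on the page).
DROPPED_NAMES = {"tetuuluo64.exe", "sqlite64.dll"}

# Constructed DNS/proxy log lines; only lines 1, 2 and 4 touch listed indicators.
SAMPLE_LOG = [
    "2020-10-15T01:30:02Z dns query=novemberdejudge.cyou type=A client=10.0.0.7",
    "2020-10-15T01:30:03Z proxy CONNECT 143.110.176.28:443 user=alice",
    "2020-10-15T01:30:05Z dns query=update.microsoft.com type=A client=10.0.0.7",
    "2020-10-15T01:31:10Z dns query=cdn.minishtab.cyou type=A client=10.0.0.9",
]
# Constructed file paths; the second one is a legitimate-looking name that must not match.
SAMPLE_PATHS = [
    r"C:\Users\bob\AppData\Roaming\Tetuuluo64.exe",
    r"C:\Windows\System32\sqlite3.dll",
    r"C:\Users\bob\AppData\Local\Temp\sqlite64.dll",
]

DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hash_matches(data: bytes) -> set:
    """Return the names of the hash algorithms whose digest of `data` is listed on the entry."""
    digests = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }
    return {algo for algo, digest in digests.items() if digest in KNOWN_HASHES[algo]}


def network_hits(log_lines):
    """Return (line_number, indicator) pairs for lines naming a listed domain or IP.

    Domains match as whole host names or as subdomains of a listed domain, never as
    arbitrary substrings, so 'minishtab.cyou.example.org' would not match.
    """
    hits = []
    for number, line in enumerate(log_lines, 1):
        for host in DOMAIN_RE.findall(line):
            host = host.lower().rstrip(".")
            if host in KNOWN_DOMAINS or any(host.endswith("." + d) for d in KNOWN_DOMAINS):
                hits.append((number, host))
        for ip in IP_RE.findall(line):
            if ip in KNOWN_IPS:
                hits.append((number, ip))
    return hits


def dropped_file_hits(paths):
    """Return the paths whose final component is one of the dropped file names."""
    return [
        p for p in paths
        if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in DROPPED_NAMES
    ]


if __name__ == "__main__":
    # A constructed PE-looking blob; it will not hash to any listed value.
    print("hash matches:", hash_matches(b"MZ\x90\x00 constructed, not the real sample"))
    print("network hits:", network_hits(SAMPLE_LOG))
    print("dropped files:", dropped_file_hits(SAMPLE_PATHS))
```

The domain check deliberately uses a suffix match rather than a substring match so that a host such as cdn.minishtab.cyou is caught while an unrelated domain containing the same string is not. The IP match is the weakest of the three: 143.110.176.28 is the address the sandbox observed on 2020-10-15, and hosting IPs are reused, so treat an IP hit as a lead to confirm against the domains rather than a verdict on its own.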

File information


The table below shows additional information about this malware sample such as delivery method and external references.
