MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fa1fbd2c625269c408d515a7f7a2289e19f5f5d3cef46a96300212071215649. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 4

Intelligence 4 IOCs 1 YARA 11 File information Comments

SHA256 hash:	7fa1fbd2c625269c408d515a7f7a2289e19f5f5d3cef46a96300212071215649
SHA3-384 hash:	d39b17f69c26700c67728a9ac0d13e708dde3dce148b443d3fa1b4b5eb0290ceb6131cf8b46cd550d81a1137d55e0102
SHA1 hash:	6042bd527323c6288e6c9be94a125c9c02f6011e
MD5 hash:	478057d87e40aef6a71453c27eb77649
humanhash:	pennsylvania-item-equal-crazy
File name:	Setup_Win_18-01-2023_17-44-15.zip
Download:	download sample
Signature	IcedID Create hunting rule
File size:	994'496 bytes
First seen:	2023-01-18 18:56:14 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:lbUfL0i+PajZFE9K9sv3H8dybHNuJw9MqR8I3v13jjJIAFef:yzSCZFEEs/I6tuO9MqRljjGAFef
TLSH	T11225221901BA12B4C6F581BB57A8AE6362E3D8DC3205E6F0AA52710B76F3C170799C7D
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	malware_traffic
Tags:	3248465841 BokBot file-pumped IcedID qsertopinajil.com zip

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
qsertopinajil.com	https://threatfox.abuse.ch/ioc/1069691/

Intelligence

File Origin

# of uploads :

# of downloads :

188

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Setup_Win_18-01-2023_17-44-13.exe
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	734'455'880 bytes
SHA256 hash:	030e7b73e8d7bb187183f3087b8ec5756a8c71698f198754cf5299c86e044199
MD5 hash:	6718a804f5d5064fa3b918d844fd727d
De-pumped file size:	441'856 bytes (Vs. original size of 734'455'880 bytes)
De-pumped SHA256 hash:	b1ef43379c1af0ed2bbc2dd710df65a550b3b80cce1b734438e20c64f1d5a42e
De-pumped MD5 hash:	55fabc6b83edfba269d697a7973cb837
MIME type:	application/x-dosexec
Signature	IcedID

Vendor Threat Intelligence

Gathering data

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/7fa1fbd2c625269c408d515a7f7a2289e19f5f5d3cef46a96300212071215649

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7fa1fbd2c625269c408d515a7f7a2289e19f5f5d3cef46a96300212071215649/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p6q7xuwgeutjyqenkfnh66rcrhqz6x25htxunkldaaqsa4jbkzeq._file

Result

Malware family:

icedid

Score:

10/10

Tags:

family:icedid campaign:3248465841 banker loader trojan

Link:

https://tria.ge/reports/230118-ylyn1sda9t/

Behaviour

Suspicious behavior: EnumeratesProcesses

IcedID, BokBot

Malware Config

C2 Extraction:

qsertopinajil.com

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/7fa1fbd2c625269c408d515a7f7a2289e19f5f5d3cef46a96300212071215649

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	crime_win32_icedid_stage1 Create hunting rule
Author:	Rony (@r0ny_123)
Description:	Detects IcedID photoloader
Reference:	https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html

Rule name:	IcedIDLoader Create hunting rule
Author:	kevoreilly, threathive, enzo
Description:	IcedID Loader

Rule name:	IcedID_init_loader Create hunting rule
Author:	@bartblaze
Description:	Identifies IcedID (stage 1 and 2, initial loaders).

Rule name:	MALWARE_Win_IceID Create hunting rule
Author:	ditekSHen
Description:	Detects IceID / Bokbot variants

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_IcedID_0b62e783 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_IcedID_48029e37 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_IcedID_91562d18 Create hunting rule
Author:	Elastic Security

Rule name:	win_photoloader_a0 Create hunting rule
Author:	Daniel Plohmann
Description:	Detects win.photoloader.

Rule name:	win_photoloader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.photoloader.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample