MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d076fe2d93a9ebd5701eb7a1acab37e9d390df7f50e6d155c6c7289934d2b54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID
Vendor detections: 8



SHA256 hash: 8d076fe2d93a9ebd5701eb7a1acab37e9d390df7f50e6d155c6c7289934d2b54
SHA3-384 hash: 43e769e8dd1f24cd36283df262a1d146fc748d22912d80314cc6470c4cd231c14e5c11e43c3b0117f9711b182bf8d26f
SHA1 hash: 891a3d819556a94d3298bee3161c966e9ded57de
MD5 hash: e3212819b88bb83950bd7c0402766adc
humanhash: sink-ten-texas-jig
File name: e3212819b88bb83950bd7c0402766adc.dll
Signature: IcedID
File size: 243'712 bytes
First seen: 2023-02-22 11:02:51 UTC
Last seen: 2023-02-23 19:49:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 54925e4d4b64f20cd15c3aad10271f30 (1 x IcedID)
ssdeep: 6144:WFn7x2URlA+OSKMVD4cBrOnoEo7Xz62eV:sMU3VmcBWoEw+
Threatray: 28 similar samples on MalwareBazaar
TLSH: T171349E0AB6962CB5EC739532C8535A0AE6353C511324DBBF0314877AFE2F7919A77B20
TrID: 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter: abuse_ch
Tags: dll exe IcedID

Intelligence

File Origin
# of uploads: 4
# of downloads: 247
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e3212819b88bb83950bd7c0402766adc.dll
Verdict: No threats detected
Analysis date: 2023-02-22 11:27:36 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
Sending a custom TCP request

Verdict: No Threat
Threat level: 2/10
Confidence: 67%
Tags: greyware

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
[Behavior graph rendered as an image on the original page; the details recoverable from it follow.]
Behavior Graph ID: 812884; Sample: host.dll; Start date: 21/02/2023; Architecture: WINDOWS; Score: 100
Signatures shown in the graph: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 3 other signatures; System process connects to network (likely due to code injection or exploit); Contains functionality to detect hardware virtualization (CPUID execution measurement); Tries to detect virtualization through RDTSC time measurements
Processes started: loaddll64.exe; rundll32.exe (several instances); WerFault.exe (several instances); conhost.exe; 5 other processes
Network: noosaerty.com; palasedelareforma.com 37.252.6.77 port 443 (NEPHAX-ASPL, United Kingdom); ituitem.net 5.61.47.8 port 443 (LEASEWEB-DE-FRA-10DE, United Kingdom); 2 other IPs or domains; 192.168.2.1 (unknown)
Dropped files: C:\Users\user\AppData\Roaming\...\ugruuo2.dll (PE32+); C:\Users\user\AppData\Local\...\ostrich32.tmp (PE32+)
Threat name: Win64.Trojan.IcedID
Status: Malicious
First seen: 2023-02-21 22:32:10 UTC
File Type: PE+ (Dll)
Extracted files: 1
AV detection: 19 of 25 (76.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Program crash

Unpacked files
SHA256 hash: 8d076fe2d93a9ebd5701eb7a1acab37e9d390df7f50e6d155c6c7289934d2b54
MD5 hash: e3212819b88bb83950bd7c0402766adc
SHA1 hash: 891a3d819556a94d3298bee3161c966e9ded57de
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download | IcedID | Executable exe 8d076fe2d93a9ebd5701eb7a1acab37e9d390df7f50e6d155c6c7289934d2b54 (this sample)

Delivery method: Distributed via web download