MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c6371e81814edbcd2738. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 5


Intelligence 5 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c6371e81814edbcd2738
SHA3-384 hash: fe40e708e3825f52f19dad16ec0612fc27929ea9cccc5d8ce0c1043aef0e142742b738d5f22effc589b7aaaccc77d3d8
SHA1 hash: a39a2e78f941cd98542a6cd5c27d960e5e81c043
MD5 hash: dab66c277887c4fb2c55748681a768a1
humanhash: echo-charlie-maine-happy
File name:8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:347'648 bytes
First seen:2021-06-25 07:55:58 UTC
Last seen:2021-06-25 08:37:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b431941c337157e834b54d99a8a6e679 (3 x CobaltStrike, 2 x IcedID, 1 x Metasploit)
ssdeep 6144:rVRWiM5gaPSBqqadBXkjQLGwfgArtQLScLyt6Tt+hvwiOTRO9lQ9foF9:xRW7DPS8dBXu8byLetU+1wikR2
Threatray 109 similar samples on MalwareBazaar
TLSH 987422973AB07BBEEEDAB577A0D65DC13D7B23958D28BF8111042A435B97A4138290C3
Reporter abuse_ch
Tags:dll exe IcedID


Avatar
abuse_ch
IcedID C2:
feedbackportal.pro

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
feedbackportal.pro https://threatfox.abuse.ch/ioc/153599/

Intelligence

File Origin
# of uploads :
2
# of downloads :
489
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c.dll
Verdict:
No threats detected
Analysis date:
2021-06-25 07:59:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e641f695-fe4f-4721-8f1f-e796fd351d56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168273/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.8732.4536.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b7d2e06-4485-4dba-8889-6935068509a7
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/807993
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440404 Sample: 8f9b032ff6f56a685f4c6f9eb57... Startdate: 25/06/2021 Architecture: WINDOWS Score: 76 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected IcedID 2->61 7 loaddll64.exe 1 2->7         started        process3 dnsIp4 39 feedbackportal.pro 7->39 41 tp.8e49140c2-frontier.amazon.com 7->41 43 2 other IPs or domains 7->43 71 Contains functionality to detect hardware virtualization (CPUID execution measurement) 7->71 73 Tries to detect virtualization through RDTSC time measurements 7->73 11 cmd.exe 1 7->11         started        13 regsvr32.exe 7->13         started        17 rundll32.exe 7->17         started        19 20 other processes 7->19 signatures5 process6 dnsIp7 21 rundll32.exe 11->21         started        45 feedbackportal.pro 13->45 53 3 other IPs or domains 13->53 75 Contains functionality to detect hardware virtualization (CPUID execution measurement) 13->75 77 Tries to detect virtualization through RDTSC time measurements 13->77 47 feedbackportal.pro 17->47 55 2 other IPs or domains 17->55 79 System process connects to network (likely due to code injection or exploit) 17->79 49 feedbackportal.pro 19->49 51 feedbackportal.pro 19->51 57 11 other IPs or domains 19->57 25 iexplore.exe 2 156 19->25         started        signatures8 process9 dnsIp10 27 feedbackportal.pro 172.67.219.166, 49717, 49718, 49719 CLOUDFLARENETUS United States 21->27 29 tp.8e49140c2-frontier.amazon.com 21->29 35 2 other IPs or domains 21->35 63 System process connects to network (likely due to code injection or exploit) 21->63 65 Contains functionality to detect hardware virtualization (CPUID execution measurement) 21->65 67 Tries to evade analysis by execution special instruction which cause usermode exception 21->67 69 Tries to detect virtualization through RDTSC time measurements 21->69 31 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49756, 49757 YAHOO-DEBDE United Kingdom 25->31 33 dart.l.doubleclick.net 142.250.186.70, 443, 49736, 49737 GOOGLEUS United States 25->33 37 16 other IPs or domains 25->37 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c6371e81814edbcd2738/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r6nqgl7w6vvgqx2mn6plk54eqeowzgfkqoymmny6qgau5w6ne44a._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
194b0807d3cc0922a3d218b1628cf78c8bc01ba3e03446d1cf123469ffe045e2
IcedID
1c1cac311f126dd8a0a2b969af40fccbe62c6569fc9c1aea7ee7054f48f1d033
IcedID
35b236fbe87c82a8481485fcf00f3a08749e7a7b49bb2adbd6729c72906a1a60
IcedID
4411d8a69230284cb6238a2e8cf29878afbbef90935bb94d1a6f8d59af30c6cc
IcedID
5090fa74f83368086c1d197dcd28e51f8b36cd5d2c18e9a964d925a445ea0066
IcedID
58e1370fdd747d652f4c8e0dc59188f3dfabb6dfcd3491c6fe4b81c3305d5a46
IcedID
6c710694d270db91b550daf3177622514d2444e7484fb7a16aa2651cc20eb981
IcedID
6f7c097945c1602bbae27e4664004cf2139e66226f54b9499df311bdab804ebb
IcedID
a27fa7724da938df040a3e535f2be9cec4d6d93bd4f2e5ec2ba79560f84cb69c
IcedID
c394b83a255961adb3ec0c8e35b21e05ee432b3c758b25ceac7e3dc3a10486a7
IcedID
+ 99 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid campaign:1127496138 banker trojan
Link:
https://tria.ge/reports/210625-r8hcmzgvsx/
Behaviour
Suspicious behavior: EnumeratesProcesses
IcedID, BokBot
Malware Config
C2 Extraction:
feedbackportal.pro
Unpacked files
SH256 hash:
8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c6371e81814edbcd2738
MD5 hash:
dab66c277887c4fb2c55748681a768a1
SHA1 hash:
a39a2e78f941cd98542a6cd5c27d960e5e81c043
Link:
https://www.unpac.me/results/a4216266-690d-4481-a231-ee88b0cd5205/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c6371e81814edbcd2738

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_icedid_stage1
Create hunting rule
Author:Rony (@r0ny_123)
Description:Detects IcedID Photoloader
Reference:https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:IcedID
Create hunting rule
Author:@bartblaze
Description:Identifies IcedID (stage 1 and 2, loaders).
Rule name:MAL_IcedID_GZIP_LDR_202104
Create hunting rule
Author:Thomas Barabosch, Telekom Security
Description:2021 initial Bokbot / Icedid loader for fake GZIP payloads
Reference:https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Rule name:shad0w_beacon_16June
Create hunting rule
Author:SBousseaden
Description:Shad0w beacon compressed
Reference:https://github.com/bats3c/shad0w
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_iceid_gzip_ldr_202104
Create hunting rule
Author:Thomas Barabosch, Telekom Security
Description:2021 initial Bokbot / Icedid loader for fake GZIP payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168273/

Comments