MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c
SHA3-384 hash:	9c65aeb0aabf89d3570ca5fdeaeb3e31977538f8e6a56a1c6b4738d1ad7d9754f79bb00722063c4d1c5fa01109cdeb02
SHA1 hash:	6c0cb0d21dde5ec87d30c4d15025f50ab293c062
MD5 hash:	510e0f061b1c3ff84f4cc810ff1dc6b2
humanhash:	washington-fruit-lithium-johnny
File name:	0050-1.dll
Download:	download sample
Signature	IcedID Create hunting rule
File size:	335'872 bytes
First seen:	2023-10-11 18:12:40 UTC
Last seen:	2023-10-31 16:52:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e7125b885fcd1eea77d2881eaaa53c4d (6 x IcedID)
ssdeep	6144:tN/F41OWGRkFtwxW6spj/JbUaeboh6EReEUHFmUAkHecHYKjrygmsp:t5FCOWGRayW6sAowXFmUALjKjryg
Threatray	4 similar samples on MalwareBazaar
TLSH	T1C164AE0936D80CB9EDB39238C8576945EA72BC560375D66F0360871ADF2F790A92FF21
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	k3dg3___
Tags:	404tds exe Forked IcedID

Intelligence

File Origin

# of uploads :

# of downloads :

363

Origin country :

Vendor Threat Intelligence

Malware family:

icedid

ID:

File name:

OFFER[2023.10.11_08-07].vbs

Verdict:

Malicious activity

Analysis date:

2023-10-11 18:08:51 UTC

Tags:

icedid bokbot loader

Link:

https://app.any.run/tasks/816e2ef4-38b1-4b48-9205-115dbdfd827f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/453344/

Detection(s):

SecuriteInfo.com.W64.Kryptik.CXG.tr.30246.28867.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Enabling autorun by creating a file

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b1e4a951-2589-4242-bb6e-93389f50af80

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ueqeljqxpxjsv6fttxvjh6ussyx7c4ldqhincn663yp4oxwnfqga._file

Verdict:

malicious

IcedID

76a56c8d14604cc77de9d30ff8efb7b123a9ff793aac402774e8e55040087c99

IcedID

84652a0515f73f10af71032ee2273b7c73a2dd258d797bc20be350c74ed1d00d

IcedID

8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a

IcedID

Result

Malware family:

icedid

Score:

10/10

Tags:

family:icedid campaign:361893872 banker collection spyware stealer trojan

Link:

https://tria.ge/reports/231011-wtql9sff75/

Behaviour

Discovers systems in the same network

Gathers network information

Gathers system information

Modifies registry class

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Downloads MZ/PE file

IcedID, BokBot

Unpacked files

SH256 hash:

798ae198bdcf45cd7138bf44d27cb5d9b14e47e4d9a9e6541be9fafd4b92d214

MD5 hash:

7e868fdc01742362e371ca903d64606f

SHA1 hash:

f42531a11fd04835f957346ba164967851291d1e

Detections:

IcedIDLoaderFork

Link:

https://www.unpac.me/results/5c253a95-363d-44ef-9fa2-c272c266bfeb/

Parent samples :

a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c
5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca
f324bb47090d388fca1015260f66f67b708e8451292cd5679791792c90d5b711
42cea91c813a490a0b590932c940d796fadfc97765291506813b0ae6f2a42fed
ead7621affb3dcfa1137359639f3df8060fca2e5aafd65322a7d67745726b88c
03b25f3a6a6612eca075b0253d7e8ae6ee556bb5375ab7f38b408da15c1b6af9
8901e289c92449e47212b5e6e948ee1d12e9d809af9026ea39834f595bc9f238

SH256 hash:

a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c

MD5 hash:

510e0f061b1c3ff84f4cc810ff1dc6b2

SHA1 hash:

6c0cb0d21dde5ec87d30c4d15025f50ab293c062

Link:

https://www.unpac.me/results/5c253a95-363d-44ef-9fa2-c272c266bfeb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.