MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1ef43379c1af0ed2bbc2dd710df65a550b3b80cce1b734438e20c64f1d5a42e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 17

Intelligence 17 IOCs YARA 10 File information Comments

SHA256 hash:	b1ef43379c1af0ed2bbc2dd710df65a550b3b80cce1b734438e20c64f1d5a42e
SHA3-384 hash:	0c08cfd8bad526c6c7f0fa084f6a2dd74c83be7f39196c00ab3221237f7fe06afe85445c6b0b62dc61e68a1d03af516b
SHA1 hash:	13ca26df9e0f7fb04596cbf52aa542a54d0a2e10
MD5 hash:	55fabc6b83edfba269d697a7973cb837
humanhash:	pluto-illinois-quebec-burger
File name:	SetupWin18-01-202317-44-13.exe
Download:	download sample
Signature	IcedID Create hunting rule
File size:	441'856 bytes
First seen:	2023-01-19 03:30:37 UTC
Last seen:	2023-01-19 05:27:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fbfcf00c38af43c32deb15a93d741895 (2 x IcedID)
ssdeep	6144:1zzkhbh8r2y6gudO7sBdvkJ5mXWboh4cd1gJkrW4MqR823v1djjJIAOVY:1EhbGjyY7sncGXWbo3d9MqRnjjGAH
Threatray	1'313 similar samples on MalwareBazaar
TLSH	T14494BE0633A50CF6EC73827CC8524A49E672BC1517A1D6EF0790AB5B6F336D06D3AB61
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	00709070f0995c5c (2 x IcedID)
Reporter	abuse_ch
Tags:	exe IcedID

abuse_ch

IcedID C2:
qsertopinajil.com

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

icedid

ID:

File name:

SetupWin18-01-202317-44-13.exe

Verdict:

Malicious activity

Analysis date:

2023-01-19 03:32:38 UTC

Tags:

trojan icedid

Link:

https://app.any.run/tasks/7b71fb1f-b06b-4f8e-84f2-6415c66c2ef1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

IcedIDLoader

Link:

https://www.capesandbox.com/analysis/354343/

Detection(s):

SecuriteInfo.com.Win64.BotX-gen.15935.5698.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending an HTTP GET request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/61356/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

No Threat

Threat level:

2/10

Confidence:

67%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63c8b97ce56ca96f6d502e17/reports/7c0a479a-a4ec-443a-9079-93d31a098c41/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

IcedID

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/26c1bbb4-1d4b-481c-8866-d06ca2825574

Result

Threat name:

IcedID

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1154372

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected IcedID

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b1ef43379c1af0ed2bbc2dd710df65a550b3b80cce1b734438e20c64f1d5a42e/

Threat name:

Win64.Trojan.IcedID

Status:

Malicious

First seen:

2023-01-19 03:31:10 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=whxugn44dlyo2k54fxlrbx3fuvilhoamzynxgrby4iggj4ovuqxa._file

Verdict:

malicious

Label(s):

icedid

IcedID

99dfb7baafec050861e152a036af86fc0c7663f3c719d58a56dfd9f06f4b8cef

IcedID

b1d89aa18cd6e5e8e007713b1f79ae72238e85211c19d403b02ace2eac464e67

IcedID

bd67e49c2ca15156c54956655928723063eca5b4d90ae22dd6ce1029ba596b35

IcedID

ca04842f4ead02f9ca4bb59856102b738ce2fb10bf18a4e087284e5a1b4d1380

IcedID

ef5d3b474470570f295a378846d2487807e9c493a11c772852b9f0b53b0ff376

IcedID

f0bd3ee5f750d9bff17c13acfcdd96ab42e194319d766053104dee666b58e7bb

IcedID

+ 1'303 additional samples on MalwareBazaar

Result

Malware family:

icedid

Score:

10/10

Tags:

family:icedid campaign:3248465841 banker loader trojan

Link:

https://tria.ge/reports/230119-d23bxseb36/

Behaviour

Suspicious behavior: EnumeratesProcesses

IcedID, BokBot

Malware Config

C2 Extraction:

qsertopinajil.com

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8d15b549-245a-478c-a8f3-549064f5713c

Unpacked files

SH256 hash:

98984bc4bd9af65911d9102bde5cae341ffb9bcc913aca1fe69093466176a058

MD5 hash:

a5cb0c13aa09ee206322ad2ae74f43c6

SHA1 hash:

bc34697bd203914c04727b1f3482e46e11ce05fc

Detections:

win_photoloader_a0

win_photoloader_auto

Link:

https://www.unpac.me/results/b84a9d1e-6322-4969-a0e2-2e775c634a1d/

Parent samples :

bd67e49c2ca15156c54956655928723063eca5b4d90ae22dd6ce1029ba596b35
b1ef43379c1af0ed2bbc2dd710df65a550b3b80cce1b734438e20c64f1d5a42e

SH256 hash:

b1ef43379c1af0ed2bbc2dd710df65a550b3b80cce1b734438e20c64f1d5a42e

MD5 hash:

55fabc6b83edfba269d697a7973cb837

SHA1 hash:

13ca26df9e0f7fb04596cbf52aa542a54d0a2e10

Link:

https://www.unpac.me/results/b84a9d1e-6322-4969-a0e2-2e775c634a1d/

Malware family:

IcedID

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b1ef43379c1a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

IcedID

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/b1ef43379c1af0ed2bbc2dd710df65a550b3b80cce1b734438e20c64f1d5a42e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	crime_win32_icedid_stage1 Create hunting rule
Author:	Rony (@r0ny_123)
Description:	Detects IcedID photoloader
Reference:	https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html

Rule name:	IcedIDLoader Create hunting rule
Author:	kevoreilly, threathive, enzo
Description:	IcedID Loader

Rule name:	IcedID_init_loader Create hunting rule
Author:	@bartblaze
Description:	Identifies IcedID (stage 1 and 2, initial loaders).

Rule name:	MALWARE_Win_IceID Create hunting rule
Author:	ditekSHen
Description:	Detects IceID / Bokbot variants

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_IcedID_0b62e783 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_IcedID_48029e37 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_IcedID_91562d18 Create hunting rule
Author:	Elastic Security

Rule name:	win_photoloader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.photoloader.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/354343/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample