MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4046a6848ea2380e32ddf5aa6de79e4c16d0e2e16ecf942ff97287e725f32c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: IcedID
Vendor detections: 5



SHA256 hash: b4046a6848ea2380e32ddf5aa6de79e4c16d0e2e16ecf942ff97287e725f32c7
SHA3-384 hash: d239e5c8ec47380e79837aae866c82cb1b6db8c719ca35ca4570a3eeaaa2f354e42d1ea76d4d53d30bb8d1128ee50f39
SHA1 hash: 2389ec8e06fe1d1bed70f175730371b9ef66a94d
MD5 hash: 065984604a9f9976cb7a81a7a0b6a944
humanhash: princess-pennsylvania-sodium-undress
File name: personal_data#6509.html
Signature: IcedID
File size: 287'522 bytes
First seen: 2022-11-02 14:47:44 UTC
Last seen: Never
File type: html
MIME type: text/html
ssdeep: 6144:bmB+LMfGGVYu5G/mNj3D7A9Ia7OVnUKv9vmzngeiZGQSyR/R:bRMfGWl6gn39N/R
TLSH: T1FF5412499628A7EACB94691D04BD361F37A01DA98097E8C0FF9FEC035FAEE00511B9D4
Reporter: k3dg3___
Tags: 3479236560 html IcedID

Intelligence


File Origin
# of uploads: 1
# of downloads: 230
Origin country: n/a
Vendor Threat Intelligence

Result 1
  Verdict: Malicious
  Threat level: 10/10
  Confidence: 100%
  Tags: qbot

Result 2
  Verdict: UNKNOWN

Result 3
  Threat name: HtmlDropper, IcedID
  Detection: malicious
  Classification: troj.evad
  Score: 100 / 100
Signatures (Result 3)
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses 7zip to decompress a password protected archive
Yara detected Html Dropper
Yara detected IcedID
Behaviour

Behavior Graph ID: 736225
Sample: personal_data#6509.html
Start date: 02/11/2022
Architecture: WINDOWS
Score: 100

Signatures on the sample node:
  Snort IDS alert for network traffic
  Malicious sample detected (through community Yara rule)
  Yara detected Html Dropper
  2 other signatures

Process tree (reconstructed from the flattened graph):
  chrome.exe
    network: 192.168.2.1 (unknown), 239.255.255.250 (Reserved)
    chrome.exe
      network: clients.l.google.com 142.250.147.102, port 443 (source port 49699), GOOGLEUS, United States
      network: www.google.com 142.250.147.147, port 443 (source ports 49705, 49742), GOOGLEUS, United States
      network: 3 other IPs or domains
    unarchiver.exe
      signature: Uses 7zip to decompress a password protected archive
      cmd.exe
        dropped file: C:\Users\user\AppData\...\mischiefWrecks.exe (PE32)
        mischiefWrecks.exe
          rundll32.exe
            network: hardenpasedaken.com 165.232.156.81, ports 49737, 49738, 49739, ALLEGHENYHEALTHNETWORKUS, United States
            signature: System process connects to network (likely due to code injection or exploit)
            signature: Contains functionality to detect hardware virtualization (CPUID execution measurement)
            signature: Tries to detect virtualization through RDTSC time measurements
        conhost.exe
      cmd.exe
        powershell.exe
        conhost.exe
      7za.exe
        conhost.exe
  chrome.exe
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: html_auto_download_b64
Author: Tdawg
Description: html auto download

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Context tags: Malspam, IcedID

Relationships:
  html b4046a6848ea2380e32ddf5aa6de79e4c16d0e2e16ecf942ff97287e725f32c7 (this sample)
    Dropping -> SHA256 08f355f7dca50d30cd288735151a4e6d5dfb5bf2336be6e4f3b44ba881e4b721

Delivery method: Distributed via e-mail attachment

Comments