MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba4253b54cb921073ad49e34cf931ca6f1bcdd79a53366f36240d42b7f132ccb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID


Vendor detections: 5



SHA256 hash: ba4253b54cb921073ad49e34cf931ca6f1bcdd79a53366f36240d42b7f132ccb
SHA3-384 hash: 8ffba779716ed1ef81b2b28a66e594b1b448e0f6c064c48d9f83de670481a7bbfa9c714d3c719ccb2d1c623fe7056e00
SHA1 hash: ba359b6d55462dd24ea6b93262595a804e7071d6
MD5 hash: 2c6693548df92baf03c481151ea6d64b
humanhash: sodium-ohio-vegan-green
File name: circle.dll
Signature: IcedID
File size: 304'128 bytes
First seen: 2020-10-21 22:17:17 UTC
Last seen: 2020-10-21 23:19:50 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: a29324cde448adf2c5c9a401867cc147 (2 x IcedID)
ssdeep: 6144:NPGeMzGiWopc+wcBinI2qp1huN9Cfequr88hAAO1RKNgt7pD:NPlMzGd+9wntquN9O288ugKt7pD
Threatray: 33 similar samples on MalwareBazaar
TLSH: B4547C01B592C036D5BE42381835DAE90ABD7C650F61DCEBB3D81E2F5E765C29B34E22
Reporter: malware_traffic
Tags: dll IcedID Shathak TA551

Intelligence


File Origin
# of uploads: 2
# of downloads: 144
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
DNS request
Sending a custom TCP request
Connection attempt
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains VNC / remote desktop functionality (version string found)
Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected IcedID
Behaviour
Behavior Graph ID: 302325
Sample: circle.dll
Startdate: 22/10/2020
Architecture: WINDOWS
Score: 96
Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected IcedID; Contains VNC / remote desktop functionality (version string found)
Process tree (recovered from the behavior graph):
loaddll32.exe (started)
  rundll32.exe (started by loaddll32.exe): connects to filopipilo.top 159.65.114.23, port 443, local ports 49759 and 49760 (DIGITALOCEAN-ASN, US, United States); signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Writes to foreign memory regions; Allocates memory in foreign processes; Queues an APC in another process (thread injection)
    msiexec.exe (started by rundll32.exe): DNS request for filopipilo.top; dropped file C:\Users\user\AppData\Local\...\Uhahicba.dll (PE32); signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Tries to detect virtualization through RDTSC time measurements
  rundll32.exe (second instance, started by loaddll32.exe): System process connects to network (likely due to code injection or exploit)
regsvr32.exe (started)
  regsvr32.exe (started by regsvr32.exe): Early bird code injection technique detected; Tries to detect virtualization through RDTSC time measurements
    msiexec.exe (started by regsvr32.exe)
Threat name: Win32.Trojan.IcedID
Status: Malicious
First seen: 2020-10-20 17:19:00 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: trojan banker family:icedid
Behaviour
Suspicious use of WriteProcessMemory
Blacklisted process makes network request
IcedID Core Payload
IcedID, BokBot
Unpacked files
SHA256 hash: 84f90b50e6bb1c920756cc18a39a622294fff2cb44dc8fc78187e63fcd9ec137
MD5 hash: b80220be666ccc1fd46a20464884a47f
SHA1 hash: 0494c57d772cf35f578fcbae8002c035134ca5e9
SHA256 hash: ba4253b54cb921073ad49e34cf931ca6f1bcdd79a53366f36240d42b7f132ccb
MD5 hash: 2c6693548df92baf03c481151ea6d64b
SHA1 hash: ba359b6d55462dd24ea6b93262595a804e7071d6
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win32_banker_iceid_ldr1
Author: @VK_Intel
Description: Detects IcedId/BokBot png loader (unpacked)
Reference: twitter

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments