MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bae645306145f5ca847e16add3371e197b1efbf32c8e63dbb3c14726446ca975. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bae645306145f5ca847e16add3371e197b1efbf32c8e63dbb3c14726446ca975
SHA3-384 hash: 4f4a404caceb11564be3a24ba03dd3cc1a1c4b7cd3eb899c0d73fea9f2b962996432c31f93a9198dfbde3fd7309f7c6a
SHA1 hash: 611266dd7611b9fbfa37c6850817efa0db0ed383
MD5 hash: 2103d55a7757a9941c46dcdb1fcd99c0
humanhash: delta-ohio-lemon-uniform
File name:Payment_02_16_#522.one
Download: download sample
Signature IcedID
Create hunting rule
File size:109'728 bytes
First seen:2023-02-16 17:38:24 UTC
Last seen:Never
File type:Microsoft OneNote (one) one
MIME type:application/octet-stream
ssdeep 1536:L+3tBXvjIc2eYO5ogsOTc3/7+M9IvYPRluYv4gjuCnahRIyCJ4wIQtQ0X:LuDb/2jQocc3D0YZluG4gqQyCJ4wIYlX
TLSH T126B3F1BAE960408CCA26A53DCD3E8FCB7737950159A49A0FDFB626397CF45488E41B0D
Reporter k3dg3___
Tags:1953131356 azergapolak IcedID one

Intelligence

File Origin
# of uploads :
1
# of downloads :
661
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilDoc.OneNotePkillExeExtDetonationRulingTheNation.20230125.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63ee6a37c7a082600e46454e/reports/9197e64e-5aa6-4169-9358-65f2e0d82a4b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/bae645306145f5ca847e16add3371e197b1efbf32c8e63dbb3c14726446ca975
Result
Verdict:
UNKNOWN
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1177156
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Malicious sample detected (through community Yara rule)
Powershell drops PE file
Sigma detected: Execute DLL with spoofed extension
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 809977 Sample: Payment_02_16_#522.one Startdate: 16/02/2023 Architecture: WINDOWS Score: 96 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 Yara detected IcedID 2->40 42 3 other signatures 2->42 8 ONENOTE.EXE 47 364 2->8         started        process3 file4 30 C:\Users\user\...\638121336423209150.cmd, ASCII 8->30 dropped 11 cmd.exe 1 8->11         started        13 ONENOTEM.EXE 1 8->13         started        process5 process6 15 rundll32.exe 11->15         started        17 powershell.exe 15 16 11->17         started        22 conhost.exe 11->22         started        dnsIp7 24 rundll32.exe 15->24         started        32 healthelevation360.com 72.167.65.68, 443, 49696 AS-26496-GO-DADDY-COM-LLCUS United States 17->32 28 C:\ProgramData\xLeI.jpg, PE32+ 17->28 dropped 44 Powershell drops PE file 17->44 file8 signatures9 process10 dnsIp11 34 azergapolak.com 162.33.177.93, 49697, 80 CORENETUS United States 24->34 46 System process connects to network (likely due to code injection or exploit) 24->46 48 Tries to detect virtualization through RDTSC time measurements 24->48 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bae645306145f5ca847e16add3371e197b1efbf32c8e63dbb3c14726446ca975/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-16 17:39:06 UTC
File Type:
Document
AV detection:
7 of 25 (28.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230216-v793dsah37/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops startup file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
IcedID
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/bae645306145f5ca847e16add3371e197b1efbf32c8e63dbb3c14726446ca975

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:onenote_file
Create hunting rule
Description:Microsoft Onenote File
Rule name:OneNote_magic
Create hunting rule
Author:Stuart Gonzalez
Rule name:SUSP_OneNote
Create hunting rule
Author:spatronn
Description:Hard-Detect One

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

IcedID

Microsoft OneNote (one) one bae645306145f5ca847e16add3371e197b1efbf32c8e63dbb3c14726446ca975

(this sample)

IcedID

Executable exe 168e8a92e64f024346dd703ed9356f4e0bdf7d2130048e68da36291bbc9421a1

  
Dropping
SHA256 168e8a92e64f024346dd703ed9356f4e0bdf7d2130048e68da36291bbc9421a1
  
Delivery method
Distributed via e-mail attachment
  
Dropping
MD5 c8e0e743397406f6c7c15588ef767fda

Comments