MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd67e49c2ca15156c54956655928723063eca5b4d90ae22dd6ce1029ba596b35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 16

Intelligence 16 IOCs YARA 10 File information Comments

SHA256 hash:	bd67e49c2ca15156c54956655928723063eca5b4d90ae22dd6ce1029ba596b35
SHA3-384 hash:	6959ce2f4ba181558cb9c93a4ebf3fa6af73a1120ccbdeaa959d6bbbeb0754cf4e92deb443d3eb2e20d1eb03afe50209
SHA1 hash:	f12d6a892debcfeec812108ea8913eb6d09bbdc4
MD5 hash:	823e6ec59140043e4e850e4016018a77
humanhash:	cola-mirror-mango-nineteen
File name:	Setup_Win_18-01-2023_17-44-13-deflated.exe
Download:	download sample
Signature	IcedID Create hunting rule
File size:	453'896 bytes
First seen:	2023-01-18 18:53:29 UTC
Last seen:	2023-01-18 20:29:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fbfcf00c38af43c32deb15a93d741895 (2 x IcedID)
ssdeep	6144:1zzkhbh8r2y6gudO7sBdvkJ5mXWboh4cd1gJkrW4MqR823v1djjJIAOV4Eq:1EhbGjyY7sncGXWbo3d9MqRnjjGAnR
Threatray	1'311 similar samples on MalwareBazaar
TLSH	T191A4BF0633A50CF6ED73827CC8524A49E672BC1517A0D6EF07906B5B6F336D06E3AB61
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	00709070f0995c5c (2 x IcedID)
Reporter	malware_traffic
Tags:	3248465841 BokBot exe IcedID qsertopinajil.com

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

Vendor Threat Intelligence

Malware family:

icedid

ID:

File name:

Setup_Win_18-01-2023_17-44-13-deflated.exe

Verdict:

Malicious activity

Analysis date:

2023-01-18 18:05:05 UTC

Tags:

trojan icedid

Link:

https://app.any.run/tasks/b3da3c6b-709c-4ae3-a89d-ee7092ef4dea

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

IcedIDLoader

Link:

https://www.capesandbox.com/analysis/354237/

Detection(s):

SecuriteInfo.com.Mal.Generic-S.468.30148.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

DNS request

Sending an HTTP GET request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/61276/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/63c8404b8352dc7065e3991e/reports/f8555110-92f0-439b-b964-6316185eeff8/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

IcedID

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/099e1a1f-ac70-4ed4-a647-cc48ec4d706f

Result

Threat name:

IcedID

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1154108

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Malicious sample detected (through community Yara rule)

Tries to detect virtualization through RDTSC time measurements

Yara detected IcedID

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bd67e49c2ca15156c54956655928723063eca5b4d90ae22dd6ce1029ba596b35/

Threat name:

Win64.Trojan.IcedID

Status:

Malicious

First seen:

2023-01-18 18:54:08 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xvt6jhbmufivnrkjkzsvskdsgbr6zjnu3efoelowzyictosznm2q._file

Verdict:

malicious

Label(s):

icedid

IcedID

2a7176a246d4d5108c1d9efcff7ae86e3c95345379e53226175968ec306a3c47

IcedID

99dfb7baafec050861e152a036af86fc0c7663f3c719d58a56dfd9f06f4b8cef

IcedID

a5f81b3f092a05dc7026957e5d716e5976a38b152d1823ac76b84e189aa4a75b

IcedID

b1d89aa18cd6e5e8e007713b1f79ae72238e85211c19d403b02ace2eac464e67

IcedID

ca04842f4ead02f9ca4bb59856102b738ce2fb10bf18a4e087284e5a1b4d1380

IcedID

ef5d3b474470570f295a378846d2487807e9c493a11c772852b9f0b53b0ff376

IcedID

f0bd3ee5f750d9bff17c13acfcdd96ab42e194319d766053104dee666b58e7bb

IcedID

+ 1'301 additional samples on MalwareBazaar

Result

Malware family:

icedid

Score:

10/10

Tags:

family:icedid campaign:3248465841 banker loader trojan

Link:

https://tria.ge/reports/230118-xj7ngafd63/

Behaviour

Suspicious behavior: EnumeratesProcesses

IcedID, BokBot

Malware Config

C2 Extraction:

qsertopinajil.com

Unpacked files

SH256 hash:

98984bc4bd9af65911d9102bde5cae341ffb9bcc913aca1fe69093466176a058

MD5 hash:

a5cb0c13aa09ee206322ad2ae74f43c6

SHA1 hash:

bc34697bd203914c04727b1f3482e46e11ce05fc

Detections:

win_photoloader_a0

win_photoloader_auto

Link:

https://www.unpac.me/results/f3469e95-b93f-46f1-9226-927d5513ab56/

Parent samples :

bd67e49c2ca15156c54956655928723063eca5b4d90ae22dd6ce1029ba596b35
b1ef43379c1af0ed2bbc2dd710df65a550b3b80cce1b734438e20c64f1d5a42e

SH256 hash:

bd67e49c2ca15156c54956655928723063eca5b4d90ae22dd6ce1029ba596b35

MD5 hash:

823e6ec59140043e4e850e4016018a77

SHA1 hash:

f12d6a892debcfeec812108ea8913eb6d09bbdc4

Link:

https://www.unpac.me/results/f3469e95-b93f-46f1-9226-927d5513ab56/

Malware family:

IcedID

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bd67e49c2ca1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

IcedID

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/bd67e49c2ca15156c54956655928723063eca5b4d90ae22dd6ce1029ba596b35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	crime_win32_icedid_stage1 Create hunting rule
Author:	Rony (@r0ny_123)
Description:	Detects IcedID photoloader
Reference:	https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html

Rule name:	IcedIDLoader Create hunting rule
Author:	kevoreilly, threathive, enzo
Description:	IcedID Loader

Rule name:	IcedID_init_loader Create hunting rule
Author:	@bartblaze
Description:	Identifies IcedID (stage 1 and 2, initial loaders).

Rule name:	MALWARE_Win_IceID Create hunting rule
Author:	ditekSHen
Description:	Detects IceID / Bokbot variants

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_IcedID_0b62e783 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_IcedID_48029e37 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_IcedID_91562d18 Create hunting rule
Author:	Elastic Security

Rule name:	win_photoloader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.photoloader.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/354237/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample