MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c034a9d379bc04593523f38b2e78ee67007c0f5cc89422087a9dcb25705d5282. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c034a9d379bc04593523f38b2e78ee67007c0f5cc89422087a9dcb25705d5282
SHA3-384 hash: 160f24163951419de08931a3d965d97e51ead6cfb58102175316dc3d082c43f701914c62fac43921768a7729b93363e8
SHA1 hash: 967a78523ed4b5b6af5645580b5d406ca99247e5
MD5 hash: 52fe50c0c7d3c19eaf9b6c4a8b49100e
humanhash: black-pluto-happy-white
File name:~841140.exe
Download: download sample
Signature IcedID
Create hunting rule
File size:124'416 bytes
First seen:2020-09-14 19:36:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d666717e399a4038b5ea1fa4e008701 (1 x IcedID)
ssdeep 3072:kqXpli8Yd/8ugnfB+Xq1PjK9YhLZ6i9jubyrM8S/Om:p6duPHhLZ/jubyre/O
Threatray 403 similar samples on MalwareBazaar
TLSH 74C39D06B6D385F2E0F2083918A8DB619B3C39614A71DEBFB784152E4E345E05B36DB7
Reporter malware_traffic
Tags:exe IcedID Shathak TA551

Intelligence

File Origin
# of uploads :
1
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/59565/
Detection(s):
SecuriteInfo.com.Gen.NN.ZexaE.34242.hu0@aKd@Uqli.8682.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Connection attempt
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/465824
Signature
Allocates memory in foreign processes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains VNC / remote desktop functionality (version string found)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 285311 Sample: #U007e841140.exe Startdate: 14/09/2020 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected IcedID 2->70 72 Contains VNC / remote desktop functionality (version string found) 2->72 74 3 other signatures 2->74 8 #U007e841140.exe 2 2->8         started        12 caekebpe2.exe 2->12         started        process3 dnsIp4 50 bcertyuo.cyou 79.141.171.157, 443, 49727, 49730 HZ-UK-ASGB Bulgaria 8->50 52 77hertykol.club 8->52 80 Detected unpacking (changes PE section rights) 8->80 82 Detected unpacking (overwrites its own PE header) 8->82 84 Early bird code injection technique detected 8->84 86 5 other signatures 8->86 14 msiexec.exe 1 5 8->14         started        signatures5 process6 dnsIp7 54 bcertyuo.cyou 14->54 56 90nesokret.top 14->56 58 77hertykol.club 14->58 46 C:\Users\user\AppData\...\caekebpe2.exe, PE32 14->46 dropped 48 C:\Users\user\AppData\Local\...\sqlite64.dll, PE32+ 14->48 dropped 60 Tries to steal Mail credentials (via file access) 14->60 62 Contains functionality to detect hardware virtualization (CPUID execution measurement) 14->62 64 Tries to harvest and steal browser information (history, passwords, etc) 14->64 66 2 other signatures 14->66 19 systeminfo.exe 1 1 14->19         started        22 cmd.exe 1 14->22         started        24 net.exe 1 14->24         started        26 6 other processes 14->26 file8 signatures9 process10 signatures11 76 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->76 78 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->78 28 conhost.exe 19->28         started        30 conhost.exe 22->30         started        32 chcp.com 1 22->32         started        34 conhost.exe 24->34         started        36 net1.exe 1 24->36         started        38 conhost.exe 26->38         started        40 conhost.exe 26->40         started        42 conhost.exe 26->42         started        44 3 other processes 26->44 process12
Detection:
icedid
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c034a9d379bc04593523f38b2e78ee67007c0f5cc89422087a9dcb25705d5282/
Threat name:
Win32.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2020-09-14 19:38:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ya2ktu3zxqcfsnjd6ofs46hom4ahyd24zckcecd2txfsk4c5kkba._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
icedid
Create hunting rule
Similar samples:
0f77b1fb5f4848703da462f84d0de845268f7a1bfb6f08d59726a3e224a4567a
IcedID
379eba5d8122133d69c864cc01dd3a7be50c976be5616372dd065c2c52c08b5f
IcedID
3b95da4a63198b1250b585db653af3b21bb20cc1689bf768f042d62d815c6ee4
IcedID
485ce80c6972762a04ff59597bdd71381688c73750e1dddae91ad33e8e6f01b8
IcedID
5bc0e27e86d9a4d5e7005669c12b97b56a42ac17fb5cc93de24f38527b5e97e1
IcedID
8ce3415cbd2d4a9345a47b937a7af1eec4388d0e673ce7c701df043105b5134f
IcedID
e3be616e258172d4596cd61cbb6ec39b6e7aa0cf8138793783e21a4b6ab4c038
IcedID
f1bb1db729644b0135c8ad3e124a8d1b79755b027cda3b12c8200b31a6720069
IcedID
f9e63320c3a3c14847155de9abdbbf38e44866500402d8985312d92f149df23b
IcedID
fd9ed4c7107c4fb86d348d13f7e6c3b6c23e6c12084adc45ddfef4bc2ef2fbaf
IcedID
+ 393 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200914-5hw6b7wz5e/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/59565/

Comments