MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d25e3a7ed538968e9b78367cd8f8d20f8f55471a1eb27aae2774272fc8c1c1ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d25e3a7ed538968e9b78367cd8f8d20f8f55471a1eb27aae2774272fc8c1c1ce
SHA3-384 hash: 4865424d99bf1fa46d1a2efa0ce0576a573fcaaa7e63c505e400078dcc7f68ebc030f0e4aed362e1047f23968c11a45f
SHA1 hash: e107a9d8fdf4640eaaab929a447e7229f0bf6abd
MD5 hash: bf7b51974d9c8e90ac663f56b088db7c
humanhash: eleven-glucose-zulu-high
File name:~19228000.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:125'952 bytes
First seen:2020-11-12 00:12:29 UTC
Last seen:2024-07-24 21:43:15 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash d073c44d6ffc37d97bdaa1c33a644c15 (3 x IcedID)
ssdeep 3072:uraX0zF2V7yfDyrcQiQ+QWUR++882w8kQ6ls0:uraX0RY76ObRtQpUC
Threatray 648 similar samples on MalwareBazaar
TLSH 9BC37C4071E185B0F1AF0A3E0466DA054BBEBD61DE789DFB3BC4158B4A752C16E32B63
Reporter malware_traffic
Tags:dll IcedID


Avatar
malware_traffic
run method: regsvr32.exe /s [filename]

Intelligence

File Origin
# of uploads :
4
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BScope.TrojanSpy.Ursnif.9517.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Connection attempt
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/531066
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d25e3a7ed538968e9b78367cd8f8d20f8f55471a1eb27aae2774272fc8c1c1ce/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 00:29:07 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
3dfb74874b9c0b32b66ce96a97170fc430fed51a7cfdbf361e6c4febe2935e5d
IcedID
485ce80c6972762a04ff59597bdd71381688c73750e1dddae91ad33e8e6f01b8
IcedID
5bc0e27e86d9a4d5e7005669c12b97b56a42ac17fb5cc93de24f38527b5e97e1
IcedID
818076cbf3b8323b674d476b2862b3495cddcc13ef957f5bd9ec7f18bd436791
IcedID
a24c5d4c11f1d46b03ae1539df341c7247e1f8809b27a3b873449a1be218bd1e
IcedID
ba4253b54cb921073ad49e34cf931ca6f1bcdd79a53366f36240d42b7f132ccb
IcedID
c034a9d379bc04593523f38b2e78ee67007c0f5cc89422087a9dcb25705d5282
IcedID
dc376b4c1d4acbdd5101df5d51bac34cc147b6fd499d741bc68145016fb3c574
IcedID
e75612b515f036b54d63ed2efa45afc9b167b78116d65a77b1f0fa69674ed51f
IcedID
f56ea10521a52f78bedbf51c0bbdf9c894e473a73f1da8d388afc85b4c95f727
IcedID
+ 638 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid banker trojan
Link:
https://tria.ge/reports/201112-eamjxg4x3j/
Behaviour
Suspicious use of WriteProcessMemory
Blacklisted process makes network request
IcedID Core Payload
IcedID, BokBot
Unpacked files
SH256 hash:
158273ee9685f21d69efdba710888f3f1c4279a8f29897cf8113f69c40170f98
MD5 hash:
4d693bda084374a8d1afb9c209ab2acc
SHA1 hash:
d656dbc04cc85ff04939150ea44c386a49294d8f
Link:
https://www.unpac.me/results/e7498fdf-dd97-4599-bf64-603d6ee39b74/
SH256 hash:
d25e3a7ed538968e9b78367cd8f8d20f8f55471a1eb27aae2774272fc8c1c1ce
MD5 hash:
bf7b51974d9c8e90ac663f56b088db7c
SHA1 hash:
e107a9d8fdf4640eaaab929a447e7229f0bf6abd
Link:
https://www.unpac.me/results/e7498fdf-dd97-4599-bf64-603d6ee39b74/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_banker_iceid_ldr1
Create hunting rule
Author:@VK_Intel
Description:Detects IcedId/BokBot png loader (unpacked)
Reference:twitter

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments