MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4b2f91ae5c196d6b21e2a5eef18a319b27208aab834630b381afec32ea9455f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID
Vendor detections: 6

SHA256 hash: d4b2f91ae5c196d6b21e2a5eef18a319b27208aab834630b381afec32ea9455f
SHA3-384 hash: 3e4a8a8a71b55350bcb1a3242220c6bc8d5f392dacdfb5b5200bedcabf4e4622182c422f07532c85a293ad84692ef1f0
SHA1 hash: 550a8f6ab59068df85c90173f05e397f79899b40
MD5 hash: 572e4d2b3b85abd4072c2770b033d79e
humanhash: triple-muppet-massachusetts-mango
File name: 20220414_id75[1].dll
Signature: IcedID
File size: 284'160 bytes
First seen: 2022-04-14 16:09:06 UTC
Last seen: 2022-04-15 08:47:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 18a851301f6c135a553c6c6c0068b1fa (1 x IcedID)
ssdeep: 6144:4Q/XlfNNy0SxTKGqf2HncrE9lEBsmOBBsFR5FWi44XtF:9b2xTE2OClEBsmOTKFWp49
TLSH: T1CB54BF65F75028E6E57E813DC6637896B3F23A124995CDCF812857C31E63B71EE2AB00
TrID: 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter: k3dg3___
Tags: dll exe IcedID

Intelligence

File Origin
# of uploads: 3
# of downloads: 456
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 20220414_id75[1].dll
Verdict: No threats detected
Analysis date: 2022-04-14 17:04:59 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: suspicious
Classification: n/a
Score: 24 / 100
Signature: Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 609536; Sample: 20220414_id75[1].dll; Startdate: 14/04/2022; Architecture: WINDOWS; Score: 24; Sigma detected: Suspicious Call by Ordinal. Process tree: loaddll64.exe starts rundll32.exe, cmd.exe (which itself starts rundll32.exe) and 6 other processes; several of the rundll32.exe instances crash into WerFault.exe; one WerFault.exe instance contacts 192.168.2.1.

Threat name: Win64.Trojan.IcedID
Status: Malicious
First seen: 2022-04-14 16:10:06 UTC
File Type: PE+ (Dll)
AV detection: 15 of 26 (57.69%)
Threat level: 5/5

Verdict: unknown

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour: Program crash
Unpacked files
SHA256 hash: d4b2f91ae5c196d6b21e2a5eef18a319b27208aab834630b381afec32ea9455f
MD5 hash: 572e4d2b3b85abd4072c2770b033d79e
SHA1 hash: 550a8f6ab59068df85c90173f05e397f79899b40
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SPLCrypt
Author: James Quinn, Binary Defense
Description: Identifies SPLCrypt, a new crypter associated with Bazaloader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: SHA256 482eb6fee62ec76f3469ca77c467430df8960b63e8bb79cfa6a5cd7d18bef359 (IcedID)
This sample: Executable exe d4b2f91ae5c196d6b21e2a5eef18a319b27208aab834630b381afec32ea9455f
Delivery method: Distributed via e-mail attachment