MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d97e7f1227990482a012744446a595d0da9efd4664f1526bcd83f417a0a4efdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d97e7f1227990482a012744446a595d0da9efd4664f1526bcd83f417a0a4efdf
SHA3-384 hash: 5913aed09223eacba8653b3ab2050b3a63cdb1cd18094da9c1ab4b6aec55899c2fa5ae9d25f91593b236b0a3f6bcf670
SHA1 hash: ab0a69cdaa00c2972fc406d795f3ab07deb709bb
MD5 hash: 39203e1f1d908681f4d0149c759f77e7
humanhash: west-ceiling-georgia-network
File name:39203e1f1d908681f4d0149c759f77e7.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:170'496 bytes
First seen:2022-09-14 17:05:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3cf5cca2a9312a1985804cbce39fd3c0 (1 x IcedID)
ssdeep 3072:wkWom2D5IER4ug1vWTGrPgyC7k6dA8yndroT8z:w39tE6ug1Z8FoUA8yd8Q
Threatray 888 similar samples on MalwareBazaar
TLSH T1D0F37CD8B6D27163C7B735B840AF6107F136A8EAB50C8C51F068D9E16D34A44A07BF6E
TrID 37.7% (.SCR) Windows screen saver (13101/52/3)
30.3% (.EXE) Win64 Executable (generic) (10523/12/4)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.8% (.EXE) OS/2 Executable (generic) (2029/13)
5.7% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:dll exe IcedID


Avatar
abuse_ch
IcedID C2:
trakonicwe.com

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
trakonicwe.com https://threatfox.abuse.ch/ioc/848450/

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310071/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44441.15838.20640.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e8bc806-6678-46d3-be56-b6df02b63ec0
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1070458
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d97e7f1227990482a012744446a595d0da9efd4664f1526bcd83f417a0a4efdf/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2022-09-13 14:50:41 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
21 of 40 (52.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3f7h6erhtecifiasorcenjmv2dnj57kgmtyve26nqp2bpife57pq._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
3d58868239cba5ec29807d936e5ce35aa1f744084f553d4cbcef913caa6facb3
IcedID
4b312a119321503383fbf9aaf65659046656096a7551d5a581f5cbb0055493c3
IcedID
4ed8f43ba4289ed2e69b6055f5f8f66ec7910e72120895baff71dd6c57a6ca6e
IcedID
670790c8b4649865ef391bac63417c00ffbaa203c5df36d6c9720832b0949dcb
IcedID
88106951a7b882df60bdfc84cb5c568a005cd894138024dc3bbbad904e185898
IcedID
998d55533cc5b6e5941855da20318440d40bc3a1a59f335446399434732c979b
IcedID
b6e6c2de1242dd497c8fe4b115ea61b7c72cefefa4d2a0a1537381743c370b4b
IcedID
fd0e07ec492cb76abaca206083a13f5cad0a3ed563495c852f13b4876e63974c
IcedID
fd46ad3ef89011b4ec6eb3709f903f5212d94c98ab81296d5664b82e7f9d6493
IcedID
+ 878 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid campaign:2245380894 banker loader trojan
Link:
https://tria.ge/reports/220914-vmdtfsahd3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Blocklisted process makes network request
IcedID, BokBot
Malware Config
C2 Extraction:
trakonicwe.com
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aad9b3d9-a7a8-4bca-96af-07457ec3978f
Unpacked files
SH256 hash:
d97e7f1227990482a012744446a595d0da9efd4664f1526bcd83f417a0a4efdf
MD5 hash:
39203e1f1d908681f4d0149c759f77e7
SHA1 hash:
ab0a69cdaa00c2972fc406d795f3ab07deb709bb
Link:
https://www.unpac.me/results/22eb307d-d456-49a3-ae8f-f6f6c7a928b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
IcedID
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/d97e7f1227990482a012744446a595d0da9efd4664f1526bcd83f417a0a4efdf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_icedid_stage1
Create hunting rule
Author:Rony (@r0ny_123)
Description:Detects IcedID photoloader
Reference:https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html
Rule name:IcedIDLoader
Create hunting rule
Author:kevoreilly, threathive, enzo
Description:IcedID Loader
Rule name:IcedID_init_loader
Create hunting rule
Author:@bartblaze
Description:Identifies IcedID (stage 1 and 2, initial loaders).
Rule name:MALWARE_Win_IceID
Create hunting rule
Author:ditekSHen
Description:Detects IceID / Bokbot variants
Rule name:MAL_IcedID_GZIP_LDR_202104
Create hunting rule
Author:Thomas Barabosch, Telekom Security
Description:2021 initial Bokbot / Icedid loader for fake GZIP payloads
Reference:https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:SPLCrypt
Create hunting rule
Author:James Quinn, Binary Defense
Description:Identifies SPLCrypt, a new crypter associated with Bazaloader
Rule name:win_iceid_gzip_ldr_202104
Create hunting rule
Author:Thomas Barabosch, Telekom Security
Description:2021 initial Bokbot / Icedid loader for fake GZIP payloads
Rule name:win_photoloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.photoloader.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/310071/

Comments