MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d990bd3e807d60e7f8cf83b8e19a55f454f64182d190acf8ea24070418892d22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d990bd3e807d60e7f8cf83b8e19a55f454f64182d190acf8ea24070418892d22
SHA3-384 hash: 37f77624de5f3d99c6f1c4559bd98c5c1ac94c7f674b3b246fbfb4a7d7a65ca3721f77c3466795fc29d1ce37808f74d4
SHA1 hash: 1b27e007b0b55f3e39a79403b8c8229b64f90135
MD5 hash: cc45b7ef958eb814cbd250a499d6430b
humanhash: pizza-summer-lactose-georgia
File name:triage_dropped_file
Download: download sample
Signature IcedID
Create hunting rule
File size:118'919 bytes
First seen:2021-12-21 15:56:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 08dc3d43b276021a0704807103d3924a (12 x IcedID, 1 x BazaLoader)
ssdeep 3072:gEyAY5oxtdwlClN6lkYfZ+gwmWPhZbsv2hV04sl2+:gMYIimYf4mWbbk1/
Threatray 101 similar samples on MalwareBazaar
TLSH T16AC37C1B32A5007BE5768278C8634A55D7B7BC1217119FEF03A483A51E277E0AE3AF71
Reporter malwarelabnet
Tags:exe IcedID

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
triage_dropped_file
Verdict:
No threats detected
Analysis date:
2021-12-21 15:59:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1c707ba9-a3d8-4648-b6a6-3bf0a4c787db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2857/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay
Link:
https://www.filescan.io/uploads/61c1f950ec6c6c14a9e7db32/reports/8ee8dde7-b7c0-442f-bbec-8378164d37cf/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a22facb3-461f-435d-97bf-c9896281379c
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/911071
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found malware configuration
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 543549 Sample: triage_dropped_file Startdate: 21/12/2021 Architecture: WINDOWS Score: 96 51 Found malware configuration 2->51 53 Antivirus detection for URL or domain 2->53 55 Yara detected IcedID 2->55 57 2 other signatures 2->57 7 loaddll64.exe 1 2->7         started        process3 dnsIp4 31 grendafolz.com 7->31 33 tp.8e49140c2-frontier.amazon.com 7->33 35 2 other IPs or domains 7->35 65 Contains functionality to detect hardware virtualization (CPUID execution measurement) 7->65 67 Tries to detect virtualization through RDTSC time measurements 7->67 11 cmd.exe 1 7->11         started        13 regsvr32.exe 7->13         started        17 rundll32.exe 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 21 rundll32.exe 11->21         started        37 tp.8e49140c2-frontier.amazon.com 13->37 45 2 other IPs or domains 13->45 69 Contains functionality to detect hardware virtualization (CPUID execution measurement) 13->69 71 Tries to detect virtualization through RDTSC time measurements 13->71 39 tp.8e49140c2-frontier.amazon.com 17->39 47 2 other IPs or domains 17->47 73 System process connects to network (likely due to code injection or exploit) 17->73 41 grendafolz.com 185.99.133.24, 49760, 49762, 49764 ZAPPIE-HOST-ASZappieHostGB Belarus 19->41 43 tp.8e49140c2-frontier.amazon.com 19->43 49 5 other IPs or domains 19->49 signatures8 process9 dnsIp10 25 grendafolz.com 21->25 27 dr49lng3n1n2s.cloudfront.net 65.9.75.70, 443, 49757, 49758 AMAZON-02US United States 21->27 29 2 other IPs or domains 21->29 59 System process connects to network (likely due to code injection or exploit) 21->59 61 Contains functionality to detect hardware virtualization (CPUID execution measurement) 21->61 63 Tries to detect virtualization through RDTSC time measurements 21->63 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d990bd3e807d60e7f8cf83b8e19a55f454f64182d190acf8ea24070418892d22/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2021-12-21 15:57:09 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
2329018641118f8138f32a49b862312cb416c939854bb8fc953e08a5e25ced1d
IcedID
3839ea5f86c4ebc8036ab26cfee2b0e05893a6b276d39ba23b75980c4db4c8a4
IcedID
4a5f37ff394af7a750b1933c3e77b927043e933bfa715c917c824fbc645c940c
IcedID
6b213066b6c0587a9fdddd47ea81be8cfb05b58d90f0a4dce03260e0dde8eca8
IcedID
6c710694d270db91b550daf3177622514d2444e7484fb7a16aa2651cc20eb981
IcedID
8c8844cdcee69f1ad7b34bf10a07f246d97420948c9d42b93e996abccc916a14
IcedID
8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c6371e81814edbcd2738
IcedID
bace5399828edd5f5de4c7384a25a49d74069a35e2e97b295325db9509553379
IcedID
cdaed6e6cdcbde86a775f0fa3be338b4dd9e11a6bb418464287ed8a28fb7c429
IcedID
d5a4fcb0e552cad22b1a907e874295b08e83d58bd83f9b4788c90aaad263cd87
IcedID
+ 91 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid campaign:1778413602 banker suricata trojan
Link:
https://tria.ge/reports/211221-tdxpjaegbq/
Behaviour
Suspicious behavior: EnumeratesProcesses
IcedID, BokBot
suricata: ET MALWARE Win32/IcedID Request Cookie
Malware Config
C2 Extraction:
grendafolz.com
Unpacked files
SH256 hash:
d990bd3e807d60e7f8cf83b8e19a55f454f64182d190acf8ea24070418892d22
MD5 hash:
cc45b7ef958eb814cbd250a499d6430b
SHA1 hash:
1b27e007b0b55f3e39a79403b8c8229b64f90135
Link:
https://www.unpac.me/results/f4227895-7c48-411e-84c3-2e50ab71a6ba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d990bd3e807d60e7f8cf83b8e19a55f454f64182d190acf8ea24070418892d22

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments