MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc470d46519ad7e7330156f7516408de6797919842feac79de7ad74f16037a5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc470d46519ad7e7330156f7516408de6797919842feac79de7ad74f16037a5d
SHA3-384 hash: e9df22c84c1393e300202a03145bd6fe23c81b2a719d9c98fdbdd6a731b06e4caf94b45e1e722ec9daa2dbec38b0ccda
SHA1 hash: 466c20b64d64015aa3d89ae0e51fca01d7ff91aa
MD5 hash: bbfee2210aaaad3fa8384c536e739455
humanhash: comet-kentucky-mockingbird-autumn
File name:bbfee2210aaaad3fa8384c536e739455.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:117'382 bytes
First seen:2021-12-21 17:56:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 08dc3d43b276021a0704807103d3924a (12 x IcedID, 1 x BazaLoader)
ssdeep 3072:pCiWrk4232Jlpwqeh01jYku1SQ9A3N2AUTYz:gif2Jlpwq6yYki9AN
Threatray 110 similar samples on MalwareBazaar
TLSH T165B36B1762A9007FE13792B4C1839B12DBB27D0163646BEF039542691F5B7E0AE3AF71
Reporter abuse_ch
Tags:dll exe IcedID


Avatar
abuse_ch
IcedID C2:
grendafolz.com

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
grendafolz.com https://threatfox.abuse.ch/ioc/263350/

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bbfee2210aaaad3fa8384c536e739455.dll
Verdict:
No threats detected
Analysis date:
2021-12-21 18:01:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb37131c-1135-4e27-bb51-cb6e208b0e90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis7EA3260BF57E.9624.20276.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2878/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware overlay
Link:
https://www.filescan.io/uploads/61c215708991ba72b39090f2/reports/3af8c214-9489-4635-9f91-6abff479725c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5d1c2a98-f71c-435c-86c3-2cd479942b99
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/911129
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found malware configuration
Multi AV Scanner detection for domain / URL
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 543607 Sample: W8jYpSWcur.dll Startdate: 21/12/2021 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 Antivirus detection for URL or domain 2->55 57 3 other signatures 2->57 7 loaddll64.exe 1 2->7         started        process3 dnsIp4 31 grendafolz.com 7->31 33 tp.8e49140c2-frontier.amazon.com 7->33 35 2 other IPs or domains 7->35 65 Contains functionality to detect hardware virtualization (CPUID execution measurement) 7->65 67 Tries to detect virtualization through RDTSC time measurements 7->67 11 cmd.exe 1 7->11         started        13 regsvr32.exe 7->13         started        17 rundll32.exe 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 21 rundll32.exe 11->21         started        37 grendafolz.com 13->37 45 3 other IPs or domains 13->45 69 Contains functionality to detect hardware virtualization (CPUID execution measurement) 13->69 71 Tries to detect virtualization through RDTSC time measurements 13->71 39 grendafolz.com 17->39 47 2 other IPs or domains 17->47 73 System process connects to network (likely due to code injection or exploit) 17->73 41 grendafolz.com 19->41 43 grendafolz.com 19->43 49 4 other IPs or domains 19->49 signatures8 process9 dnsIp10 25 grendafolz.com 185.99.133.24, 49773, 49775, 49777 ZAPPIE-HOST-ASZappieHostGB Belarus 21->25 27 tp.8e49140c2-frontier.amazon.com 21->27 29 2 other IPs or domains 21->29 59 System process connects to network (likely due to code injection or exploit) 21->59 61 Contains functionality to detect hardware virtualization (CPUID execution measurement) 21->61 63 Tries to detect virtualization through RDTSC time measurements 21->63 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc470d46519ad7e7330156f7516408de6797919842feac79de7ad74f16037a5d/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2021-12-21 17:57:10 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3rdq2rsrtll6omybk33vczai3ztzpemyil7ky6o6pllu6fqdpjoq._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
5b9bd84a90158acd2ca0ec48d481e56a1944fe95185c55f6de81b9b451619d21
IcedID
706bdf5519c83077165e2b0dcb88f808994e4340a2b8b8d1887fd15dd6e43f16
IcedID
7bb52ca6ebde0f5558c9e7422f0fe63c66d4c1d332290767c6854baae3c176d9
IcedID
9035c7f39f0b9894cd46fc60036373ec73fad2ed3db1b39c2b8b3c8f4194a151
IcedID
a9fc00220322d5ff6ba7cb1d8507408c815cd3fafd3cafefa6515044a8e12d73
IcedID
bace5399828edd5f5de4c7384a25a49d74069a35e2e97b295325db9509553379
IcedID
bb2522383cacc58cb21b3b7d21d6171ef57bb9dc3b4636b226edf7f6fc09b6d9
IcedID
cec773b499c75432b3f2831ebe705fc9bf775dc2a1a050224fd189523fc3b2f0
IcedID
d51ee684682592c49d444c2b097d60eb9d8e971d72acd12def6ab041929678e3
IcedID
d990bd3e807d60e7f8cf83b8e19a55f454f64182d190acf8ea24070418892d22
IcedID
+ 100 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid campaign:1778413602 banker suricata trojan
Link:
https://tria.ge/reports/211221-wjky2afafm/
Behaviour
Suspicious behavior: EnumeratesProcesses
IcedID, BokBot
suricata: ET MALWARE Win32/IcedID Request Cookie
Malware Config
C2 Extraction:
grendafolz.com
Unpacked files
SH256 hash:
dc470d46519ad7e7330156f7516408de6797919842feac79de7ad74f16037a5d
MD5 hash:
bbfee2210aaaad3fa8384c536e739455
SHA1 hash:
466c20b64d64015aa3d89ae0e51fca01d7ff91aa
Link:
https://www.unpac.me/results/7959037e-415e-4088-96fb-5f351154fb6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc470d46519ad7e7330156f7516408de6797919842feac79de7ad74f16037a5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

IcedID

Executable exe dc470d46519ad7e7330156f7516408de6797919842feac79de7ad74f16037a5d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1907786/
  
Delivery method
Distributed via web download

Comments