MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddccd3747d451eeefbab65dba37561e01c1658ee2a4ffd9174f473ecf860f494. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddccd3747d451eeefbab65dba37561e01c1658ee2a4ffd9174f473ecf860f494
SHA3-384 hash: a3c0c2c2f6c4577fbfaa9d0d1df3669723443e519a28a480ca9b73ed14d6a8bb4579bd6f0a60d1a9c93fb8bbc8715c71
SHA1 hash: 78af6746e909714af79ac7fbb25de9ebad993cf3
MD5 hash: 6c9929b09ca847533786356976ce2481
humanhash: low-river-quebec-uniform
File name:ddccd3747d451eeefbab65dba37561e01c1658ee2a4ff.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:397'327 bytes
First seen:2021-04-29 06:56:08 UTC
Last seen:2021-04-29 10:30:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ec2d6fd6679385943a8a71982087e8d3 (2 x IcedID)
ssdeep 12288:3kK4KZKykKBK9nXeP/2pl1cT0nn5I7RvU/uWfHXCAE3zijczx0Ms6ex64U/ok8TL:35FAy5Y9nXeP/2pl1cT0nn5I7RvU/uWf
Threatray 1'732 similar samples on MalwareBazaar
TLSH AC84C62E55DD97C3C9A6D57510C4726EA347BAF390F653CF285C8A3B8BC37C26908268
Reporter abuse_ch
Tags:dll IcedID


Avatar
abuse_ch
IcedID C2:
quadrogorrila.casa

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
quadrogorrila.casa https://threatfox.abuse.ch/ioc/22244/

Intelligence

File Origin
# of uploads :
3
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection:
IcedIDStage1
Create hunting rule
Link:
https://www.capesandbox.com/analysis/146431/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36802578.1677.14810.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Deleting a recently created file
Creating a file in the Windows subdirectories
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/703028
Signature
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 400439 Sample: ddccd3747d451eeefbab65dba37... Startdate: 29/04/2021 Architecture: WINDOWS Score: 68 28 quadrogorrila.casa 2->28 30 essoandmobilcards.com 2->30 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected IcedID 2->66 8 loaddll64.exe 1 2->8         started        signatures3 68 System process connects to network (likely due to code injection or exploit) 30->68 process4 dnsIp5 44 quadrogorrila.casa 8->44 46 essoandmobilcards.com 8->46 48 3 other IPs or domains 8->48 74 Tries to detect virtualization through RDTSC time measurements 8->74 12 cmd.exe 1 8->12         started        14 regsvr32.exe 8->14         started        18 rundll32.exe 8->18         started        20 2 other processes 8->20 signatures6 process7 dnsIp8 22 rundll32.exe 12->22         started        50 essoandmobilcards.com 159.203.59.198, 443, 49713, 49716 DIGITALOCEAN-ASNUS United States 14->50 52 quadrogorrila.casa 14->52 58 3 other IPs or domains 14->58 76 System process connects to network (likely due to code injection or exploit) 14->76 78 Tries to detect virtualization through RDTSC time measurements 14->78 54 quadrogorrila.casa 18->54 60 2 other IPs or domains 18->60 56 quadrogorrila.casa 20->56 62 3 other IPs or domains 20->62 26 iexplore.exe 5 154 20->26         started        signatures9 process10 dnsIp11 32 quadrogorrila.casa 22->32 34 essoandmobilcards.com 22->34 40 3 other IPs or domains 22->40 70 System process connects to network (likely due to code injection or exploit) 22->70 72 Tries to detect virtualization through RDTSC time measurements 22->72 36 quadrogorrila.casa 26->36 38 essoandmobilcards.com 26->38 42 12 other IPs or domains 26->42 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ddccd3747d451eeefbab65dba37561e01c1658ee2a4ffd9174f473ecf860f494/
Threat name:
Win64.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-04-27 19:19:00 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3xgng5d5iupo565lmxn2g5lb4aobmwhofjh73elu6rz6z6da6ska._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
4c90ce519179a5a643a2328097a2b54cbc1a0a0b556259dca0d2dd8325b6764b
IcedID
5d8cd0de2bba3dc6b46cb875e0f52d3a914ca90fd56baa79517b64eff7a704be
IcedID
72a1d0fdb843daa7264abdd9c8cdbb8c58e8c8ebbb0d6f2b94cd15f2d6e6be67
IcedID
9573dc66ef69a076e57fe7a307a4403066d9c684fb9fac30ee99c2e7567878ff
IcedID
a3956aae0810a92ba67e04cc2a428c6da29282230f9ba7338125d2df74515935
IcedID
bd3031fa97436186d80950b934c4b3365d08a28fb1684c2c9ac88bc55d121bd6
IcedID
cac56b894e4cfed112ed21ec8d73596c0b67e159f1b04f3f115efe309d4f3615
IcedID
d82af53c1cef5d0a18c72ed357c076db5bc0010331e54b93c2f97b642fd236a2
IcedID
e73a9f45ec13bdbe996e2de6b0bed5d0b6e143e7d702e8d06f46b64c94cd1e0c
IcedID
eb479f2f3d0b1d7df00099ce70f96c91765ffd2319486e903f7d078a9dd6fb87
IcedID
+ 1'722 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid banker trojan
Link:
https://tria.ge/reports/210429-re3zgqdfsx/
Behaviour
Suspicious behavior: EnumeratesProcesses
IcedID, BokBot
Malware Config
C2 Extraction:
quadrogorrila.casa
Unpacked files
SH256 hash:
ddccd3747d451eeefbab65dba37561e01c1658ee2a4ffd9174f473ecf860f494
MD5 hash:
6c9929b09ca847533786356976ce2481
SHA1 hash:
78af6746e909714af79ac7fbb25de9ebad993cf3
Link:
https://www.unpac.me/results/64353863-9a07-4bbf-9231-c3876596e06d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Bazar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ddccd3747d451eeefbab65dba37561e01c1658ee2a4ffd9174f473ecf860f494

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_icedid_stage1
Create hunting rule
Author:Rony (@r0ny_123)
Description:Detects IcedID Photoloader
Reference:https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html
Rule name:IcedID
Create hunting rule
Author:@bartblaze
Description:Identifies IcedID (stage 1 and 2, loaders).
Rule name:IcedIDStage1
Create hunting rule
Author:kevoreilly, threathive, enzo
Description:IcedID Payload
Rule name:MALWARE_Win_IceID
Create hunting rule
Author:ditekSHen
Description:Detects IceID / Bokbot variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/146431/

Comments