MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e22dc7e32dfb8e2f9f75c72dede8b4bbfad86c3e90d03f7b8ffa2d44165afff8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID
Vendor detections: 7



SHA256 hash: e22dc7e32dfb8e2f9f75c72dede8b4bbfad86c3e90d03f7b8ffa2d44165afff8
SHA3-384 hash: caf0e7ca085954df62eb60f0beb6b46400bd7fb26676d1db9eab42bff8c79ffa2012a0c6c57ba3f8f824502f8996a586
SHA1 hash: c12fceb0c79b26b85ae6fb9134e56a2ddbd6b544
MD5 hash: f9329056c318c4b1be6931135dc76f9e
humanhash: nineteen-artist-lactose-grey
File name: 5626.exe
Signature: IcedID
File size: 462'848 bytes
First seen: 2020-07-16 06:54:55 UTC
Last seen: 2020-07-27 10:04:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8b90e196e8cd13cac2efbe414098f9aa (2 x IcedID)
ssdeep: 1536:seYG+XbSZ34n0FbLwBypA688uDKmGXqqU095i4KroqLIK5cRKllext6+g:sgeeZoAwAAL8uoXqzwyTlYv
Threatray: 431 similar samples on MalwareBazaar
TLSH: F9A46BCCF6956644C43C843845125CB78FE2D97E530DE3A18299BB4A33B9F252AB48DF
Reporter: abuse_ch
Tags: exe IcedID


abuse_ch
IcedID payload URL:
http://www.haeunkim.com/5626.exe

IcedID C2:
https://ldrmars.casa

Intelligence

File Origin
# of uploads: 2
# of downloads: 109
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
- Creating a window
- Changing a file
- DNS request
- Sending a custom TCP request

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 68 / 100
Signature:
- Contains functionality to detect hardware virtualization (CPUID execution measurement)
- Multi AV Scanner detection for domain / URL
- Multi AV Scanner detection for submitted file
- Yara detected IcedID

Result
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-07-16 06:56:06 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 23 of 29 (79.31%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour:
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; detect CobaltStrike used by different APT groups

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: IcedID
File type: Executable exe
SHA256 hash: e22dc7e32dfb8e2f9f75c72dede8b4bbfad86c3e90d03f7b8ffa2d44165afff8 (this sample)
