MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e70e28b0f0fd9ca707dcc37e2ef5e28f81d3f8fb27892f80a92f7f3093df1869. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID


Vendor detections: 6



SHA256 hash: e70e28b0f0fd9ca707dcc37e2ef5e28f81d3f8fb27892f80a92f7f3093df1869
SHA3-384 hash: f02cdf55e37815a0fa658488265ee1bcf5a9bddca7d6368f904b79cadfbabc85bb987519c6047857cab01eb3ad5fd5b4
SHA1 hash: a8ab1d2d52728645982ce74506c7b1f3d2cede0a
MD5 hash: 2e6fd64466ba1383dcb34e4a5fbfd758
humanhash: five-spaghetti-friend-white
File name: ~496078.exe
Signature: IcedID
File size: 282'624 bytes
First seen: 2020-09-14 16:27:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 724da8aaabe1380fe2651f0051c2deac (2 x IcedID)
ssdeep: 3072:SOoHlm32akQAoRWyxSF5Um0sMlW1sgg3JDVdopKXYdKCDRttcmOnqG6e+ojw5uSs:TMmAognWm0JlWOggPBcc6Fuvnu6
Threatray: 27 similar samples on MalwareBazaar
TLSH: A054AE1237F1C873D6A711328DE29BFBB2B5FD604E318B472391AB1EED314919926361
Reporter: malware_traffic
Tags: exe IcedID Shathak TA551

Intelligence


File Origin
# of uploads: 1
# of downloads: 138
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Connection attempt

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 80 / 100

Signature
Allocates memory in foreign processes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains VNC / remote desktop functionality (version string found)
Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions

Behaviour
Behavior Graph:

Threat name: Win32.Trojan.EmotetCrypt
Status: Malicious
First seen: 2020-09-14 16:29:04 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a

Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of SetWindowsHookEx

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; Detect CobaltStrike used by different APT groups

Rule name: crime_win32_banker_iceid_ldr1
Author: @VK_Intel
Description: Detects IcedId/BokBot png loader (unpacked)
Reference: twitter

Rule name: win_sisfader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments