MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7f9b5692e7f51ee1711ef2f344f7fdacf4387712c38a82b1361679ab76da12a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7f9b5692e7f51ee1711ef2f344f7fdacf4387712c38a82b1361679ab76da12a
SHA3-384 hash: 8ac14a149d7a235542db97e3cf4743f770faaa1dc8554c9d821c97d3c3677f0011d9c27c229e0024c463bac282d8dfa6
SHA1 hash: f0e8d7c1b16adbb734d5254e70b3f6f5f616b09b
MD5 hash: 376064351308815baa1cedb83e67b356
humanhash: connecticut-blue-victor-thirteen
File name:otaxujuc64.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:287'440 bytes
First seen:2020-11-30 18:39:03 UTC
Last seen:2020-11-30 20:59:30 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 307361dd86ec27ba4aec118d1cf145c9 (2 x IcedID)
ssdeep 6144:k+J6EWI9FatwUCLTlNy03xW3kLi7GfQpCsf2UAW:N6PeFatCLTlNy0hji7mZe2rW
Threatray 22 similar samples on MalwareBazaar
TLSH CF548C22E3954470F27B0A315077D1638BBDBA508BB48DD7639A202D3DA37F1A934B5E
Reporter malware_traffic
Tags:dll IcedID Shathak TA551


Avatar
malware_traffic
Run method: regsvr32.exe /s [filename]

Intelligence

File Origin
# of uploads :
2
# of downloads :
323
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106091/
Detection(s):
SecuriteInfo.com.PE.Heur.InvalidSig.28703.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Connection attempt
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/551270
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Early bird code injection technique detected
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 324750 Sample: otaxujuc64.dll Startdate: 30/11/2020 Architecture: WINDOWS Score: 80 33 ujkiol45.cyou 2->33 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 3 8->10         started        14 cmd.exe 1 8->14         started        dnsIp5 35 ujkiol45.cyou 68.183.89.248, 443, 49791, 49804 DIGITALOCEAN-ASNUS United States 10->35 49 System process connects to network (likely due to code injection or exploit) 10->49 51 Early bird code injection technique detected 10->51 53 Writes to foreign memory regions 10->53 55 3 other signatures 10->55 16 msiexec.exe 10->16         started        20 WerFault.exe 9 10->20         started        22 WerFault.exe 9 10->22         started        26 6 other processes 10->26 24 iexplore.exe 1 73 14->24         started        signatures6 process7 dnsIp8 31 ujkiol45.cyou 16->31 43 Changes memory attributes in foreign processes to executable or writable 16->43 45 Tries to detect virtualization through RDTSC time measurements 16->45 47 Creates a thread in another existing process (thread injection) 16->47 28 iexplore.exe 163 24->28         started        signatures9 process10 dnsIp11 37 img.img-taboola.com 28->37 39 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49759, 49760 YAHOO-DEBDE United Kingdom 28->39 41 9 other IPs or domains 28->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7f9b5692e7f51ee1711ef2f344f7fdacf4387712c38a82b1361679ab76da12a/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2020-11-30 18:39:07 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4743k2jop5i64fyr54xtit373lhuhb3rfq4kqkytmftzvn3nueva._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
1a4f63c7c5b4e3e26cce157c4e0d6ed8c1fef956c4033b96df9159d27169445d
IcedID
3dfb74874b9c0b32b66ce96a97170fc430fed51a7cfdbf361e6c4febe2935e5d
IcedID
56c26ed446ff536e676969a770d3ca72bd5bb1faf20aa64ecb559cbaab4d36d2
IcedID
6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a
IcedID
818076cbf3b8323b674d476b2862b3495cddcc13ef957f5bd9ec7f18bd436791
IcedID
a09d8c487a135b973af532247d62f46695a53f37add6c66e561f1c14650290f5
IcedID
a24c5d4c11f1d46b03ae1539df341c7247e1f8809b27a3b873449a1be218bd1e
IcedID
c7a41aaae47af9ebc6bcabb267e1d11d903c937df275ab2bbdcda734efdbabbf
IcedID
d25e3a7ed538968e9b78367cd8f8d20f8f55471a1eb27aae2774272fc8c1c1ce
IcedID
f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b
IcedID
+ 12 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid banker trojan
Link:
https://tria.ge/reports/201130-52g29y4fae/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
IcedID Core Payload
ServiceHost packer
IcedID, BokBot
Unpacked files
SH256 hash:
13dcbbe00775f436348f75ad76c13d15b8ba3cba41814ae4c061fb5dc5087563
MD5 hash:
c461337861a6c99f3aab5d5b61f6ebeb
SHA1 hash:
d28c2a227c7bbe88d43f57f2b9011d5adb95e21d
Link:
https://www.unpac.me/results/506d2d1b-8224-4c13-a0fd-3a34ddd4b645/
SH256 hash:
e7f9b5692e7f51ee1711ef2f344f7fdacf4387712c38a82b1361679ab76da12a
MD5 hash:
376064351308815baa1cedb83e67b356
SHA1 hash:
f0e8d7c1b16adbb734d5254e70b3f6f5f616b09b
Link:
https://www.unpac.me/results/506d2d1b-8224-4c13-a0fd-3a34ddd4b645/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7f9b5692e7f51ee1711ef2f344f7fdacf4387712c38a82b1361679ab76da12a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_banker_iceid_ldr1
Create hunting rule
Author:@VK_Intel
Description:Detects IcedId/BokBot png loader (unpacked)
Reference:twitter

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/106091/

Comments