MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea82f571c70046400d3e5967467d8b67c2e7592e353e3828d9bf20818d19ea87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea82f571c70046400d3e5967467d8b67c2e7592e353e3828d9bf20818d19ea87
SHA3-384 hash: d6dcd9edfd8b52e896bfd60605e7f73d062b6f15c55b90404e6377821926716af4bd0aa4c82336fc99ff4295676c6a20
SHA1 hash: c1b33030c2852744dbe8d76b5bf01df90db48c8c
MD5 hash: a8536283bd36b3b9be4136573af0bd34
humanhash: crazy-ten-floor-emma
File name:a8536283bd36b3b9be4136573af0bd34
Download: download sample
Signature IcedID
Create hunting rule
File size:2'125'824 bytes
First seen:2023-02-11 15:41:03 UTC
Last seen:2023-02-11 18:30:44 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:rr0cGUswx0jxX5YqajzK6i0IUXdeCefTZLGqJfnF3f/:rr0cfYxH0IUNBe9a0fnF3f/
Threatray 1'328 similar samples on MalwareBazaar
TLSH T1EDA59DC2B241D4EFF60549304DA2DBB672527CB7AE32469B36F8F79E2C739A31600654
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter zbetcheckin
Tags:IcedID msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/364054/
Detection(s):
SecuriteInfo.com.Gen.Variant.MSILHeracles.55063.31285.22245.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ea82f571c70046400d3e5967467d8b67c2e7592e353e3828d9bf20818d19ea87
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ea82f571c70046400d3e5967467d8b67c2e7592e353e3828d9bf20818d19ea87
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1172149
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 804939 Sample: RFQ245wfcV.msi Startdate: 11/02/2023 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 5 other signatures 2->49 8 msiexec.exe 74 28 2->8         started        11 msiexec.exe 3 2->11         started        process3 file4 23 C:\Windows\Installer\MSI57A2.tmp, PE32+ 8->23 dropped 13 msiexec.exe 8->13         started        process5 process6 15 rundll32.exe 9 13->15         started        file7 25 C:\Windows\Installer\...\test.cs.dll, PE32 15->25 dropped 27 C:\Windows\Installer\...\WixSharp.dll, PE32 15->27 dropped 29 C:\Users\user\AppData\Local\MSI7f73c8c5.msi, PE32+ 15->29 dropped 31 Microsoft.Deployme...indowsInstaller.dll, PE32 15->31 dropped 37 System process connects to network (likely due to code injection or exploit) 15->37 39 Contains functionality to detect hardware virtualization (CPUID execution measurement) 15->39 41 Tries to detect virtualization through RDTSC time measurements 15->41 19 rundll32.exe 15->19         started        signatures8 process9 dnsIp10 33 afrodizajoy.com 157.230.23.215, 49700, 49701, 49702 DIGITALOCEAN-ASNUS United States 19->33 35 192.168.2.1 unknown unknown 19->35 51 System process connects to network (likely due to code injection or exploit) 19->51 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea82f571c70046400d3e5967467d8b67c2e7592e353e3828d9bf20818d19ea87/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2023-02-11 15:42:09 UTC
File Type:
Binary (Archive)
Extracted files:
32
AV detection:
13 of 39 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5kbpk4ohabdeadj6lftum7mlm7boowjogu7dqkgzx4qiddiz5kdq._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
01fcaac089adb57be61812b11860fb264cad44b7e3a60b3519ff964a9f459b73
IcedID
99dfb7baafec050861e152a036af86fc0c7663f3c719d58a56dfd9f06f4b8cef
IcedID
a5f81b3f092a05dc7026957e5d716e5976a38b152d1823ac76b84e189aa4a75b
IcedID
c0a063352598eae28f226207503d864a06f5490497b074a9390927793ea16bfd
IcedID
ca04842f4ead02f9ca4bb59856102b738ce2fb10bf18a4e087284e5a1b4d1380
IcedID
f4daa4b7976108d0eeae9cfd086b9410322ca3ef24acda9251272c3188abb627
IcedID
+ 1'318 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid campaign:3195585424 banker loader trojan
Link:
https://tria.ge/reports/230211-s5cb8shd8x/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
IcedID, BokBot
Malware Config
C2 Extraction:
afrodizajoy.com
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ea82f571c700/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
IcedID
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ea82f571c70046400d3e5967467d8b67c2e7592e353e3828d9bf20818d19ea87

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

IcedID

Microsoft Software Installer (MSI) msi ea82f571c70046400d3e5967467d8b67c2e7592e353e3828d9bf20818d19ea87

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2537066/
Cape
Cape
https://www.capesandbox.com/analysis/364054/

Comments


Avatar
zbet commented on 2023-02-11 15:41:10 UTC

url : hxxps://ndcda.com/kem1/build-013.msi