MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ead7621affb3dcfa1137359639f3df8060fca2e5aafd65322a7d67745726b88c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	ead7621affb3dcfa1137359639f3df8060fca2e5aafd65322a7d67745726b88c
SHA3-384 hash:	6c2156a066e2d559d0af77af1e31f13395961340d9f69a29ac7dfd803d6e2ff80f996a640cbc18b248c6e6fdb6b646b8
SHA1 hash:	088ba043196133dd255dd0e70106a6dd26aa788b
MD5 hash:	7088a08179ec6c352a8526afa9e13004
humanhash:	dakota-bacon-tennessee-alabama
File name:	0x00060000000231c5-2.dll
Download:	download sample
Signature	IcedID Create hunting rule
File size:	335'872 bytes
First seen:	2023-10-12 00:42:32 UTC
Last seen:	2023-10-12 01:42:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e7125b885fcd1eea77d2881eaaa53c4d (6 x IcedID)
ssdeep	6144:hN/F41OWGRkFtwxW6spj/JbUaeboh6EReEUHFmUBRXzXcOkLz1KQzY:h5FCOWGRayW6sAowXFmUBtDgrz
Threatray	41 similar samples on MalwareBazaar
TLSH	T1F764AE0A36980CB9FDB29239CC576945EA72BC155335D66F0360831ADF2F790A92FF21
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	JAMESWT_WT
Tags:	exe gestionhqse-com IcedID

Intelligence

File Origin

# of uploads :

# of downloads :

444

Origin country :

Vendor Threat Intelligence

Malware family:

icedid

ID:

File name:

OFFER[2023.10.11_08-07]_5.vbs

Verdict:

Malicious activity

Analysis date:

2023-10-11 23:47:01 UTC

Tags:

icedid bokbot loader

Link:

https://app.any.run/tasks/cb714bc9-535f-4a70-ba46-0c3d51d5c143

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/453598/

Detection(s):

SecuriteInfo.com.Win64.TrojanX-gen.24815.25891.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Enabling autorun by creating a file

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin masquerade packed

Link:

https://www.filescan.io/uploads/65274119853e4f06480a2d45/reports/02b71db7-5561-4748-a1cc-10dbcbc94e95/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ead7621affb3dcfa1137359639f3df8060fca2e5aafd65322a7d67745726b88c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0b2c792d-a2a5-4774-99f2-363eefc5e2f9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ead7621affb3dcfa1137359639f3df8060fca2e5aafd65322a7d67745726b88c/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-10-12 00:43:06 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

7 of 38 (18.42%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5llwegx7wpopuejxgwldt467qbqpzixfvl6wkmrkpvtxivzgxcga._file

Verdict:

malicious

Result

Malware family:

icedid

Score:

10/10

Tags:

family:icedid campaign:361893872 banker trojan

Link:

https://tria.ge/reports/231012-a2xjwsfh37/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Loads dropped DLL

Blocklisted process makes network request

IcedID, BokBot

Unpacked files

SH256 hash:

798ae198bdcf45cd7138bf44d27cb5d9b14e47e4d9a9e6541be9fafd4b92d214

MD5 hash:

7e868fdc01742362e371ca903d64606f

SHA1 hash:

f42531a11fd04835f957346ba164967851291d1e

Detections:

IcedIDLoaderFork

Link:

https://www.unpac.me/results/21c9dd75-4d43-47fb-ae15-cce5321f8528/

Parent samples :

a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c
5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca
f324bb47090d388fca1015260f66f67b708e8451292cd5679791792c90d5b711
42cea91c813a490a0b590932c940d796fadfc97765291506813b0ae6f2a42fed
ead7621affb3dcfa1137359639f3df8060fca2e5aafd65322a7d67745726b88c
03b25f3a6a6612eca075b0253d7e8ae6ee556bb5375ab7f38b408da15c1b6af9
8901e289c92449e47212b5e6e948ee1d12e9d809af9026ea39834f595bc9f238

SH256 hash:

ead7621affb3dcfa1137359639f3df8060fca2e5aafd65322a7d67745726b88c

MD5 hash:

7088a08179ec6c352a8526afa9e13004

SHA1 hash:

088ba043196133dd255dd0e70106a6dd26aa788b

Link:

https://www.unpac.me/results/21c9dd75-4d43-47fb-ae15-cce5321f8528/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ead7621affb3dcfa1137359639f3df8060fca2e5aafd65322a7d67745726b88c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TrojanSpy_EMOTET_W4 Create hunting rule
Author:	Ian Kenefick (Trend Micro)
Description:	Emotet x64 Loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/453598/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample