MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b
SHA3-384 hash: 867fa93c44e42df06fe7c85ba603bef8e38df1b150f30abff38ae5325baa43c58ba5477600e020547720418c533f6727
SHA1 hash: 37a2f9bdd672de1bfe7d55ac4b4c42ef9c63af83
MD5 hash: 3ab20b297e3b7fd853b7544c5ad3f142
humanhash: september-nitrogen-oscar-georgia
File name:nivude1.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:108'032 bytes
First seen:2020-11-24 15:19:20 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 1ae6ba40e9dbf13143cd3d538d88f08a (3 x IcedID)
ssdeep 1536:GyRkPsWxFcd3pTwfUzk9HVOgiNXUjgzIBN6wfIPP26pw5ad2pl/H7ZvqZMBu+FIx:GK803NwTyEcIBN6u+26pKvqZMBpSx
Threatray 889 similar samples on MalwareBazaar
TLSH C6B37C02B7D18032E57F1A390432C6B28A3E7D504FE09DAB674A253D5F706E1A735F6A
Reporter malware_traffic
Tags:dll IcedID Shathak TA551

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Connection attempt
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/546142
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Early bird code injection technique detected
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 322167 Sample: nivude1.dll Startdate: 24/11/2020 Architecture: WINDOWS Score: 96 28 cdn.onenote.net 2->28 48 Yara detected IcedID 2->48 50 Contains VNC / remote desktop functionality (version string found) 2->50 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 regsvr32.exe 3 9->11         started        15 cmd.exe 1 9->15         started        dnsIp6 36 afromadness.club 68.183.54.143, 443, 49745, 49748 DIGITALOCEAN-ASNUS United States 11->36 38 192.168.2.1 unknown unknown 11->38 52 System process connects to network (likely due to code injection or exploit) 11->52 54 Early bird code injection technique detected 11->54 56 Contains functionality to detect hardware virtualization (CPUID execution measurement) 11->56 58 4 other signatures 11->58 17 msiexec.exe 1 39 11->17         started        21 iexplore.exe 2 83 15->21         started        signatures7 process8 dnsIp9 26 afromadness.club 17->26 40 Changes memory attributes in foreign processes to executable or writable 17->40 42 Contains functionality to detect hardware virtualization (CPUID execution measurement) 17->42 44 Tries to detect virtualization through RDTSC time measurements 17->44 46 Creates a thread in another existing process (thread injection) 17->46 23 iexplore.exe 5 158 21->23         started        signatures10 process11 dnsIp12 30 img.img-taboola.com 23->30 32 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49731, 49732 YAHOO-DEBDE United Kingdom 23->32 34 9 other IPs or domains 23->34
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b/
Threat name:
Win32.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 15:20:06 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
3dfb74874b9c0b32b66ce96a97170fc430fed51a7cfdbf361e6c4febe2935e5d
IcedID
6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a
IcedID
818076cbf3b8323b674d476b2862b3495cddcc13ef957f5bd9ec7f18bd436791
IcedID
a09d8c487a135b973af532247d62f46695a53f37add6c66e561f1c14650290f5
IcedID
a24c5d4c11f1d46b03ae1539df341c7247e1f8809b27a3b873449a1be218bd1e
IcedID
a9f651747ef040972d25a7f039a4853c9ed151ad252380e1e75af32ddc4ece82
IcedID
c7a41aaae47af9ebc6bcabb267e1d11d903c937df275ab2bbdcda734efdbabbf
IcedID
d25e3a7ed538968e9b78367cd8f8d20f8f55471a1eb27aae2774272fc8c1c1ce
IcedID
e75612b515f036b54d63ed2efa45afc9b167b78116d65a77b1f0fa69674ed51f
IcedID
f56ea10521a52f78bedbf51c0bbdf9c894e473a73f1da8d388afc85b4c95f727
IcedID
+ 879 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid banker trojan
Link:
https://tria.ge/reports/201124-xatp5ez24e/
Behaviour
Suspicious use of WriteProcessMemory
IcedID Core Payload
IcedID, BokBot
Unpacked files
SH256 hash:
f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b
MD5 hash:
3ab20b297e3b7fd853b7544c5ad3f142
SHA1 hash:
37a2f9bdd672de1bfe7d55ac4b4c42ef9c63af83
Link:
https://www.unpac.me/results/a5732d98-0f8e-4a1e-8e5e-139855549c35/
SH256 hash:
dd99d98248b1719f075abfe8a19ff269d0d390c8a27b05d8356dc8f7a5ac2991
MD5 hash:
9c9ed68b9e1fcadfddded8a18d468d9e
SHA1 hash:
6ba86ffa5143a3751b3ae72e09291d0755f8732e
Link:
https://www.unpac.me/results/a5732d98-0f8e-4a1e-8e5e-139855549c35/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments