MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4daa4b7976108d0eeae9cfd086b9410322ca3ef24acda9251272c3188abb627. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 8

SHA256 hash: f4daa4b7976108d0eeae9cfd086b9410322ca3ef24acda9251272c3188abb627
SHA3-384 hash: 9943056e3084db158479ac6efbfd95d9f47e05a6a6eeffc98c9fa2e55c2b957bc3650e383405ceb7ad8a19c635e9a940
SHA1 hash: 10f81ce6fb0021d207831922bcbdaca17ac446ff
MD5 hash: 63c9d11a288f11f3345d6aaf3b75e719
humanhash: beer-single-montana-tango
File name: Document_07-12-2022_20-15-15_PDF.msi
Signature IcedID
File size: 1'302'537 bytes
First seen: 2022-12-07 22:17:26 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 24576:aHL08Nrx5zH8h2q1ioC7Z6VVT+XirpTs7sx0QBnoNjla+idlpdIFlF3N9:ar08NrxeB1BG0F+uTsAx0tlpidvdklFD
TLSH: T1BD558D47E2E710ECC56BC1704757A673FA32BC198220796B5794F7303E36F60A629B29
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5); 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: k3dg3___
Tags: ewgahskoot IcedID msi

Intelligence

File Origin
# of uploads: 1
# of downloads: 208
Origin country: US
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: packed rundll32.exe
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph (ID 763070; sample Document_07-12-2022_20-15-1...; start date 07/12/2022; architecture WINDOWS; score 92), summarised from the graph:
Process chain: sample -> msiexec.exe -> msiexec.exe -> rundll32.exe -> rundll32.exe (a second msiexec.exe is also started directly by the sample)
Dropped by the first msiexec.exe: C:\Windows\Installer\MSIAD24.tmp (PE32+)
Dropped by the first rundll32.exe: C:\Windows\Installer\...\test.cs.dll (PE32); C:\Windows\Installer\...\WixSharp.dll (PE32); Microsoft.Deployme...indowsInstaller.dll (PE32); C:\Users\user\AppData\Local\...\tmp879D.dll (PE32+)
Network activity by the second rundll32.exe: ewgahskoot.com 165.227.104.80, ports 49698, 49699, 49700 (DIGITALOCEAN-ASN, US, United States); 192.168.2.1 (unknown)
Signatures attached to the graph: Malicious sample detected (through community Yara rule); Yara detected IcedID; .NET source code contains potential unpacker; 2 other signatures; System process connects to network (likely due to code injection or exploit); Contains functionality to detect hardware virtualization (CPUID execution measurement); Tries to detect virtualization through RDTSC time measurements
Threat name: ByteCode-MSIL.Trojan.Starter
Status: Malicious
First seen: 2022-12-07 22:18:11 UTC
File Type: Binary (Archive)
Extracted files: 33
AV detection: 1 of 39 (2.56%)
Threat level: 5/5
Verdict: malicious
Label(s):
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Drops file in Windows directory
Enumerates connected drives
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Signature: IcedID
File type: Microsoft Software Installer (MSI) msi
SHA256 hash: f4daa4b7976108d0eeae9cfd086b9410322ca3ef24acda9251272c3188abb627 (this sample)
Dropping: SHA256 f9b8adac9adf850d60d1551e235164e1e14d3c452aa9c7fdf2c444c687e690e9
Delivery method: Distributed via e-mail link

Comments