MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f564bf0fb0f89ff014faf854c597eb96103e13b79600826d6112d082b9e6d263. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID


Vendor detections: 6



SHA256 hash: f564bf0fb0f89ff014faf854c597eb96103e13b79600826d6112d082b9e6d263
SHA3-384 hash: cb5210f4ee6c51ecaa882b74f804dd68bf215889f7de354b2141f998e34a333c82b0590535c1082c1ec81f90a80e9b24
SHA1 hash: 5bf461db22a087dced7b3f4577b0180b7fa8ec2b
MD5 hash: 2d43767909a6204a72bd791368908f27
humanhash: apart-july-whiskey-south
File name: Setup_Win_30-01-2023_19-39-36.zip
Signature: IcedID
File size: 781'039 bytes
First seen: 2023-01-30 19:50:30 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 1536:qMgtLzMkG1uzlDfFhJnT1MFa7NrJFAAscohumgNqK4Y:QVwdEZDdbakch1gNIY
TLSH: T13BF4F224F832FE0AF1D9873B85C478E7EF3D6A3487D509C5CF24865AA10710D6B2A966
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: abuse_ch
Tags: 4040403069 fake-installer file-pumped IcedID malvertising zip


abuse_ch
IcedID distributed through malvertising campaign on Google Search:
https://www.tthunderbir.space/
-> https://us-thunderbird-soft.com/en-US/download/
--> https://firebasestorage.googleapis.com/v0/b/charged-polymer-370817.appspot.com/o/dxO5oIPxYA%2FSetup_Win_30-01-2023_19-39-36.zip?alt=media&token=1bf28115-0387-4e4d-bbe5-9af29f0b9dc5

IcedID C2:
sajimadurop.com

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: sajimadurop.com
ThreatFox reference: https://threatfox.abuse.ch/ioc/1075360/

Intelligence


File Origin
# of uploads: 1
# of downloads: 157
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Setup_Win_30-01-2023_19-39-33.exe
Pumped file: This file is pumped. MalwareBazaar has de-pumped it.
File size: 740'415'016 bytes
SHA256 hash: bc55285b6322235705b586b8cd5a2b9654fe2285a616338e7cbf9fe41abc4ebb
MD5 hash: 18d32cb2754596f2dc31038bf2c324ff
De-pumped file size: 120'320 bytes (vs. original size of 740'415'016 bytes)
De-pumped SHA256 hash: 00dfa5ffcc6c024a8c0c8f00a9cf388ead0dd47617dc341dd4df5874b68bd54e
De-pumped MD5 hash: fda906bee815ff6f8dada7406ce1799d
MIME type: application/x-dosexec
Signature: IcedID
Vendor Threat Intelligence
Threat name: Archive.Trojan.Hulk
Status: Malicious
First seen: 2023-01-30 20:07:17 UTC
AV detection: 5 of 38 (13.16%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:icedid campaign:4040403069 banker loader trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
IcedID, BokBot

Malware Config
C2 Extraction: sajimadurop.com
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win32_icedid_stage1
Author: Rony (@r0ny_123)
Description: Detects IcedID photoloader
Reference: https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html

Rule name: IcedIDLoader
Author: kevoreilly, threathive, enzo
Description: IcedID Loader

Rule name: IcedID_init_loader
Author: @bartblaze
Description: Identifies IcedID (stage 1 and 2, initial loaders).

Rule name: MALWARE_Win_IceID
Author: ditekSHen
Description: Detects IceID / Bokbot variants

Rule name: Windows_Trojan_IcedID_0b62e783
Author: Elastic Security

Rule name: Windows_Trojan_IcedID_48029e37
Author: Elastic Security

Rule name: Windows_Trojan_IcedID_91562d18
Author: Elastic Security

Rule name: win_photoloader_a0
Author: Daniel Plohmann
Description: Detects win.photoloader.

Rule name: win_photoloader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.photoloader.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: IcedID
File type / SHA256: zip f564bf0fb0f89ff014faf854c597eb96103e13b79600826d6112d082b9e6d263 (this sample)

Delivery method
Distributed via web download

Comments