MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f56ea10521a52f78bedbf51c0bbdf9c894e473a73f1da8d388afc85b4c95f727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 6



SHA256 hash: f56ea10521a52f78bedbf51c0bbdf9c894e473a73f1da8d388afc85b4c95f727
SHA3-384 hash: a5401ad3b7faffef6f854288a2b733c2df19c01423c6d6f5717038c35f2ff45b1c013ef24dc340dbdc39f7b2669796e0
SHA1 hash: d7e7b126b04c075f0c2dd9a342715d0c3fa40045
MD5 hash: 8618deadab75f39b032b58f7f474a81f
humanhash: vermont-asparagus-yellow-rugby
File name: f56ea10521a52f78bedbf51c0bbdf9c894e473a73f1da8d388afc85b4c95f727
Signature: IcedID
File size: 136'496 bytes
First seen: 2020-10-16 11:14:05 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: fbe1cc29e5efaa91d962b112bd4e94a5 (1 x IcedID)
ssdeep: 3072:t+zqAzYbo6TH6fJOguR9vQAnaO47WRBnURdXjYMxdpdwOFWmn:sCbZTANuR9vQA67HqOFWmn
Threatray: 47 similar samples on MalwareBazaar
TLSH: 71D37B0035918433ED7619345874DAAE973D3E501F6189EFB398266E9F349F08E34EAB
Reporter: JAMESWT_WT
Tags: FABO SP Z O O, IcedID

Code Signing Certificate

Organisation: FABO SP Z O O
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: Oct 12 00:00:00 2020 GMT
Valid to: Oct 12 23:59:59 2021 GMT
Serial number: CA7D54577243934F665FD1D443855A3D
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 2EA2C7625C1A42FFF63F0B17CFC4FD0C0F76D7EB45A86B18EC9A630D3D8AD913
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 131
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Connection attempt
Result
Threat name:
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains VNC / remote desktop functionality (version string found)
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected IcedID
Behaviour
Behavior Graph (ID 299201; sample E6RzXi5kLc; start date 16/10/2020; architecture WINDOWS; score 100)

Top-level signatures: Yara detected IcedID; Contains VNC / remote desktop functionality (version string found); Uses net.exe to modify the status of services; 2 other signatures

Process tree, with the network contacts, dropped files and per-process signatures recorded in the graph:

loaddll32.exe
  rundll32.exe
    DNS/IP: monomonster.top (79.110.52.53, ports 443, 49746, 49748; V4ESCROW-ASRO, Romania); muvludturki.top
    Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Writes to foreign memory regions; Allocates memory in foreign processes; Queues an APC in another process (thread injection)
    msiexec.exe
      DNS/IP: muvludturki.top; monomonster.top
      Dropped: C:\Users\user\AppData\...\atuvobbb1.dll (PE32); C:\Users\user\AppData\Local\...\sqlite64.dll (PE32+)
      Signatures: Tries to steal Mail credentials (via file access); Contains functionality to detect hardware virtualization (CPUID execution measurement); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
      systeminfo.exe
        Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
        conhost.exe
      cmd.exe
        conhost.exe
        chcp.com
      net.exe
        conhost.exe
        net1.exe
      6 other processes
        conhost.exe (3 instances)
        2 other processes
  rundll32.exe
    DNS/IP: muvludturki.top
    Signatures: System process connects to network (likely due to code injection or exploit)
regsvr32.exe
  regsvr32.exe
    Signatures: Tries to detect virtualization through RDTSC time measurements
Threat name: Win32.Trojan.IcedID
Status: Malicious
First seen: 2020-10-16 10:42:02 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 19 of 29 (65.52%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: trojan banker family:icedid
Behaviour
Suspicious use of WriteProcessMemory
Blacklisted process makes network request
IcedID Core Payload
IcedID, BokBot
Unpacked files
SHA256 hash: f56ea10521a52f78bedbf51c0bbdf9c894e473a73f1da8d388afc85b4c95f727
MD5 hash: 8618deadab75f39b032b58f7f474a81f
SHA1 hash: d7e7b126b04c075f0c2dd9a342715d0c3fa40045

SHA256 hash: af573fdf73cae8ff43f41c99eb417c377342b979457eab6cceb22308f89b45eb
MD5 hash: d8444ad709fc04a9ba08788744cc426c
SHA1 hash: 419ac258c0deed71d9e2dc770f894622e574b829
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win32_banker_iceid_ldr1
Author: @VK_Intel
Description: Detects IcedId/BokBot png loader (unpacked)
Reference: twitter

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments