MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f604ca55de802f334064610d65e23890ab81906cdac3f8a5c7c25126176289c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID


Vendor detections: 9


Maldoc score: 9


Intelligence 9 IOCs YARA File information Comments

SHA256 hash: f604ca55de802f334064610d65e23890ab81906cdac3f8a5c7c25126176289c8
SHA3-384 hash: ed33f09fdedeb9918b31ff43ae489d143b5089247e7ee3f1327cb1e6508d8f0c1bc8bdf3acf6e0498860771251c6d610
SHA1 hash: 4bd0151fa9520c9886f7d7a250596687b52bfa81
MD5 hash: 5743e3edb2bf64fe08e5e9a6ea24cd7e
humanhash: dakota-island-montana-fish
File name:deed contract 12.15.2021.doc
Download: download sample
Signature IcedID
File size:43'457 bytes
First seen:2021-12-15 13:29:43 UTC
Last seen:Never
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 768:+csHZauGn0BKW2rq/eEflhRSfwdDQWk/HQFcEKTrLfxl1Ik1K:6HvGn8KWG0lhRSfwd8WgdrLfxzY
TLSH T1FD13D008D4229E05C7CE5A3C21FD11F06FB342C793D096265D92AE6F4C602FECA5F69A
Reporter proxylife
Tags:doc IcedID

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
OLE dump

MalwareBazaar was able to identify 11 sections in this file using oledump:

Section IDSection sizeSection name
A1402 bytesPROJECT
A256 bytesPROJECTwm
A32266 bytesVBA/ThisDocument
A42881 bytesVBA/_VBA_PROJECT
A51664 bytesVBA/__SRP_0
A6263 bytesVBA/__SRP_1
A7800 bytesVBA/__SRP_2
A8328 bytesVBA/__SRP_3
A9552 bytesVBA/dir
A101082 bytesVBA/main
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecautoopenRuns when the Word document is opened
SuspiciousGetObjectMay get an OLE object with a running instance
SuspiciousStrReverseMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousexecMay run an executable file or a system
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
1
# of downloads :
398
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
deed contract 12.15.2021.doc
Verdict:
Malicious activity
Analysis date:
2021-12-15 13:32:08 UTC
Tags:
macros macros-on-open generated-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Creating a file
Searching for synchronization primitives
Launching a process by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Word File with Macro
Document image
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros macros-on-open mshta regsvr32
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
80 / 100
Signature
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Register DLL with spoofed extension
Sigma detected: Regsvr32 Anomaly
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Regsvr32 Execution With Image Extension
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 540382 Sample: deed contract 12.15.2021.doc Startdate: 15/12/2021 Architecture: WINDOWS Score: 80 23 Sigma detected: Register DLL with spoofed extension 2->23 25 Machine Learning detection for sample 2->25 27 Document contains an embedded VBA macro which may execute processes 2->27 29 6 other signatures 2->29 7 explorer.exe 3 2->7         started        9 WINWORD.EXE 38 42 2->9         started        process3 dnsIp4 12 mshta.exe 21 7->12         started        19 192.168.2.1 unknown unknown 9->19 15 explorer.exe 1 9->15         started        process5 dnsIp6 21 maldonadoposts.com 138.124.183.61, 49779, 80 NOKIA-ASFI Norway 12->21 17 regsvr32.exe 12->17         started        process7
Threat name:
Document-Office.Dropper.Powdow
Status:
Malicious
First seen:
2021-12-15 13:30:10 UTC
File Type:
Document
Extracted files:
29
AV detection:
21 of 43 (48.84%)
Threat level:
  3/5
Result
Malware family:
Score:
  10/10
Tags:
family:icedid campaign:1694525507 banker macro trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
IcedID, BokBot
Process spawned unexpected child process
Malware Config
C2 Extraction:
firenicatrible.com
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments