MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678
SHA3-384 hash: 6d0afaadd3a0af8a200194f19933ccc796af57eb5e1205d214510cf318de1f1eab8fe376d23ed3cfa6256905df9c5d9b
SHA1 hash: da2ab9ffa5011065e3caf4a6ee539790e514ab2f
MD5 hash: 123e08900a96c6f2f8edf6f7c8658436
humanhash: lithium-robin-idaho-coffee
File name:current_yet.msi
Download: download sample
Signature IcedID
Create hunting rule
File size:737'280 bytes
First seen:2022-12-05 20:52:41 UTC
Last seen:2022-12-12 16:02:01 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:mwHL0D7BkCPumy9chfA+tk8B0igC+/NHBQ1SdwS:PHL0R/zyt++8BtZKBmS+
Threatray 1'025 similar samples on MalwareBazaar
TLSH T11CF4CF0677E808B9EC779239C9634609E7B37C110B60DA1F1364726AAF7B760A53DB31
TrID 53.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
39.2% (.MSP) Windows Installer Patch (44509/10/5)
7.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter pr0xylife
Tags:787509923 IcedID msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
169
Origin country :
RU RU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/343081/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint rundll32.exe shell32.dll stealer
Link:
https://www.filescan.io/uploads/638e5a310a5c344f30c1488f/reports/3b9f30d9-1afb-4e68-bfe2-9700fab7c157/overview
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1128438
Signature
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 761162 Sample: current_yet.msi Startdate: 05/12/2022 Architecture: WINDOWS Score: 88 43 Malicious sample detected (through community Yara rule) 2->43 45 Yara detected IcedID 2->45 47 .NET source code references suspicious native API functions 2->47 49 C2 URLs / IPs found in malware configuration 2->49 8 msiexec.exe 74 28 2->8         started        11 msiexec.exe 3 2->11         started        process3 file4 23 C:\Windows\Installer\MSID5EF.tmp, PE32+ 8->23 dropped 13 msiexec.exe 8->13         started        process5 process6 15 rundll32.exe 10 13->15         started        file7 25 C:\Windows\Installer\...\test.cs.dll, PE32 15->25 dropped 27 C:\Windows\Installer\...\WixSharp.dll, PE32 15->27 dropped 29 Microsoft.Deployme...indowsInstaller.dll, PE32 15->29 dropped 31 C:\Users\user\AppData\Local\...\tmpE8E8.dll, PE32+ 15->31 dropped 37 System process connects to network (likely due to code injection or exploit) 15->37 39 Contains functionality to detect hardware virtualization (CPUID execution measurement) 15->39 41 Tries to detect virtualization through RDTSC time measurements 15->41 19 rundll32.exe 15->19         started        signatures8 process9 dnsIp10 33 kamintrewftor.com 165.227.104.80, 49717, 49718, 49719 DIGITALOCEAN-ASNUS United States 19->33 35 192.168.2.1 unknown unknown 19->35 51 System process connects to network (likely due to code injection or exploit) 19->51 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6z35f775rphg6gfcrmkwze36dyukqo5sukpci4hhnwjrjqqwqz4a._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
08d30d6646117cd96320447042fb3857b4f82d80a92f31ee91b16044b87929c0
IcedID
1234d3750769ce978742d88d0818b9b54be4cbb0dcbe4c63a407ddfb67b18028
IcedID
20a605a18b48b55adb6ae9c0024013be69ec884e7407ca50b39177035dc7b948
IcedID
30cbad20846a91025a064deba274103e7daf3cbd2e14e3dc4d72811be50d65c2
IcedID
4a5f37ff394af7a750b1933c3e77b927043e933bfa715c917c824fbc645c940c
IcedID
4e0f7777fd3ba58bb20f7ceaebaff50b6dcc3191cf27519d83b5ad3db30b8f5e
IcedID
a1b75a8b3848111c53d0287765fb5b8f6f2030a63a13cedcfb574a3f43bd836f
IcedID
c705008b6656feabe462ebb2363d6a259581cea574872cb1c6c440dbd23ad4fa
IcedID
c999ea822a03c90b70c8f7d4fa58711725bd69f2b0252238404b6f11bda1bd21
IcedID
de81ef356acc2e199252f8fe2a894c36c6e327d5efd3abaaa7df477f3942e33b
IcedID
+ 1'015 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/221205-zpaa9saa6s/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Drops file in Windows directory
Enumerates connected drives
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f677d2fffd8b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
IcedID
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/343081/

Comments