MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f75eb673f63060d1a8726b6d7255555eda5873b8a95c8efcea1bb9eb61972c1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID
Vendor detections: 7
Maldoc score: 10

SHA256 hash: f75eb673f63060d1a8726b6d7255555eda5873b8a95c8efcea1bb9eb61972c1f
SHA3-384 hash: 9753940dcce31e80fee0bfc8bd210bcae61282c3748fe1fd0273737a2ce86815073c0dcff931cf1d66b4ae8d78eecfb8
SHA1 hash: 0c34215a6757d1b4f5d468e67d76d1fde572d362
MD5 hash: e318c284205bd6df674722e362e89f84
humanhash: bulldog-virginia-solar-iowa
File name: document-1801844583.xlsm
Signature: IcedID
File size: 108'063 bytes
First seen: 2021-03-30 17:49:24 UTC
Last seen: 2021-03-30 18:48:36 UTC
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 3072:k2CxNFcWr5qQDzPjEwqtDpko+bJ99K7meX7pD/:kzxjYDj+d9imeX7pD/
TLSH: 57B3D0AD8B02F5BBD294DE3CD04AB4518EB691732F0F751B24AE439B0806DD61D1F62B
Reporter: abuse_ch
Tags: IcedID xlsm


abuse_ch
IcedID C2:
usaaforced.fun

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
usaaforced.fun | https://threatfox.abuse.ch/ioc/6146/

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 10
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA/XLM content from the OLE objects embedded in this file using olevba; the table below lists what olevba reported:

Type | Keyword | Description
Base64 | 3_4M180
Base64 | 7_4N180
Base64 | C_4Q180
Base64 | G_4R180
Base64 | K_4S180
Base64 | O_4T180
Base64 | S_4U180
Base64 | W_4V180
Base64 | __4X180
Base64 | 3_5M181
Base64 | 7_5N181
Base64 | C_5Q181
Base64 | G_5R181
Base64 | K_5S181
Base64 | O_5T181
Base64 | S_5U181
Base64 | W_5V181
Base64 | __5X181
Base64 | 3_6M182
Base64 | 7_6N182
Base64 | C_6Q182
Base64 | G_6R182
Base64 | K_6S182
Base64 | O_6T182
Base64 | S_6U182
Base64 | W_6V182
Base64 | __6X182
Base64 | 3_7M183
Base64 | 7_7N183
Base64 | C_7Q183
Base64 | G_7R183
Base64 | K_7S183
Base64 | O_7T183
Base64 | S_7U183
Base64 | W_7V183
Base64 | __7X183
Base64 | 3_8M184
Base64 | 7_8N184
Base64 | C_8Q184
Base64 | G_8R184
Base64 | K_8S184
Base64 | O_8T184
Base64 | S_8U184
Base64 | W_8V184
Base64 | __8X184
Base64 | 3_9M185
Base64 | 7_9N185
Base64 | C_9Q185
Base64 | G_9R185
Base64 | K_9S185
Base64 | O_9T185
Base64 | S_9U185
Base64 | W_9V185
Base64 | __9X185
Base64 | 3_tM190
Base64 | 7_tN190
Base64 | C_tQ190
Base64 | G_tR190
Base64 | K_tS190
Base64 | O_tT190
Base64 | S_tU190
Base64 | W_tV190
Base64 | __tX190
Base64 | 3_uM191
Base64 | 7_uN191
Base64 | C_uQ191
Base64 | G_uR191
Base64 | K_uS191
Base64 | O_uT191
Base64 | S_uU191
Base64 | W_uV191
Base64 | __uX191
Base64 | 3_vM192
Base64 | 7_vN192
Base64 | C_vQ192
Base64 | G_vR192
Base64 | K_vS192
Base64 | O_vT192
Base64 | S_vU192
Base64 | W_vV192
Base64 | __vX192
Base64 | 3_wM193
Base64 | 7_wN193
Base64 | C_wQ193
Base64 | G_wR193
Base64 | K_wS193
Base64 | O_wT193
Base64 | S_wU193
Base64 | W_wV193
Base64 | __wX193
Base64 | 3_xM194
Base64 | 7_xN194
Base64 | C_xQ194
Base64 | G_xR194
Base64 | K_xS194
Base64 | O_xT194
Base64 | S_xU194
Base64 | W_xV194
Base64 | __xX194
Base64 | 3_yM195
Base64 | 7_yN195
Base64 | C_yQ195
Base64 | G_yR195
Base64 | K_yS195
Base64 | O_yT195
Base64 | S_yU195
Base64 | W_yV195
Base64 | __yX195
Base64 | 3_zM196
Base64 | 7_zN196
Base64 | C_zQ196
Base64 | G_zR196
Base64 | K_zS196
Base64 | O_zT196
Base64 | S_zU196
Base64 | W_zV196
Base64 | __zX196
Base64 | 3m4M200
Base64 | 7m4N200
Base64 | Cm4Q200
Base64 | Gm4R200
Base64 | Km4S200
Base64 | Om4T200
Base64 | Sm4U200
Base64 | Wm4V200
Base64 | _m4X200
Base64 | 3m5M201
Base64 | 7m5N201
Base64 | Cm5Q201
Base64 | Gm5R201
Base64 | Km5S201
Base64 | Om5T201
Base64 | Sm5U201
Base64 | Wm5V201
Base64 | _m5X201
Base64 | 3m6M202
Base64 | 7m6N202
Base64 | Cm6Q202
Base64 | Gm6R202
Base64 | Km6S202
Base64 | Om6T202
Base64 | Sm6U202
Base64 | Wm6V202
Base64 | _m6X202
Base64 | 3m7M203
Base64 | 7m7N203
Base64 | Cm7Q203
Base64 | Gm7R203
Base64 | Km7S203
Base64 | Om7T203
Base64 | Sm7U203
Base64 | Wm7V203
Base64 | _m7X203
Base64 | 3m8M204
Base64 | 7m8N204
Base64 | Cm8Q204
Base64 | Gm8R204
Base64 | Km8S204
Base64 | Om8T204
Base64 | Sm8U204
Base64 | Wm8V204
Base64 | _m8X204
Base64 | 3m9M205
Base64 | 7m9N205
Base64 | Cm9Q205
Base64 | Gm9R205
Base64 | Km9S205
Base64 | Om9T205
Base64 | Sm9U205
Base64 | Wm9V205
Base64 | _m9X205
Base64 | 3mtM210
Base64 | 7mtN210
Base64 | CmtQ210
Base64 | GmtR210
Base64 | KmtS210
Base64 | OmtT210
Base64 | SmtU210
Base64 | WmtV210
Base64 | _mtX210
Base64 | 3muM211
Base64 | 7muN211
Base64 | CmuQ211
Base64 | GmuR211
Base64 | KmuS211
Base64 | OmuT211
Base64 | SmuU211
Base64 | WmuV211
Base64 | _muX211
Base64 | 3mvM212
Base64 | 7mvN212
Base64 | CmvQ212
Base64 | GmvR212
Base64 | KmvS212
Base64 | OmvT212
Base64 | SmvU212
Base64 | WmvV212
Base64 | _mvX212
Base64 | 3mwM213
Base64 | 7mwN213
Base64 | CmwQ213
Base64 | GmwR213
Base64 | KmwS213
Base64 | OmwT213
Base64 | SmwU213
Base64 | WmwV213
Base64 | _mwX213
Base64 | 3mxM214
Base64 | 7mxN214
Base64 | CmxQ214
Base64 | GmxR214
Base64 | KmxS214
Base64 | OmxT214
Base64 | SmxU214
Base64 | WmxV214
Base64 | _mxX214
Base64 | 3myM215
Base64 | 7myN215
Base64 | CmyQ215
Base64 | GmyR215
Base64 | KmyS215
Base64 | OmyT215
Base64 | SmyU215
Base64 | WmyV215
Base64 | _myX215
Base64 | 3mzM216
Base64 | 7mzN216
Base64 | CmzQ216
Base64 | GmzR216
Base64 | KmzS216
Base64 | OmzT216
Base64 | SmzU216
Base64 | WmzV216
Base64 | _mzX216
Base64 | 3n4M240
Base64 | 7n4N240
Base64 | Cn4Q240
Base64 | Gn4R240
Base64 | Kn4S240
Base64 | On4T240
Base64 | Sn4U240
Base64 | Wn4V240
Base64 | _n4X240
Base64 | 3n5M241
Base64 | 7n5N241
Base64 | Cn5Q241
Base64 | Gn5R241
Base64 | Kn5S241
Base64 | On5T241
Base64 | Sn5U241
Base64 | Wn5V241
Base64 | _n5X241
Base64 | 3n6M242
Base64 | 7n6N242
Base64 | Cn6Q242
Base64 | Gn6R242
Base64 | Kn6S242
Base64 | On6T242
Base64 | Sn6U242
Base64 | Wn6V242
Base64 | _n6X242
Base64 | 3n7M243
Base64 | 7n7N243
Base64 | Cn7Q243
Base64 | Gn7R243
Base64 | Kn7S243
Base64 | On7T243
Base64 | Sn7U243
Base64 | Wn7V243
Base64 | _n7X243
Base64 | 3n8M244
Base64 | 7n8N244
Base64 | Cn8Q244
Base64 | Gn8R244
Base64 | Kn8S244
Base64 | On8T244
Base64 | Sn8U244
Base64 | Wn8V244
Base64 | _n8X244
Base64 | 3n9M245
Base64 | 7n9N245
Base64 | Cn9Q245
Base64 | Gn9R245
Base64 | Kn9S245
Base64 | On9T245
Base64 | Sn9U245
Base64 | Wn9V245
Base64 | _n9X245
Base64 | 3ntM250
Base64 | 7ntN250
Base64 | CntQ250
Base64 | GntR250
Base64 | KntS250
Base64 | OntT250
Base64 | SntU250
Base64 | WntV250
Base64 | _ntX250
Base64 | 3nuM251
Base64 | 7nuN251
Base64 | CnuQ251
Base64 | GnuR251
Base64 | KnuS251
Base64 | OnuT251
Base64 | SnuU251
Base64 | WnuV251
Base64 | _nuX251
Base64 | 3nvM252
Base64 | 7nvN252
Base64 | CnvQ252
Base64 | GnvR252
Base64 | KnvS252
Base64 | OnvT252
Base64 | SnvU252
Base64 | WnvV252
Base64 | _nvX252
Base64 | 3nwM253
Base64 | 7nwN253
Base64 | CnwQ253
Base64 | GnwR253
Base64 | KnwS253
Base64 | OnwT253
Base64 | SnwU253
Base64 | WnwV253
Base64 | _nwX253
Base64 | 3nxM254
Base64 | 7nxN254
Base64 | CnxQ254
Base64 | GnxR254
Base64 | KnxS254
Base64 | OnxT254
Base64 | SnxU254
Base64 | WnxV254
Base64 | _nxX254
Base64 | 3nyM255
Base64 | 7nyN255
Base64 | CnyQ255
Base64 | GnyR255
Base64 | KnyS255
Base64 | OnyT255
Base64 | SnyU255
Base64 | WnyV255
Base64 | _nyX255
Base64 | 3nzM256
Base64 | 7nzN256
Base64 | CnzQ256
Base64 | GnzR256
Base64 | KnzS256
Base64 | OnzT256
Base64 | SnzU256
Base64 | WnzV256
Base64 | _nzX256
Base64 | 3o4M280
Base64 | 7o4N280
Base64 | Co4Q280
Base64 | Go4R280
Base64 | Ko4S280
Base64 | Oo4T280
Base64 | So4U280
Base64 | Wo4V280
Base64 | _o4X280
Base64 | 3o5M281
Base64 | 7o5N281
Base64 | Co5Q281
Base64 | Go5R281
Base64 | Ko5S281
Base64 | Oo5T281
Base64 | So5U281
Base64 | Wo5V281
Base64 | _o5X281
Base64 | 3o6M282
Base64 | 7o6N282
Base64 | Co6Q282
Base64 | Go6R282
Base64 | Ko6S282
Base64 | Oo6T282
Base64 | So6U282
Base64 | Wo6V282
Base64 | _o6X282
Base64 | 3o7M283
Base64 | 7o7N283
Base64 | Co7Q283
Base64 | Go7R283
Base64 | Ko7S283
Base64 | Oo7T283
Base64 | So7U283
Base64 | Wo7V283
Base64 | _o7X283
Suspicious | XLM macrosheet | XLM macrosheet found. It could contain malicious code
Suspicious | FORMULA.FILL | May modify Excel 4 Macro formulas at runtime
Suspicious | EXEC | May run an executable file or a system command
Suspicious | Hex Strings | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious | Base64 Strings | Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
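The olevba flags above (XLM macrosheet, EXEC, FORMULA.FILL, hex and base64 strings) and the sandbox finding further down that the macro sheet autostarts on open all come from static properties of the OOXML package. As an added example, not code from MalwareBazaar, olevba or any sandbox vendor, the script below performs those checks with the standard library only: it lists xl/macrosheets/ parts, looks for a (possibly hidden) Auto_Open defined name in xl/workbook.xml, flags suspicious XLM calls in macro-sheet formulas, and extracts hex- and base64-looking strings roughly the way olevba's --decode option would. The regexes are simplified stand-ins for olevba's, the thresholds in verdict() are assumptions, and build_demo_workbook constructs a small workbook in memory for the demo; the IcedID document from this entry is not embedded.

```python
"""Static XLM (Excel 4.0 macro) triage for an OOXML workbook, standard library only.

Added example, not code from MalwareBazaar, olevba or any sandbox vendor.
The demo workbook built below is constructed for this example; it is not
the IcedID sample described on this page.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# XLM functions worth flagging; EXEC and FORMULA.FILL are the ones olevba reported here.
SUSPICIOUS_XLM = ("EXEC", "FORMULA.FILL", "FORMULA", "CALL", "REGISTER", "RUN", "ALERT")
# Defined names Excel runs without user interaction when the workbook opens/closes.
AUTOSTART_NAMES = ("auto_open", "auto_close", "auto_activate", "auto_deactivate")

# Simplified stand-ins (assumption) for the patterns behind olevba's
# "Hex Strings" / "Base64 Strings" flags.
RE_HEX = re.compile(r"(?:[0-9A-Fa-f]{2}){8,}")
RE_B64 = re.compile(r"(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")


def _dedupe(items):
    return list(dict.fromkeys(items))


def triage_xlsm(data: bytes) -> dict:
    """Inspect one workbook (bytes of the .xlsm/.xlsx zip) and return findings."""
    funcs, hexes, b64s, autostart = set(), [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Excel 4.0 macro sheets live under xl/macrosheets/ in the OOXML package.
        macrosheets = sorted(n for n in names if n.startswith("xl/macrosheets/"))

        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for dn in wb.iter(f"{{{NS_MAIN}}}definedName"):
                name = dn.get("name") or ""
                # Excel matches the name case-insensitively; malicious docs usually hide it.
                if name.lower() in AUTOSTART_NAMES:
                    autostart.append(name + (" (hidden)" if dn.get("hidden") == "1" else ""))

        for sheet in macrosheets:
            root = ET.fromstring(zf.read(sheet))
            # <f> holds a cell's formula, <v> its cached value or inline string.
            texts = [e.text or "" for tag in ("f", "v") for e in root.iter(f"{{{NS_MAIN}}}{tag}")]
            for text in texts:
                upper = text.upper()
                for fn in SUSPICIOUS_XLM:
                    if re.search(r"\b" + re.escape(fn) + r"\(", upper):
                        funcs.add(fn)
                hexes += RE_HEX.findall(text)
                # A long hex blob also satisfies the base64 pattern; report it once, as hex.
                b64s += [s for s in RE_B64.findall(text) if not RE_HEX.fullmatch(s)]

    return {
        "macrosheets": macrosheets,
        "autostart_names": autostart,
        "suspicious_functions": sorted(funcs),
        "hex_strings": _dedupe(hexes),
        "base64_strings": _dedupe(b64s),
    }


def verdict(findings: dict) -> str:
    """Roll the findings up into a verdict (thresholds are this example's assumption)."""
    if findings["macrosheets"] and (findings["autostart_names"] or findings["suspicious_functions"]):
        return "malicious"
    if findings["macrosheets"]:
        return "suspicious"
    return "no XLM macro sheet"


def build_demo_workbook() -> bytes:
    """Construct a minimal stand-in .xlsm: hidden Auto_Open name plus one macro sheet."""
    workbook_xml = (
        f'<workbook xmlns="{NS_MAIN}" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Macro1" sheetId="1" r:id="rId1"/></sheets>'
        '<definedNames><definedName name="Auto_Open" hidden="1">Macro1!$A$1</definedName></definedNames>'
        "</workbook>"
    )
    macrosheet_xml = (
        f'<xm:macrosheet xmlns="{NS_MAIN}" '
        'xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"><sheetData>'
        '<row r="1">'
        '<c r="A1"><f>FORMULA.FILL("=EXEC(""calc.exe"")",A3)</f></c>'
        '<c r="B1" t="str"><v>aGVsbG8gd29ybGQhISE=</v></c>'  # base64("hello world!!!")
        '<c r="C1" t="str"><v>4d5a90000300000004000000ffff0000</v></c>'  # first 16 bytes of a PE DOS header
        "</row>"
        '<row r="2"><c r="A2"><f>HALT()</f></c></row>'
        "</sheetData></xm:macrosheet>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/macrosheets/sheet1.xml", macrosheet_xml)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_xlsm(build_demo_workbook())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(result))
```

To run it on a real file, pass `open(path, "rb").read()` to triage_xlsm instead of the demo bytes. Cells of type t="s" reference xl/sharedStrings.xml, which this example does not resolve; olevba does, so it will see strings this script misses.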

Intelligence

File Origin
# of uploads: 2
# of downloads: 121
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: document-1801844583.xlsm
Verdict: No threats detected
Analysis date: 2021-03-31 00:20:06 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
File type: application/vnd.ms-excel.sheet.macroEnabled.12
Has a screenshot: False
Contains macros: True

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
DNS request
Creating a process with a hidden window
Sending a custom TCP request by exploiting the app vulnerability
Launching a process by exploiting the app vulnerability

Result
Verdict: Malicious
File Type: OOXML Excel File with Excel4Macro
Document image

Result
Verdict: MALICIOUS
Details:
Autostarting Excel Macro Sheet
Excel contains Macrosheet logic that will trigger automatically upon document open.

Result
Malware family:
Score: 10/10
Tags: family:icedid banker loader macro trojan xlm
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Loads dropped DLL
Blocklisted process makes network request
IcedID First Stage Loader
IcedID, BokBot
Process spawned unexpected child process
Malware Config
C2 Extraction:
usaaforced.fun
Dropper Extraction:
https://metaflip.io/ds/3003.gif
https://partsapp.com.br/ds/3003.gif
https://columbia.aula-web.net/ds/3003.gif
https://tajushariya.com/ds/3003.gif
https://agenbolatermurah.com/ds/3003.gif
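The C2 domain and dropper URLs in the Malware Config are the indicators a responder would sweep logs for. As an added example that is not ThreatFox's or MalwareBazaar's code, the script below matches them against constructed DNS and proxy log lines. It matches the C2 domain on whole labels (so a lookalike such as notusaaforced.fun is not a hit), normalises case and the trailing dot DNS loggers add, and, because all five dropper URLs share the path /ds/3003.gif, also keeps the path as a weaker indicator so a sixth compromised host serving the same stage is still flagged. The log lines, their format and the timestamps are made up for the demo.

```python
"""Match this entry's network IOCs against constructed DNS and proxy log lines.

Added example, not ThreatFox's or MalwareBazaar's code. The indicators are the
C2 domain and dropper URLs from the Malware Config above; the log lines and
their format are constructed for the demo.
"""
from urllib.parse import urlsplit

C2_DOMAINS = {"usaaforced.fun"}
DROPPER_URLS = {
    "https://metaflip.io/ds/3003.gif",
    "https://partsapp.com.br/ds/3003.gif",
    "https://columbia.aula-web.net/ds/3003.gif",
    "https://tajushariya.com/ds/3003.gif",
    "https://agenbolatermurah.com/ds/3003.gif",
}
# All five dropper URLs share one path, so the path alone is kept as a weaker
# indicator: a sixth compromised host serving the same stage still trips it.
DROPPER_HOSTS = {urlsplit(u).hostname for u in DROPPER_URLS}
DROPPER_PATHS = {urlsplit(u).path for u in DROPPER_URLS}

# Constructed log lines (not from any real incident).
# DNS line: "<ts> <client> query <name>"; proxy line: "<ts> <client> <method> <url> <status>".
DNS_LOG = [
    "2021-03-30T18:02:11Z 10.0.0.12 query usaaforced.fun.",
    "2021-03-30T18:02:12Z 10.0.0.12 query cdn.USAAFORCED.FUN",
    "2021-03-30T18:02:13Z 10.0.0.13 query notusaaforced.fun",
    "2021-03-30T18:02:14Z 10.0.0.14 query example.com",
]
PROXY_LOG = [
    "2021-03-30T18:01:50Z 10.0.0.12 GET https://metaflip.io/ds/3003.gif 200",
    "2021-03-30T18:01:51Z 10.0.0.15 GET https://other-host.example/ds/3003.gif 200",
    "2021-03-30T18:01:52Z 10.0.0.16 GET https://example.com/ds/other.gif 404",
]


def normalize_host(host: str) -> str:
    """Lower-case the name and drop the trailing dot DNS logs often carry."""
    return host.rstrip(".").lower()


def domain_matches(query: str, indicator: str) -> bool:
    """Exact or subdomain match on whole labels, so notusaaforced.fun does not match."""
    q = normalize_host(query)
    return q == indicator or q.endswith("." + indicator)


def match_dns(line: str):
    """Return (kind, indicator) for a DNS log line, or None."""
    name = line.split()[-1]
    for ind in C2_DOMAINS:
        if domain_matches(name, ind):
            return ("c2_domain", ind)
    return None


def match_proxy(line: str):
    """Return (kind, indicator) for a proxy log line, or None. Strongest match wins."""
    url = line.split()[3]
    parts = urlsplit(url)
    host = normalize_host(parts.hostname or "")
    if host in DROPPER_HOSTS and parts.path in DROPPER_PATHS:
        return ("dropper_url", url)
    for ind in C2_DOMAINS:
        if domain_matches(host, ind):
            return ("c2_domain", ind)
    if parts.path in DROPPER_PATHS:
        return ("dropper_path", url)  # known stage path on an unknown host
    return None


def scan(dns_lines, proxy_lines):
    """Return one (source, kind, indicator, line) tuple per matching log line."""
    hits = []
    for line in dns_lines:
        m = match_dns(line)
        if m:
            hits.append(("dns", *m, line))
    for line in proxy_lines:
        m = match_proxy(line)
        if m:
            hits.append(("proxy", *m, line))
    return hits


if __name__ == "__main__":
    for hit in scan(DNS_LOG, PROXY_LOG):
        print(hit)
```

A dropper_path hit on an unknown host is a lead, not a confirmed IOC; the URL should be checked before it is added to a blocklist, since the same path could exist on an unrelated site.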
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: buerloader_halo_generated
Author: Halogen Generated Rule, Corsin Camichel

Rule name: dridex_halo_generated
Author: Halogen Generated Rule, Corsin Camichel

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Microsoft_XLSX_with_Macrosheet

Rule name: quakbot_halo_generated
Author: Halogen Generated Rule, Corsin Camichel

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: silentbuilder_halo_generated
Author: Halogen Generated Rule, Corsin Camichel

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria
