MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa914c9914a9a663613c62467009adb9a283275863e0fd4a39b5e5e4f3a0f376. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID


Vendor detections: 6



SHA256 hash: fa914c9914a9a663613c62467009adb9a283275863e0fd4a39b5e5e4f3a0f376
SHA3-384 hash: db6d08bb9b6d578d1ddf4f83bcc618d7c9bf433070740e3075a75063a3786dd53d417d268e725792e9988397f11140c9
SHA1 hash: c3b771ed998a4363e9eb00996c651bc560138503
MD5 hash: 6ee6fcde80cbf4967885454cfcdf22a5
humanhash: single-berlin-jig-hawaii
File name: pasteBorder.dll
Signature: IcedID
File size: 345'688 bytes
First seen: 2021-05-04 13:51:27 UTC
Last seen: 2021-05-04 14:57:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 87bed5a7cba00c7e1f4015f1bdae2183 (3'034 x Jadtre, 23 x IcedID, 17 x Blackmoon)
ssdeep: 6144:oHObBm3F9Y4IiLlKKJApI8A5UWNuKKHDTgul3ta+DaON2:ok4IElKKJApI8A5UWNuKKHDTDl3Q+uO8
TLSH: 07749367829AD2BDF14768B1A03DAF4EC2546E902962CCC7B4D694126F239F523133DF
Reporter: Scoobs_McGee
Tags: dll IcedID

Intelligence


File Origin
# of uploads: 2
# of downloads: 159
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found malware configuration
Initial sample is a PE file and has a suspicious name
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
[Behavior graph: ID 403993, sample pasteBorder.dll, start date 04/05/2021, architecture WINDOWS, score 80; graph image not reproduced]
Threat name: Win64.Trojan.Wacatac
Status: Malicious
First seen: 2021-05-04 13:52:13 UTC
AV detection: 14 of 29 (48.28%)
Threat level: 5/5
Verdict: unknown
Result
Malware family:
Score: 10/10
Tags: family:icedid banker trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
IcedID, BokBot
Malware Config
C2 Extraction: barcafokliresd.top
Unpacked files
SHA256 hash: fa914c9914a9a663613c62467009adb9a283275863e0fd4a39b5e5e4f3a0f376
MD5 hash: 6ee6fcde80cbf4967885454cfcdf22a5
SHA1 hash: c3b771ed998a4363e9eb00996c651bc560138503
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

IcedID

Executable exe fa914c9914a9a663613c62467009adb9a283275863e0fd4a39b5e5e4f3a0f376

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-04 14:01:48 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
1) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence