MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb188c80159174b092bc8ca3b0721b3550ad5943a999f79fd904e2dac19d9c07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb188c80159174b092bc8ca3b0721b3550ad5943a999f79fd904e2dac19d9c07
SHA3-384 hash: 88cf7bb8e4b0493d2f5e5ac4b170eb898dfc106ad75da62e0e38f4c99f6e607dfb84fa86d76685726f8ec7f6b686e097
SHA1 hash: f9e9d40080329f86cba154dac3b3f7c135a9714d
MD5 hash: 1e7f6aae82bb4d32a5d9edfc23647c89
humanhash: pip-victor-salami-carpet
File name:file
Download: download sample
Signature IcedID
Create hunting rule
File size:655'360 bytes
First seen:2022-10-18 18:18:07 UTC
Last seen:2022-10-19 05:27:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e17bc2d997ad36106602257d0ad55795 (3 x IcedID)
ssdeep 12288:I5CfGwrAL0gfc2ifWWERzk3+BxMngu1/mbN37i:5fGwrAL0Uc2IWWERzk3+BxMng+0Zi
Threatray 955 similar samples on MalwareBazaar
TLSH T177D42A1BF7B388BCC52BC1798793D371A931B8294235B92E1A54D7322E10D609F6FB64
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.5% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:exe IcedID


Avatar
andretavare5
Sample downloaded from http://67.43.234.64/load/wmic.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
alconauytor.com https://threatfox.abuse.ch/ioc/891945/

Intelligence

File Origin
# of uploads :
16
# of downloads :
325
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321473/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.1430.9748.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the system32 subdirectories
Creating a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43689/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/634eee16b5f60e72b8c757a0/reports/548b8ba3-ccef-43e8-b3ae-dd4e16a48580/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/70ad319a-0f07-409f-93ce-5e08950f46eb
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1092967
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb188c80159174b092bc8ca3b0721b3550ad5943a999f79fd904e2dac19d9c07/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 18:38:40 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7mmizaavsf2lbev4rsr3a4q3gvik2wkdvgm7ph6zatrnvqm5tqdq._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
1b7a277e3aa02c66b4a1da64cc2be281102decb97ff841d62c02e9fc1ade361f
IcedID
2a7964c5d7268f4b320e91ad133654d75edca3c15f9e5c76dee7bf68634b933f
IcedID
3b04e7f31c8ec3bd466ce5910277f241a6b3e7bf9d70a5fd41d7922601cc06ba
IcedID
3e647b84b510487b420bc6eac4cdd8dd246ead5632086b00ff3ccbbaff5efdd9
IcedID
690ff4ee36a9ee03248ce8e45a605e718eb48778ffbce1b48f9a5522175ba611
IcedID
c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5
IcedID
c81fe7326d72e662a185c7bccb19bd31481ffdf53ef0fb1019027d9d16e5a9d9
IcedID
d3f27f0ba1900e461e292bf8f62028b60cac902ef71cbe455115d008c0ed27c6
IcedID
f3f7756ced61f3872f07dd25b68f1824d8797730757a9a80bdbbe6522725a2de
IcedID
f8d69d5df025089474bfef71b5fb42c0e11bfcbb1d2dd915c474b11b74c0504b
IcedID
+ 945 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid campaign:3663790369 banker loader trojan
Link:
https://tria.ge/reports/221018-wx6gwsgfc8/
Behaviour
Suspicious behavior: EnumeratesProcesses
IcedID, BokBot
Malware Config
C2 Extraction:
alconauytor.com
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f74ea906-c7b8-4367-b5a9-536d6e097c86
Unpacked files
SH256 hash:
fb188c80159174b092bc8ca3b0721b3550ad5943a999f79fd904e2dac19d9c07
MD5 hash:
1e7f6aae82bb4d32a5d9edfc23647c89
SHA1 hash:
f9e9d40080329f86cba154dac3b3f7c135a9714d
Link:
https://www.unpac.me/results/39054b92-7f0a-441f-abed-cfce8c5fb7bd/
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fb188c801591/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
IcedID
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/fb188c80159174b092bc8ca3b0721b3550ad5943a999f79fd904e2dac19d9c07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_icedid_stage1
Create hunting rule
Author:Rony (@r0ny_123)
Description:Detects IcedID photoloader
Reference:https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html
Rule name:IcedIDLoader
Create hunting rule
Author:kevoreilly, threathive, enzo
Description:IcedID Loader
Rule name:IcedID_init_loader
Create hunting rule
Author:@bartblaze
Description:Identifies IcedID (stage 1 and 2, initial loaders).
Rule name:MALWARE_Win_IceID
Create hunting rule
Author:ditekSHen
Description:Detects IceID / Bokbot variants
Rule name:win_photoloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.photoloader.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/321473/
  
URLhaus
https://urlhaus.abuse.ch/url/2377119/

Comments