MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032
SHA3-384 hash: 480fa24298eb507826d51d11fee58029c2a7bd2efe062feb83bc1bcde5036563c26dddaf6a8609f135453f45923fde0b
SHA1 hash: 997bf9e5632f17bfad671b5252016effecc27533
MD5 hash: 9044436ca8ddc3ed05c5a1ab87cbdb43
humanhash: may-crazy-queen-happy
File name:Docs_03_21_INV#15.exe
Download: download sample
Signature IcedID
Create hunting rule
File size:486'944 bytes
First seen:2023-03-21 19:48:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c90c1d9ea33b38d68a9f1fc5584c8fe9 (2 x IcedID)
ssdeep 6144:iF8fQgr9ElYIn8MQpcYMZOFSlAcUwcNQNBZId6Ti6N05/bClsINtFBkoNM:iEhwYI8M6xl5cTc+dId+A/b8sINtFs
Threatray 10 similar samples on MalwareBazaar
TLSH T1C6A4E047D6920FFBD562D47FD4815417DB22BC43BF128BAA264CC1523EA39904FA6B2C
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter k3dg3___
Tags:3581911946 exe IcedID signed

Code Signing Certificate

Organisation:1105 SOFTWARE LLC
Issuer:SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-17T13:56:48Z
Valid to:2024-03-16T13:56:48Z
Serial number: 5c9f5f96726a6e6fc3b8bb153ac82af2
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 285925b7c7c692f8d71d980dcf2ddb4c208a0f7b826ead34db402755d1a0f6de
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
k3dg3
PDF attachments

Intelligence

File Origin
# of uploads :
1
# of downloads :
326
Origin country :
US US
Vendor Threat Intelligence
Malware family:
icedid
Create hunting rule
ID:
1
File name:
Docs_03_21_INV#15.exe
Verdict:
Malicious activity
Analysis date:
2023-03-21 19:51:15 UTC
Tags:
icedid
Link:
https://app.any.run/tasks/a633e30b-c8b0-4649-a868-e93e732d2103

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376265/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/641a0a2f00d9b27ec1312547/reports/4ab4b18f-6d88-4ecb-bde9-fce08c3469e8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GzipLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/434265ff-b0cc-41f5-97d2-7a88c6a6683d
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1198862
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2023-03-21 19:50:24 UTC
File Type:
PE+ (Exe)
Extracted files:
28
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=72iizpf332qr2bka4a4kepy2g55lbbq22x3nae7neln7ak4ugaza._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
1d5cfd8ac58bd64648110862f39ccc421ad58920e99ed948de2dd832e6ecd0a4
IcedID
43ba07032ca007ed25935ef123c2d408b2f4fd1f0e428b5d03b58b476da336da
IcedID
534698f7d1d4f0fae6e100b64f27c48fd167bd238cc9279ad2e4bd4f5411cc9d
IcedID
a015f40cfa1ca770c0c7fa901974ad6178f2b913659aea1486fcc307fd735e8e
IcedID
cab63e05a4a6f0b825acb077ba6a1bbb3657488c584882124a31c45dfb39515d
IcedID
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid campaign:3581911946 banker loader trojan
Link:
https://tria.ge/reports/230321-yjnq2acg89/
Behaviour
Suspicious behavior: EnumeratesProcesses
IcedID, BokBot
Malware Config
C2 Extraction:
smockalifatori.com
Unpacked files
SH256 hash:
fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032
MD5 hash:
9044436ca8ddc3ed05c5a1ab87cbdb43
SHA1 hash:
997bf9e5632f17bfad671b5252016effecc27533
Link:
https://www.unpac.me/results/04a057d7-ccd1-48e6-9965-6b7ef059f747/
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fe908cbcbbde/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
IcedID
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_icedid_stage1
Create hunting rule
Author:Rony (@r0ny_123)
Description:Detects IcedID photoloader
Reference:https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html
Rule name:IcedIDLoader
Create hunting rule
Author:kevoreilly, threathive, enzo, r0ny123
Description:IcedID Loader
Rule name:IcedID_init_loader
Create hunting rule
Author:@bartblaze
Description:Identifies IcedID (stage 1 and 2, initial loaders).
Rule name:MALWARE_Win_IceID
Create hunting rule
Author:ditekSHen
Description:Detects IceID / Bokbot variants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Windows_Trojan_IcedID_0b62e783
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_IcedID_91562d18
Create hunting rule
Author:Elastic Security
Rule name:win_photoloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.photoloader.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

6ef02fd4757ece0d900652a80d9a21f8fdf96db288d5c7bfc985ea9ffca71c40

IcedID

Executable exe fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032

(this sample)

  
Dropped by
SHA256 6ef02fd4757ece0d900652a80d9a21f8fdf96db288d5c7bfc985ea9ffca71c40
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/376265/

Comments