icedid | e7636efbaf3e170af8f7cbc36f4c030f3df0bc89547186ddfe03e66a5c8c0b92

Resubmissions

28-06-2024 11:41

240628-ntldjszgmq 10

28-06-2024 06:30

240628-g9vtlayblr 10

Analysis

max time kernel
137s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

191f0a5dd7622595d3d38decf8061c05_JaffaCakes118.dll
Size

3.0MB
MD5

191f0a5dd7622595d3d38decf8061c05
SHA1

bded0a27fd4b759642720f8fbd4470a168f75576
SHA256

e7636efbaf3e170af8f7cbc36f4c030f3df0bc89547186ddfe03e66a5c8c0b92
SHA512

a1d2f5b4055c705f4e6f0394ff8b10127c8802d96e87722a34a6eaa0968d34853a9279de497d837c8b45c439e763bb2a65f4207c7e9db1a1165cbc99c96fa952
SSDEEP

49152:EBKs6yFyQqn4ZvgZ3aj+wvLoK/DVcONC/LzUX0QrxwyrIrP1VRmmnsQYp:EB36Sy94y3ajroKbCDoWPRT

Score

10^/10

icedid 3744237144 banker loader trojan vmprotect

Malware Config

Extracted

Family

icedid

Campaign

3744237144

hommyfloppy.best

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
IcedID First Stage Loader 1 IoCs
loader

Processes:

resource yara_rule

behavioral2/memory/4768-0-0x00007FFA06060000-0x00007FFA064C9000-memory.dmp IcedidFirstLoader
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

behavioral2/memory/4768-0-0x00007FFA06060000-0x00007FFA064C9000-memory.dmp vmprotect
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

4768 regsvr32.exe
4768 regsvr32.exe

resource	yara_rule
behavioral2/memory/4768-0-0x00007FFA06060000-0x00007FFA064C9000-memory.dmp	IcedidFirstLoader

resource	yara_rule
behavioral2/memory/4768-0-0x00007FFA06060000-0x00007FFA064C9000-memory.dmp	vmprotect

pid	process
4768	regsvr32.exe
4768	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\191f0a5dd7622595d3d38decf8061c05_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3736 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4768-0-0x00007FFA06060000-0x00007FFA064C9000-memory.dmp

Filesize
4.4MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads