Windows Analysis Report
unpacked_svchost.exe

Overview

General Information

Sample name: unpacked_svchost.exe
Analysis ID: 1417150
MD5: 22631afc7d9706f566995833748de97f
SHA1: f371c5f78437db887f1717b0eaf594295b0f4969
SHA256: 79449670340d763f164bbda0a32e38f3d06a2a3b6cee41d92c47f448710e015a
Tags: exe, IcedID

Detection

IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected IcedID
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files

Classification

Name: IcedID
Description: According to Proofpoint, IcedID (aka BokBot) is a malware originally classified as a banking malware and was first observed in 2017. It also acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot. IcedID is developed and operated by the actor named LUNAR SPIDER. As previously published, historically there has been just one version of IcedID that has remained constant since 2017.
  * In November 2022, Proofpoint researchers observed the first new variant of IcedID, which Proofpoint dubbed 'IcedID Lite', distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break.
  * The IcedID Lite Loader observed in November 2022 contains a static URL to download a 'Bot Pack' file with a static name (botpack.dat), which results in the IcedID Lite DLL Loader and then delivers the Forked version of the IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.
  * Starting in February 2023, Proofpoint observed the new Forked variant of IcedID. This variant was distributed by TA581 and one unattributed threat activity cluster, which acted as initial access facilitators. The campaigns used a variety of email attachments, such as Microsoft OneNote attachments and the somewhat rarely seen .URL attachments, which led to the Forked variant of IcedID.
Attribution:
  • GOLD CABIN
  • Lunar Spider
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid

AV Detection

Source: unpacked_svchost.exe Avira: detected
Source: https://ilu21plane.xyz/ Avira URL Cloud: Label: malware
Source: https://nizaoplov.xyz/A_ Avira URL Cloud: Label: malware
Source: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 Avira URL Cloud: Label: malware
Source: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000V)T Avira URL Cloud: Label: malware
Source: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000000004 Avira URL Cloud: Label: malware
Source: https://153ishak.best/A_ Avira URL Cloud: Label: malware
Source: https://nizaoplov.xyz/ Avira URL Cloud: Label: malware
Source: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000004 Avira URL Cloud: Label: malware
Source: https://boldidiotruss.xyz/- Avira URL Cloud: Label: malware
Source: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 Avira URL Cloud: Label: malware
Source: https://boldidiotruss.xyz/ Avira URL Cloud: Label: malware
Source: https://boldidiotruss.xyz/1 Avira URL Cloud: Label: malware
Source: ilu21plane.xyz Virustotal: Detection: 7%
Source: nizaoplov.xyz Virustotal: Detection: 10%
Source: https://ilu21plane.xyz/ Virustotal: Detection: 7%
Source: boldidiotruss.xyz Virustotal: Detection: 13%
Source: 153ishak.best Virustotal: Detection: 6%
Source: https://boldidiotruss.xyz/ Virustotal: Detection: 13%
Source: https://nizaoplov.xyz/ Virustotal: Detection: 10%
Source: unpacked_svchost.exe ReversingLabs: Detection: 71%
Source: unpacked_svchost.exe Virustotal: Detection: 76%
Source: Yara match File source: unpacked_svchost.exe, type: SAMPLE
Source: unpacked_svchost.exe Joe Sandbox ML: detected
Source: unpacked_svchost.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: DNS query: boldidiotruss.xyz (7 queries)
Source: DNS query: nizaoplov.xyz (6 queries)
Source: DNS query: ilu21plane.xyz (6 queries)
Source: unknown DNS traffic detected: query: nizaoplov.xyz reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: 153ishak.best reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: boldidiotruss.xyz reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: ilu21plane.xyz reply code: Name error (3, NXDOMAIN)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (25 occurrences)
Source: unknown DNS traffic detected: queries for: boldidiotruss.xyz
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://153ishak.best/A_
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://boldidiotruss.xyz/
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://boldidiotruss.xyz/-
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://boldidiotruss.xyz/1
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp, unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001339000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000004
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ilu21plane.xyz/
Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nizaoplov.xyz/
Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nizaoplov.xyz/A_
Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000
Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000000004
Source: unpacked_svchost.exe, 00000000.00000003.2974577476.000000000133B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000V)T
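The four domains and the /photo.png?id=<hex> request shape above are the only network indicators this sample yields, since every resolution returned NXDOMAIN. The following matcher turns them into detection logic that can be run over proxy logs. It is an added example, not part of the report and not vendor tooling: the log line format, the sample log lines and the 32-hex-digit minimum for the id parameter are constructed assumptions (the id observed in memory is 38 hex digits, sometimes followed by dump artefacts such as "V)T").

```c
/*
 * Proxy-log matcher for the network indicators in this report (added example,
 * not part of the report or of any vendor tooling).
 * Build: gcc -Wall -o icedid_iocs icedid_iocs.c && ./icedid_iocs
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Domains taken from the DNS queries and memory strings in the report. */
static const char *const kObservedDomains[] = {
    "boldidiotruss.xyz", "nizaoplov.xyz", "ilu21plane.xyz", "153ishak.best",
};

/* The observed beacon id (011E3D33FBC8A0E3EE00FF0000000000000000) is 38 hex
 * digits; requiring at least 32 is an assumed tolerance, not a documented
 * field length. */
#define MIN_ID_HEX 32

/* Length of the run of hex digits at the start of s. */
static size_t hex_run(const char *s)
{
    size_t n = 0;
    while (isxdigit((unsigned char)s[n]))
        n++;
    return n;
}

/* 1 if host is one of the domains listed in the report. */
int is_observed_domain(const char *host)
{
    for (size_t i = 0; i < sizeof kObservedDomains / sizeof kObservedDomains[0]; i++)
        if (strcmp(host, kObservedDomains[i]) == 0)
            return 1;
    return 0;
}

/* 1 if a request path+query has the shape /photo.png?id=<hex...> seen in the
 * memory strings. Anything after the hex run (the report shows "V)T", "4") is
 * ignored, so strings carved from a dump still match. */
int is_loader_beacon_uri(const char *uri)
{
    static const char tail[] = "/photo.png";
    const size_t tail_len = sizeof tail - 1;
    const char *q = strchr(uri, '?');
    if (q == NULL || (size_t)(q - uri) < tail_len)
        return 0;
    if (strncmp(q - tail_len, tail, tail_len) != 0)
        return 0;
    if (strncmp(q + 1, "id=", 3) != 0)
        return 0;
    return hex_run(q + 4) >= MIN_ID_HEX;
}

/* Constructed log format: "<timestamp> <client> <METHOD> <url> <status>".
 * Returns 1 on a hit and sets *reason; 0 otherwise. */
int check_log_line(const char *line, const char **reason)
{
    char method[8], url[512], host[256];
    if (sscanf(line, "%*s %*s %7s %511s", method, url) != 2)
        return 0;
    const char *p = url;
    if (strncmp(p, "https://", 8) == 0)
        p += 8;
    else if (strncmp(p, "http://", 7) == 0)
        p += 7;
    else
        return 0;                            /* only HTTP(S) URLs are in scope */
    size_t host_len = strcspn(p, "/:");
    if (host_len == 0 || host_len >= sizeof host)
        return 0;
    memcpy(host, p, host_len);
    host[host_len] = '\0';
    const char *uri = p + host_len;          /* "" when the URL has no path */
    if (is_observed_domain(host)) {
        *reason = "known IcedID domain";
        return 1;
    }
    if (is_loader_beacon_uri(uri)) {
        *reason = "IcedID loader beacon URI shape";
        return 1;
    }
    return 0;
}

/* Constructed sample log: two hits (known domain, then URI shape on an
 * unknown host) and two benign lines. */
const char *const kSampleLog[] = {
    "2024-03-27T10:00:01Z 10.0.0.5 GET https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 000",
    "2024-03-27T10:00:02Z 10.0.0.5 GET https://www.example.com/ 200",
    "2024-03-27T10:00:03Z 10.0.0.7 GET https://cdn.example.net/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000004 200",
    "2024-03-27T10:00:04Z 10.0.0.7 GET https://www.example.com/photo.png?id=42 200",
};
const size_t kSampleLogCount = sizeof kSampleLog / sizeof kSampleLog[0];

/* Runs the matcher over n lines and returns the number of hits. */
size_t count_hits(const char *const *lines, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *reason = NULL;
        if (check_log_line(lines[i], &reason)) {
            hits++;
            printf("HIT (%s): %s\n", reason, lines[i]);
        }
    }
    return hits;
}

int main(void)
{
    printf("%zu of %zu lines matched\n", count_hits(kSampleLog, kSampleLogCount), kSampleLogCount);
    return 0;
}
```

The domain list is the strong indicator; the URI shape is deliberately separate because a loader rotated to a fresh domain keeps the same request format, and a match on shape alone should be triaged rather than blocked outright, since "/photo.png" is an ordinary-looking path.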

E-Banking Fraud

Source: Yara match File source: unpacked_svchost.exe, type: SAMPLE
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe Section loaded: ondemandconnroutehelper.dll (24 further loads, 25 in total)
Source: unpacked_svchost.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@25/0
Source: C:\Users\user\Desktop\unpacked_svchost.exe File created: C:\Users\user\AppData\Local\user
Source: unpacked_svchost.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\unpacked_svchost.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unpacked_svchost.exe ReversingLabs: Detection: 71%
Source: unpacked_svchost.exe Virustotal: Detection: 76%

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\unpacked_svchost.exe Code function: 0_2_010010F6 wsprintfA, 0_2_010010F6
Source: C:\Users\user\Desktop\unpacked_svchost.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\unpacked_svchost.exe RDTSC instruction interceptor: First address: 1001131 second address: 1001151 instructions (branch targets as rendered by the sandbox):
    0x00000000 rdtsc                          ; start timestamp in EDX:EAX
    0x00000002 mov esi, eax                   ; save low dword of start
    0x00000004 mov dword ptr [esp+1Ch], edx   ; save high dword of start
    0x00000008 xor eax, eax
    0x0000000a lea edi, dword ptr [esp+28h]   ; output buffer for the CPUID registers
    0x0000000e inc eax                        ; EAX = 1 (CPUID leaf 1)
    0x0000000f xor ecx, ecx                   ; ECX = 0 (subleaf)
    0x00000011 cpuid                          ; unconditional VM exit under a hypervisor
    0x00000013 mov dword ptr [edi], eax
    0x00000015 mov eax, edi
    0x00000017 mov dword ptr [eax+04h], ebx
    0x0000001a mov dword ptr [eax+08h], ecx
    0x0000001d mov dword ptr [eax+0Ch], edx
    0x00000020 rdtsc                          ; end timestamp
Source: C:\Users\user\Desktop\unpacked_svchost.exe RDTSC instruction interceptor: First address: 1001151 second address: 1001131 instructions (branch targets as rendered by the sandbox):
    0x00000000 rdtsc                          ; end timestamp in EDX:EAX
    0x00000002 sub eax, esi                   ; 64-bit delta = end - start
    0x00000004 sbb edx, dword ptr [esp+1Ch]
    0x00000008 test edx, edx
    0x0000000a jnbe 00007F61651D0F5Ah         ; high dword non-zero (delta >= 2^32 ticks): leave without reaching the increment
    0x0000000c jc 00007F61651D0F19h           ; never taken, TEST clears CF
    0x0000000e cmp eax, 000000FAh             ; compare low dword with 250 ticks
    0x00000013 jnc 00007F61651D0F18h          ; delta >= 250: "slow", hypervisor-like, skip the increment
    0x00000015 inc byte ptr [esp+1Ah]         ; delta < 250: count one "fast", bare-metal-like iteration
    0x00000019 jmp 00007F61651D0F4Fh
    0x0000001b sub ebp, 01h                   ; loop counter
    0x0000001e jne 00007F61651D0E95h          ; next measurement
    0x00000020 rdtsc                          ; start timestamp of the next iteration
Source: C:\Users\user\Desktop\unpacked_svchost.exe Code function: 0_2_01001224 rdtsc 0_2_01001224
Source: C:\Users\user\Desktop\unpacked_svchost.exe TID: 5320 Thread sleep time: -690000s >= -30000s
Source: C:\Users\user\Desktop\unpacked_svchost.exe Last function: Thread delayed
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\unpacked_svchost.exe Code function: 0_2_01001224 rdtsc 0_2_01001224
Source: C:\Users\user\Desktop\unpacked_svchost.exe Code function: 0_2_01001000 CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,CloseHandle, 0_2_01001000
Source: C:\Users\user\Desktop\unpacked_svchost.exe Code function: 0_2_010014F9 SHGetFolderPathA,lstrcatA,lstrcatA,lstrlenA,GetUserNameA,CreateDirectoryA,lstrcatA, 0_2_010014F9
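The RDTSC/CPUID loop intercepted above, rewritten in C so the check can be reproduced on a test host. This is an added example, not the sample's code and not Joe Sandbox tooling: the 0xFA (250 tick) threshold is taken from the disassembly, while the iteration count and the final decision rule on the counter are assumptions, because the report does not show where the sample consumes the byte at [esp+1Ah]. The live measurement needs GCC or Clang on x86/x86-64; the counting and decision functions are portable.

```c
/*
 * Re-implementation of the RDTSC/CPUID timing check seen in the sample
 * (added example, not code from the sample or from Joe Sandbox).
 * Build: gcc -O1 -o tsc_probe tsc_probe.c && ./tsc_probe
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>        /* __cpuid_count (GCC/Clang) */
#include <x86intrin.h>    /* __rdtsc */
#define HAVE_X86_TSC 1
#else
#define HAVE_X86_TSC 0
#endif

/* 0xFA is the constant from the sample's "cmp eax, 000000FAh". */
#define SAMPLE_FAST_THRESHOLD 0xFAu

/* Measurements per run. The sample's EBP loop count is not visible in the
 * report; 64 is an assumed value. */
#define SAMPLE_ITERATIONS 64

/* Returns how many deltas are strictly below the threshold. This mirrors the
 * sample's "inc byte ptr [esp+1Ah]": the increment is skipped when the high
 * dword is non-zero (JNBE) or the low dword is >= 0xFA (JNC), which for a
 * threshold below 2^32 is exactly "delta >= threshold" on the 64-bit value. */
size_t count_fast_iterations(const uint64_t *deltas, size_t n, uint64_t threshold)
{
    size_t fast = 0;
    for (size_t i = 0; i < n; i++)
        if (deltas[i] < threshold)
            fast++;
    return fast;
}

/* Decision rule. The sample's own test on the counter is not in the report,
 * so this is an assumed rule: if fewer than half of the iterations were
 * "fast", CPUID is trapping, i.e. a hypervisor is present. */
int looks_like_hypervisor(const uint64_t *deltas, size_t n, uint64_t threshold)
{
    return count_fast_iterations(deltas, n, threshold) * 2 < n;
}

#if HAVE_X86_TSC
/* One measurement the way the sample does it: RDTSC, CPUID(leaf 1,
 * subleaf 0), RDTSC. CPUID is an unconditional VM exit under VT-x/AMD-V,
 * which is what inflates the delta inside a sandbox. */
uint64_t time_one_cpuid(void)
{
    unsigned int a, b, c, d;
    uint64_t start = __rdtsc();
    __cpuid_count(1, 0, a, b, c, d);
    uint64_t end = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;     /* the sample stores these; we only need the timing */
    return end - start;
}

/* Fills deltas[0..n) with live measurements. */
void measure_cpuid_deltas(uint64_t *deltas, size_t n)
{
    for (size_t i = 0; i < n; i++)
        deltas[i] = time_one_cpuid();
}
#endif

int main(void)
{
#if HAVE_X86_TSC
    uint64_t deltas[SAMPLE_ITERATIONS];
    measure_cpuid_deltas(deltas, SAMPLE_ITERATIONS);
    size_t fast = count_fast_iterations(deltas, SAMPLE_ITERATIONS, SAMPLE_FAST_THRESHOLD);
    printf("fast iterations: %zu/%d, verdict: %s\n", fast, SAMPLE_ITERATIONS,
           looks_like_hypervisor(deltas, SAMPLE_ITERATIONS, SAMPLE_FAST_THRESHOLD)
               ? "hypervisor-like" : "bare-metal-like");
#else
    puts("live RDTSC/CPUID measurement needs an x86 build; the counting logic is still usable");
#endif
    return 0;
}
```

Two points for anyone tuning a sandbox against this: the 250-tick threshold is tight, since RDTSC advances at the nominal TSC rate and CPUID itself costs on the order of a hundred or more ticks even on bare metal, so the sample depends on CPUID's VM exit being expensive rather than on a generous margin; and because the comparison is on the raw TSC delta, the usual countermeasure is TSC offsetting or scaling in the hypervisor (subtracting the exit cost from the guest-visible TSC) rather than anything the sandbox can do from user mode.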

Stealing of Sensitive Information

Source: Yara match File source: unpacked_svchost.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: unpacked_svchost.exe, type: SAMPLE
No contacted IP information (every C2 domain the sample queried returned NXDOMAIN)