Windows Analysis Report Giowcosi64.dll

Overview

General Information

Sample Name: Giowcosi64.dll
Analysis ID: 532354
MD5: 8afee9d09b791bffd2372931cc9060ba
SHA1: fe27de2819b394e2b0824dd28531a4ab914aa855
SHA256: c340ae2dde2bd8fbae46b15abef0c7e706fe8953c837329bde409959836d6510
Tags: Bokbot, DLL, exe, IcedID

Detection

IcedID
Score: 68 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected IcedID
C2 URLs / IPs found in malware configuration
Yara signature match
Contains functionality to dynamically determine API calls
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 4112 cmdline: loaddll64.exe "C:\Users\user\Desktop\Giowcosi64.dll" MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)
    • cmd.exe (PID: 4240 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 3080 cmdline: rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3184 cmdline: rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,DllMain MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3144 cmdline: rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,GeogtrHfbokouxgzMvmrq MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6400 cmdline: rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,MabefshhHuruaftdQzntqpmiqf MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1260 cmdline: rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",DllMain MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6708 cmdline: rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",GeogtrHfbokouxgzMvmrq MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6736 cmdline: rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",MabefshhHuruaftdQzntqpmiqf MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
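
The seven rundll32.exe instances above are spawned by loaddll64.exe, the sandbox's own DLL harness, which calls the sample by ordinal (#1), by DllMain and by each exported name so that every entry point gets executed; they are not the sample propagating itself. What transfers to a production hunt is the shape of the command line: rundll32.exe loading a DLL from a user-writable path (here C:\Users\user\Desktop) with an entry point that is an ordinal, DllMain, or a random-looking export name. The Python below is an added example and not part of the Joe Sandbox report: it parses rundll32 command lines and flags those that load a DLL from a user-writable location. The event records are constructed from the report's process tree (PIDs and command lines as shown there, parent images as implied by the tree); the Sysmon Event ID 1 field names are an assumption about the log source, and the benign shell32.dll control event is made up.

```python
"""Hunt for rundll32.exe loading a DLL from a user-writable path.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from
the report's process tree; field names (Image, CommandLine, ParentImage,
ProcessId) assume Sysmon Event ID 1 as the log source.
"""
import re

# rundll32 <dll>,<entry> [args]: the DLL path may be quoted, the entry is
# either an export name or an ordinal written as #N.
RUNDLL32_RE = re.compile(
    r'^(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?P<dll>"[^"]+"|[^\s,]+)\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)

# Locations an unprivileged user can write to. System DLLs that rundll32
# legitimately hosts live under %SystemRoot%, never here.
USER_WRITABLE_RE = re.compile(
    r'^[a-z]:\\(?:users|programdata)\\|\\appdata\\|\\temp\\',
    re.IGNORECASE,
)


def parse_rundll32(cmdline):
    """Return (dll_path, entry) for a rundll32 command line, or None."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    return m.group("dll").strip('"'), m.group("entry")


def classify_entry(entry):
    """Ordinal (#1), explicit DllMain, or a named export."""
    if entry.startswith("#"):
        return "ordinal"
    if entry.lower() == "dllmain":
        return "dllmain"
    return "named"


def hunt(events):
    """One finding per rundll32 event whose DLL sits in a user-writable path."""
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\rundll32.exe"):
            continue  # cmd.exe wrappers carry the same string; only the host counts
        parsed = parse_rundll32(ev["CommandLine"])
        if parsed is None:
            continue
        dll, entry = parsed
        if not USER_WRITABLE_RE.search(dll):
            continue
        findings.append({
            "pid": ev["ProcessId"],
            "dll": dll,
            "entry": entry,
            "entry_kind": classify_entry(entry),
            "parent": ev["ParentImage"],
        })
    return findings


# Constructed events mirroring the report's process tree, plus one benign
# control (shell32.dll from System32) and the cmd.exe wrapper, which must
# not be reported as a rundll32 host.
EVENTS = [
    {"ProcessId": 3080, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1'},
    {"ProcessId": 3184, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\loaddll64.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,DllMain"},
    {"ProcessId": 3144, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\loaddll64.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,GeogtrHfbokouxgzMvmrq"},
    {"ProcessId": 9001, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ProcessId": 4240, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\loaddll64.exe",
     "CommandLine": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1'},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"PID {f['pid']}: {f['dll']} entry={f['entry']} "
              f"({f['entry_kind']}) parent={f['parent']}")
```

The path check is deliberately the only hard condition; the entry kind is reported rather than filtered on, because an analyst triaging the hit wants to see whether the export name is an ordinal, DllMain or an unpronounceable string like the two in this sample.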

Malware Configuration

Threatname: IcedID

{"url_path": "/news/", "C2 url": ["baeswea.com", "bersaww.com"], "Campaign ID": 1892568649}
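
The report lists the two C2 host names separately from the URL path, so the request to look for on the wire is host plus path, and the Campaign ID is useful for clustering samples rather than for network detection. The Python below is an added example and not part of the report: it derives domain and request-target IOCs from the extracted configuration and scans proxy log lines for them, matching subdomains of a C2 domain while rejecting look-alike hosts that merely end in the same letters. The proxy log lines and their space-separated format (timestamp client method url status) are constructed for this example.

```python
"""Turn the report's extracted IcedID configuration into network IOCs and
match them against proxy log lines.

Added example, not part of the Joe Sandbox report. ICEDID_CONFIG is the
configuration the report extracted; PROXY_LOG and its space-separated format
(timestamp client method url status) are constructed for this example.
"""
from urllib.parse import urlsplit

# Configuration as extracted by the report from 5.2.rundll32.exe.1ed33860000.0.raw.unpack.
ICEDID_CONFIG = {
    "url_path": "/news/",
    "C2 url": ["baeswea.com", "bersaww.com"],
    "Campaign ID": 1892568649,
}


def iocs_from_config(cfg):
    """Return (domains, request_targets) derived from an extracted config.

    "C2 url" holds bare host names and "url_path" the beacon path; the
    combination host + path is the request target worth alerting on.
    """
    domains = {d.strip().lower().rstrip(".") for d in cfg["C2 url"]}
    path = cfg["url_path"]
    request_targets = {d + path for d in domains}
    return domains, request_targets


def host_matches(host, domains):
    """True if host is an IOC domain or a subdomain of one.

    The dot boundary matters: notbaeswea.com must not match baeswea.com.
    """
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(lines, cfg):
    """Return one hit per log line whose URL host is a configured C2 domain."""
    domains, _ = iocs_from_config(cfg)
    path = cfg["url_path"]
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line: skip rather than crash
        ts, client, method, url, status = parts[:5]
        # urlsplit only recognises the host when a scheme or "//" is present.
        split = urlsplit(url if "://" in url else "//" + url)
        host = split.hostname
        if not host or not host_matches(host, domains):
            continue
        hits.append({
            "time": ts,
            "client": client,
            "method": method,
            "host": host,
            "path_match": split.path.startswith(path),
            "status": status,
        })
    return hits


# Constructed proxy log lines: one benign request, two beacons to the
# configured C2 domains (one via a subdomain), and a look-alike host that
# must not match.
PROXY_LOG = [
    "2021-11-25T10:01:02Z 10.0.0.15 GET https://www.example.com/index.html 200",
    "2021-11-25T10:01:09Z 10.0.0.15 GET https://baeswea.com/news/ 200",
    "2021-11-25T10:03:44Z 10.0.0.22 POST http://cdn.bersaww.com/news/ 200",
    "2021-11-25T10:04:01Z 10.0.0.22 GET https://notbaeswea.com/news/ 404",
]

if __name__ == "__main__":
    domains, targets = iocs_from_config(ICEDID_CONFIG)
    print("domains:", sorted(domains))
    print("request targets:", sorted(targets))
    for hit in scan_proxy_log(PROXY_LOG, ICEDID_CONFIG):
        print(hit)
```

A domain-only match is reported even when the path differs, with path_match recorded separately, because the loader's path can change between builds while the registered domains tend to outlive any single sample.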

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.765347157.000001ED33860000.00000004.00000001.sdmp | MAL_IcedId_Core_LDR_202104 | 2021 loader for Bokbot / Icedid core (license.dat) | Thomas Barabosch, Telekom Security
  • 0xdb2:$internal_name: sadl_64.dll
  • 0x1022:$string0: GetCommandLineA
  • 0xfa6:$string1: LoadLibraryA
  • 0xceb:$string2: ProgramData
  • 0xf54:$string3: SHLWAPI.dll
  • 0xf20:$string4: SHGetFolderPathA
  • 0xf32:$string7: SHELL32.dll
  • 0x104a:$string8: CreateThread
00000005.00000002.765347157.000001ED33860000.00000004.00000001.sdmp | JoeSecurity_IcedID_6 | Yara detected IcedID | Joe Security
00000005.00000002.765442198.000001ED33A60000.00000040.00000001.sdmp | MAL_IcedId_Core_LDR_202104 | 2021 loader for Bokbot / Icedid core (license.dat) | Thomas Barabosch, Telekom Security
  • 0x21b2:$internal_name: sadl_64.dll
  • 0x2422:$string0: GetCommandLineA
  • 0x23a6:$string1: LoadLibraryA
  • 0x20eb:$string2: ProgramData
  • 0x2354:$string3: SHLWAPI.dll
  • 0x2320:$string4: SHGetFolderPathA
  • 0x2332:$string7: SHELL32.dll
  • 0x244a:$string8: CreateThread
00000005.00000002.765442198.000001ED33A60000.00000040.00000001.sdmp | JoeSecurity_IcedID_6 | Yara detected IcedID | Joe Security
00000002.00000002.741382042.000001BB6E480000.00000040.00000001.sdmp | MAL_IcedId_Core_LDR_202104 | 2021 loader for Bokbot / Icedid core (license.dat) | Thomas Barabosch, Telekom Security
  • 0x21b2:$internal_name: sadl_64.dll
  • 0x2422:$string0: GetCommandLineA
  • 0x23a6:$string1: LoadLibraryA
  • 0x20eb:$string2: ProgramData
  • 0x2354:$string3: SHLWAPI.dll
  • 0x2320:$string4: SHGetFolderPathA
  • 0x2332:$string7: SHELL32.dll
  • 0x244a:$string8: CreateThread
27 further entries not shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
10.2.rundll32.exe.208f72d0000.0.raw.unpack | MAL_IcedId_Core_LDR_202104 | 2021 loader for Bokbot / Icedid core (license.dat) | Thomas Barabosch, Telekom Security
  • 0xdb2:$internal_name: sadl_64.dll
  • 0x1022:$string0: GetCommandLineA
  • 0xfa6:$string1: LoadLibraryA
  • 0xceb:$string2: ProgramData
  • 0xf54:$string3: SHLWAPI.dll
  • 0xf20:$string4: SHGetFolderPathA
  • 0xf32:$string7: SHELL32.dll
  • 0x104a:$string8: CreateThread
10.2.rundll32.exe.208f72d0000.0.raw.unpack | JoeSecurity_IcedID_6 | Yara detected IcedID | Joe Security
2.2.rundll32.exe.1bb6e480000.1.unpack | MAL_IcedId_Core_LDR_202104 | 2021 loader for Bokbot / Icedid core (license.dat) | Thomas Barabosch, Telekom Security
  • 0xdb2:$internal_name: sadl_64.dll
  • 0x1022:$string0: GetCommandLineA
  • 0xfa6:$string1: LoadLibraryA
  • 0xceb:$string2: ProgramData
  • 0xf54:$string3: SHLWAPI.dll
  • 0xf20:$string4: SHGetFolderPathA
  • 0xf32:$string7: SHELL32.dll
  • 0x104a:$string8: CreateThread
2.2.rundll32.exe.1bb6e480000.1.unpack | JoeSecurity_IcedID_6 | Yara detected IcedID | Joe Security
9.2.rundll32.exe.21ea2870000.1.raw.unpack | MAL_IcedId_Core_LDR_202104 | 2021 loader for Bokbot / Icedid core (license.dat) | Thomas Barabosch, Telekom Security
  • 0x21b2:$internal_name: sadl_64.dll
  • 0x2422:$string0: GetCommandLineA
  • 0x23a6:$string1: LoadLibraryA
  • 0x20eb:$string2: ProgramData
  • 0x2354:$string3: SHLWAPI.dll
  • 0x2320:$string4: SHGetFolderPathA
  • 0x2332:$string7: SHELL32.dll
  • 0x244a:$string8: CreateThread
43 further entries not shown.

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
  Source: 5.2.rundll32.exe.1ed33860000.0.raw.unpack | Malware Configuration Extractor: IcedID {"url_path": "/news/", "C2 url": ["baeswea.com", "bersaww.com"], "Campaign ID": 1892568649}
Multi AV Scanner detection for submitted file
  Source: Giowcosi64.dll | Virustotal: Detection: 20%
Yara detected IcedID
  Source: Yara match, file sources:
  • 10.2.rundll32.exe.208f72d0000.0.raw.unpack, type: UNPACKEDPE
  • 2.2.rundll32.exe.1bb6e480000.1.unpack, type: UNPACKEDPE
  • 9.2.rundll32.exe.21ea2870000.1.raw.unpack, type: UNPACKEDPE
  • 4.2.rundll32.exe.207d1380000.1.unpack, type: UNPACKEDPE
  • 5.2.rundll32.exe.1ed33860000.0.raw.unpack, type: UNPACKEDPE
  • 4.2.rundll32.exe.207d1370000.0.raw.unpack, type: UNPACKEDPE
  • 10.2.rundll32.exe.208f7310000.1.raw.unpack, type: UNPACKEDPE
  • 9.2.rundll32.exe.21ea2820000.0.raw.unpack, type: UNPACKEDPE
  • 2.2.rundll32.exe.1bb6e480000.1.raw.unpack, type: UNPACKEDPE
  • 2.2.rundll32.exe.1bb6e370000.0.raw.unpack, type: UNPACKEDPE
  • 10.2.rundll32.exe.208f7310000.1.unpack, type: UNPACKEDPE
  • 5.2.rundll32.exe.1ed33a60000.1.raw.unpack, type: UNPACKEDPE
  • 3.2.rundll32.exe.1c2d1340000.0.raw.unpack, type: UNPACKEDPE
  • 8.2.rundll32.exe.1aebcf20000.1.unpack, type: UNPACKEDPE
  • 4.2.rundll32.exe.207d1380000.1.raw.unpack, type: UNPACKEDPE
  • 3.2.rundll32.exe.1c2d1350000.1.raw.unpack, type: UNPACKEDPE
  • 5.2.rundll32.exe.1ed33a60000.1.unpack, type: UNPACKEDPE
  • 0.2.loaddll64.exe.1b778a50000.1.raw.unpack, type: UNPACKEDPE
  • 8.2.rundll32.exe.1aebcdf0000.0.raw.unpack, type: UNPACKEDPE
  • 0.2.loaddll64.exe.1b778a50000.1.unpack, type: UNPACKEDPE
  • 0.2.loaddll64.exe.1b778900000.0.raw.unpack, type: UNPACKEDPE
  • 8.2.rundll32.exe.1aebcf20000.1.raw.unpack, type: UNPACKEDPE
  • 3.2.rundll32.exe.1c2d1350000.1.unpack, type: UNPACKEDPE
  • 9.2.rundll32.exe.21ea2870000.1.unpack, type: UNPACKEDPE
  • 00000005.00000002.765347157.000001ED33860000.00000004.00000001.sdmp, type: MEMORY
  • 00000005.00000002.765442198.000001ED33A60000.00000040.00000001.sdmp, type: MEMORY
  • 00000002.00000002.741382042.000001BB6E480000.00000040.00000001.sdmp, type: MEMORY
  • 0000000A.00000002.832558945.00000208F7310000.00000040.00000001.sdmp, type: MEMORY
  • 00000003.00000002.741362051.000001C2D1340000.00000004.00000001.sdmp, type: MEMORY
  • 00000002.00000002.741362258.000001BB6E370000.00000004.00000001.sdmp, type: MEMORY
  • 00000000.00000002.776377415.000001B778A50000.00000040.00000001.sdmp, type: MEMORY
  • 00000009.00000002.825177682.0000021EA2820000.00000004.00000001.sdmp, type: MEMORY
  • 00000004.00000002.765191936.00000207D1370000.00000004.00000001.sdmp, type: MEMORY
  • 00000000.00000002.776350458.000001B778900000.00000004.00000001.sdmp, type: MEMORY
  • 00000003.00000002.741365555.000001C2D1350000.00000040.00000001.sdmp, type: MEMORY
  • 00000009.00000002.825233831.0000021EA2870000.00000040.00000001.sdmp, type: MEMORY
  • 00000008.00000002.826014958.000001AEBCF20000.00000040.00000001.sdmp, type: MEMORY
  • 00000004.00000002.765207841.00000207D1380000.00000040.00000001.sdmp, type: MEMORY
  • 0000000A.00000002.832543483.00000208F72D0000.00000004.00000001.sdmp, type: MEMORY
  • 00000008.00000002.825990184.000001AEBCDF0000.00000004.00000001.sdmp, type: MEMORY

Source: Giowcosi64.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Networking:

C2 URLs / IPs found in malware configuration
  Source: Malware configuration extractor | URLs: baeswea.com
  Source: Malware configuration extractor | URLs: bersaww.com

E-Banking Fraud:

Yara detected IcedID
  Source: Yara match, file sources:
  • 10.2.rundll32.exe.208f72d0000.0.raw.unpack, type: UNPACKEDPE
  • 2.2.rundll32.exe.1bb6e480000.1.unpack, type: UNPACKEDPE
  • 9.2.rundll32.exe.21ea2870000.1.raw.unpack, type: UNPACKEDPE
  • 4.2.rundll32.exe.207d1380000.1.unpack, type: UNPACKEDPE
  • 5.2.rundll32.exe.1ed33860000.0.raw.unpack, type: UNPACKEDPE
  • 4.2.rundll32.exe.207d1370000.0.raw.unpack, type: UNPACKEDPE
  • 10.2.rundll32.exe.208f7310000.1.raw.unpack, type: UNPACKEDPE
  • 9.2.rundll32.exe.21ea2820000.0.raw.unpack, type: UNPACKEDPE
  • 2.2.rundll32.exe.1bb6e480000.1.raw.unpack, type: UNPACKEDPE
  • 2.2.rundll32.exe.1bb6e370000.0.raw.unpack, type: UNPACKEDPE
  • 10.2.rundll32.exe.208f7310000.1.unpack, type: UNPACKEDPE
  • 5.2.rundll32.exe.1ed33a60000.1.raw.unpack, type: UNPACKEDPE
  • 3.2.rundll32.exe.1c2d1340000.0.raw.unpack, type: UNPACKEDPE
  • 8.2.rundll32.exe.1aebcf20000.1.unpack, type: UNPACKEDPE
  • 4.2.rundll32.exe.207d1380000.1.raw.unpack, type: UNPACKEDPE
  • 3.2.rundll32.exe.1c2d1350000.1.raw.unpack, type: UNPACKEDPE
  • 5.2.rundll32.exe.1ed33a60000.1.unpack, type: UNPACKEDPE
  • 0.2.loaddll64.exe.1b778a50000.1.raw.unpack, type: UNPACKEDPE
  • 8.2.rundll32.exe.1aebcdf0000.0.raw.unpack, type: UNPACKEDPE
  • 0.2.loaddll64.exe.1b778a50000.1.unpack, type: UNPACKEDPE
  • 0.2.loaddll64.exe.1b778900000.0.raw.unpack, type: UNPACKEDPE
  • 8.2.rundll32.exe.1aebcf20000.1.raw.unpack, type: UNPACKEDPE
  • 3.2.rundll32.exe.1c2d1350000.1.unpack, type: UNPACKEDPE
  • 9.2.rundll32.exe.21ea2870000.1.unpack, type: UNPACKEDPE
  • 00000005.00000002.765347157.000001ED33860000.00000004.00000001.sdmp, type: MEMORY
  • 00000005.00000002.765442198.000001ED33A60000.00000040.00000001.sdmp, type: MEMORY
  • 00000002.00000002.741382042.000001BB6E480000.00000040.00000001.sdmp, type: MEMORY
  • 0000000A.00000002.832558945.00000208F7310000.00000040.00000001.sdmp, type: MEMORY
  • 00000003.00000002.741362051.000001C2D1340000.00000004.00000001.sdmp, type: MEMORY
  • 00000002.00000002.741362258.000001BB6E370000.00000004.00000001.sdmp, type: MEMORY
  • 00000000.00000002.776377415.000001B778A50000.00000040.00000001.sdmp, type: MEMORY
  • 00000009.00000002.825177682.0000021EA2820000.00000004.00000001.sdmp, type: MEMORY
  • 00000004.00000002.765191936.00000207D1370000.00000004.00000001.sdmp, type: MEMORY
  • 00000000.00000002.776350458.000001B778900000.00000004.00000001.sdmp, type: MEMORY
  • 00000003.00000002.741365555.000001C2D1350000.00000040.00000001.sdmp, type: MEMORY
  • 00000009.00000002.825233831.0000021EA2870000.00000040.00000001.sdmp, type: MEMORY
  • 00000008.00000002.826014958.000001AEBCF20000.00000040.00000001.sdmp, type: MEMORY
  • 00000004.00000002.765207841.00000207D1380000.00000040.00000001.sdmp, type: MEMORY
  • 0000000A.00000002.832543483.00000208F72D0000.00000004.00000001.sdmp, type: MEMORY
  • 00000008.00000002.825990184.000001AEBCDF0000.00000004.00000001.sdmp, type: MEMORY

Yara signature match
  Matched rule: MAL_IcedId_Core_LDR_202104 (date = 2021-04-13, author = Thomas Barabosch, Telekom Security, description = 2021 loader for Bokbot / Icedid core (license.dat), reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240), matched in:
  • 10.2.rundll32.exe.208f72d0000.0.raw.unpack, type: UNPACKEDPE
  • 2.2.rundll32.exe.1bb6e480000.1.unpack, type: UNPACKEDPE
  • 9.2.rundll32.exe.21ea2870000.1.raw.unpack, type: UNPACKEDPE
  • 4.2.rundll32.exe.207d1380000.1.unpack, type: UNPACKEDPE
  • 5.2.rundll32.exe.1ed33860000.0.raw.unpack, type: UNPACKEDPE
  • 4.2.rundll32.exe.207d1370000.0.raw.unpack, type: UNPACKEDPE
  • 10.2.rundll32.exe.208f7310000.1.raw.unpack, type: UNPACKEDPE
  • 9.2.rundll32.exe.21ea2820000.0.raw.unpack, type: UNPACKEDPE
  • 2.2.rundll32.exe.1bb6e480000.1.raw.unpack, type: UNPACKEDPE
  • 2.2.rundll32.exe.1bb6e370000.0.raw.unpack, type: UNPACKEDPE
  • 10.2.rundll32.exe.208f7310000.1.unpack, type: UNPACKEDPE
  • 5.2.rundll32.exe.1ed33a60000.1.raw.unpack, type: UNPACKEDPE
  • 3.2.rundll32.exe.1c2d1340000.0.raw.unpack, type: UNPACKEDPE
  • 8.2.rundll32.exe.1aebcf20000.1.unpack, type: UNPACKEDPE
  • 4.2.rundll32.exe.207d1380000.1.raw.unpack, type: UNPACKEDPE
  • 3.2.rundll32.exe.1c2d1350000.1.raw.unpack, type: UNPACKEDPE
  • 5.2.rundll32.exe.1ed33a60000.1.unpack, type: UNPACKEDPE
  • 0.2.loaddll64.exe.1b778a50000.1.raw.unpack, type: UNPACKEDPE
  • 8.2.rundll32.exe.1aebcdf0000.0.raw.unpack, type: UNPACKEDPE
  • 0.2.loaddll64.exe.1b778a50000.1.unpack, type: UNPACKEDPE
  • 0.2.loaddll64.exe.1b778900000.0.raw.unpack, type: UNPACKEDPE
  • 8.2.rundll32.exe.1aebcf20000.1.raw.unpack, type: UNPACKEDPE
  • 3.2.rundll32.exe.1c2d1350000.1.unpack, type: UNPACKEDPE
  • 9.2.rundll32.exe.21ea2870000.1.unpack, type: UNPACKEDPE
  • 00000005.00000002.765347157.000001ED33860000.00000004.00000001.sdmp, type: MEMORY
  • 00000005.00000002.765442198.000001ED33A60000.00000040.00000001.sdmp, type: MEMORY
  • 00000002.00000002.741382042.000001BB6E480000.00000040.00000001.sdmp, type: MEMORY
  • 0000000A.00000002.832558945.00000208F7310000.00000040.00000001.sdmp, type: MEMORY
  • 00000003.00000002.741362051.000001C2D1340000.00000004.00000001.sdmp, type: MEMORY
  • 00000002.00000002.741362258.000001BB6E370000.00000004.00000001.sdmp, type: MEMORY
  • 00000000.00000002.776377415.000001B778A50000.00000040.00000001.sdmp, type: MEMORY
  • 00000009.00000002.825177682.0000021EA2820000.00000004.00000001.sdmp, type: MEMORY
  • 00000004.00000002.765191936.00000207D1370000.00000004.00000001.sdmp, type: MEMORY
  • 00000000.00000002.776350458.000001B778900000.00000004.00000001.sdmp, type: MEMORY
  • 00000003.00000002.741365555.000001C2D1350000.00000040.00000001.sdmp, type: MEMORY
  • 00000009.00000002.825233831.0000021EA2870000.00000040.00000001.sdmp, type: MEMORY
  • 00000008.00000002.826014958.000001AEBCF20000.00000040.00000001.sdmp, type: MEMORY
  • 00000004.00000002.765207841.00000207D1380000.00000040.00000001.sdmp, type: MEMORY
  • 0000000A.00000002.832543483.00000208F72D0000.00000004.00000001.sdmp, type: MEMORY
  • 00000008.00000002.825990184.000001AEBCDF0000.00000004.00000001.sdmp, type: MEMORY

Multi AV Scanner detection for submitted file
  Source: Giowcosi64.dll | Virustotal: Detection: 20%

Source: Giowcosi64.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal68.troj.winDLL@17/0@0/0
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,DllMain
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Giowcosi64.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,DllMain
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,GeogtrHfbokouxgzMvmrq
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,MabefshhHuruaftdQzntqpmiqf
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",DllMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",GeogtrHfbokouxgzMvmrq
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",MabefshhHuruaftdQzntqpmiqf
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,DllMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,GeogtrHfbokouxgzMvmrq
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,MabefshhHuruaftdQzntqpmiqf
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",DllMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",GeogtrHfbokouxgzMvmrq
          Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",MabefshhHuruaftdQzntqpmiqf
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1
          Source: Giowcosi64.dllStatic PE information: Image base 0x180000000 > 0x60000000
          Source: Giowcosi64.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: C:\Windows\System32\rundll32.exeCode function: 2_2_000001BB6E481340 LoadLibraryA,GetProcAddress,GetLastError,
          Source: C:\Windows\System32\rundll32.exeCode function: 2_2_000001BB6E482018 push rax; retf
          Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000001C2D1352018 push rax; retf
          Source: C:\Windows\System32\rundll32.exeCode function: 8_2_000001AEBCF22018 push rax; retf
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\loaddll64.exe TID: 2088Thread sleep time: -120000s >= -30000s
          Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
          Source: C:\Windows\System32\loaddll64.exeThread delayed: delay time: 120000
          Source: C:\Windows\System32\rundll32.exeCode function: 2_2_000001BB6E481340 LoadLibraryA,GetProcAddress,GetLastError,
          Source: C:\Windows\System32\rundll32.exeCode function: 2_2_000001BB6E482078 GetProcessHeap,memset,
          Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1
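The process-creation rows above show how the sample was exercised: rundll32.exe is pointed at a DLL on the user's Desktop and asked for each named export (DllMain, GeogtrHfbokouxgzMvmrq, MabefshhHuruaftdQzntqpmiqf) and for ordinal #1, once directly and once via cmd.exe /C. The following Python is an added example, not part of the Joe Sandbox report: it parses rundll32 command lines the way they arrive in process-creation telemetry (quoted or bare DLL path, comma or space before the entry point, optional path-qualified host) and applies three checks, a DLL in a user-writable directory, an entry point given by ordinal, and a consonant-run heuristic for machine-generated export names. The directory list and the heuristic are assumptions of this example, and the sample events are constructed from this report's own command lines plus two benign control-panel launches.

```python
"""Triage rundll32 command lines from process-creation telemetry (added example, stdlib only)."""
import re
from dataclasses import dataclass

# Locations a standard user can write to; a DLL launched from here via rundll32 deserves a look.
# The list is an assumption of this example, not taken from the report.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(desktop|downloads|documents|appdata)|programdata|windows\\temp|temp)\\", re.I)

# The rundll32 host, optionally path-qualified and/or quoted, followed by its arguments.
RUNDLL32 = re.compile(r'(?:^|[\s"])(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.I)


@dataclass
class Rundll32Call:
    dll: str    # DLL path exactly as given on the command line
    entry: str  # export name, "#N" for an ordinal, or "" if absent
    args: str   # whatever follows the entry point


def parse_rundll32(cmdline: str):
    """Return the DLL/entry/args of a rundll32 invocation, or None if the line is not one.
    rundll32 accepts 'dll,entry', '"dll",entry' and 'dll entry'; all three forms are handled."""
    m = RUNDLL32.search(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.index('"', 1)
        dll, rest = rest[1:end], rest[end + 1:]
    else:
        cut = re.search(r"[,\s]", rest)
        dll, rest = (rest[:cut.start()], rest[cut.start():]) if cut else (rest, "")
    entry, _, args = rest.lstrip(" ,").partition(" ")
    return Rundll32Call(dll, entry, args.strip())


def looks_generated(name: str) -> bool:
    """Heuristic (an assumption of this example, not a report signature): a run of five or more
    consonants is rare in real export names but common in randomly generated ones."""
    run = 0
    for ch in name.lower():
        run = run + 1 if ch.isalpha() and ch not in "aeiouy" else 0
        if run >= 5:
            return True
    return False


def assess(cmdline: str) -> list:
    """Findings for one command line; an empty list means nothing stood out."""
    call = parse_rundll32(cmdline)
    if call is None:
        return []
    findings = []
    if USER_WRITABLE.search(call.dll):
        findings.append(f"DLL loaded from user-writable path: {call.dll}")
    if call.entry.startswith("#"):
        findings.append(f"entry point given by ordinal, hiding the export name: {call.entry}")
    elif looks_generated(call.entry):
        findings.append(f"export name looks machine-generated: {call.entry}")
    return findings


# Constructed sample: the command lines from this report's process tree plus two benign ones.
SAMPLE_EVENTS = [
    'cmd.exe /C rundll32.exe "C:\\Users\\user\\Desktop\\Giowcosi64.dll",#1',
    'rundll32.exe C:\\Users\\user\\Desktop\\Giowcosi64.dll,DllMain',
    'rundll32.exe C:\\Users\\user\\Desktop\\Giowcosi64.dll,GeogtrHfbokouxgzMvmrq',
    'rundll32.exe "C:\\Users\\user\\Desktop\\Giowcosi64.dll",MabefshhHuruaftdQzntqpmiqf',
    'rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl',
    '"C:\\Windows\\System32\\rundll32.exe" C:\\Windows\\System32\\shell32.dll,OpenAs_RunDLL C:\\notes.txt',
]


def scan(events) -> dict:
    """Map each suspicious command line to its findings; clean lines are omitted."""
    return {e: f for e in events if (f := assess(e))}


if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_EVENTS).items():
        print(cmdline)
        for f in findings:
            print("  -", f)
```

The two shell32.dll launches come back clean, the four lines from this report each produce at least one finding, and the cmd.exe /C wrapper is seen through because the host is matched anywhere in the line rather than only at its start.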

Stealing of Sensitive Information:

Yara detected IcedID
Source: Yara match, type UNPACKEDPE, file sources:
• 10.2.rundll32.exe.208f72d0000.0.raw.unpack
• 2.2.rundll32.exe.1bb6e480000.1.unpack
• 9.2.rundll32.exe.21ea2870000.1.raw.unpack
• 4.2.rundll32.exe.207d1380000.1.unpack
• 5.2.rundll32.exe.1ed33860000.0.raw.unpack
• 4.2.rundll32.exe.207d1370000.0.raw.unpack
• 10.2.rundll32.exe.208f7310000.1.raw.unpack
• 9.2.rundll32.exe.21ea2820000.0.raw.unpack
• 2.2.rundll32.exe.1bb6e480000.1.raw.unpack
• 2.2.rundll32.exe.1bb6e370000.0.raw.unpack
• 10.2.rundll32.exe.208f7310000.1.unpack
• 5.2.rundll32.exe.1ed33a60000.1.raw.unpack
• 3.2.rundll32.exe.1c2d1340000.0.raw.unpack
• 8.2.rundll32.exe.1aebcf20000.1.unpack
• 4.2.rundll32.exe.207d1380000.1.raw.unpack
• 3.2.rundll32.exe.1c2d1350000.1.raw.unpack
• 5.2.rundll32.exe.1ed33a60000.1.unpack
• 0.2.loaddll64.exe.1b778a50000.1.raw.unpack
• 8.2.rundll32.exe.1aebcdf0000.0.raw.unpack
• 0.2.loaddll64.exe.1b778a50000.1.unpack
• 0.2.loaddll64.exe.1b778900000.0.raw.unpack
• 8.2.rundll32.exe.1aebcf20000.1.raw.unpack
• 3.2.rundll32.exe.1c2d1350000.1.unpack
• 9.2.rundll32.exe.21ea2870000.1.unpack
Source: Yara match, type MEMORY, file sources:
• 00000005.00000002.765347157.000001ED33860000.00000004.00000001.sdmp
• 00000005.00000002.765442198.000001ED33A60000.00000040.00000001.sdmp
• 00000002.00000002.741382042.000001BB6E480000.00000040.00000001.sdmp
• 0000000A.00000002.832558945.00000208F7310000.00000040.00000001.sdmp
• 00000003.00000002.741362051.000001C2D1340000.00000004.00000001.sdmp
• 00000002.00000002.741362258.000001BB6E370000.00000004.00000001.sdmp
• 00000000.00000002.776377415.000001B778A50000.00000040.00000001.sdmp
• 00000009.00000002.825177682.0000021EA2820000.00000004.00000001.sdmp
• 00000004.00000002.765191936.00000207D1370000.00000004.00000001.sdmp
• 00000000.00000002.776350458.000001B778900000.00000004.00000001.sdmp
• 00000003.00000002.741365555.000001C2D1350000.00000040.00000001.sdmp
• 00000009.00000002.825233831.0000021EA2870000.00000040.00000001.sdmp
• 00000008.00000002.826014958.000001AEBCF20000.00000040.00000001.sdmp
• 00000004.00000002.765207841.00000207D1380000.00000040.00000001.sdmp
• 0000000A.00000002.832543483.00000208F72D0000.00000004.00000001.sdmp
• 00000008.00000002.825990184.000001AEBCDF0000.00000004.00000001.sdmp
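Both "Yara detected IcedID" listings (this section and Remote Access Functionality, which repeats the same entries) name the same regions, and every process appears twice: one memory dump whose name carries 00000004 and a second one at a higher address carrying 00000040, each with a matching unpacked PE file. If that field is the Windows page protection, as this example assumes, the pair reads as PAGE_READWRITE and PAGE_EXECUTE_READWRITE. The following Python is an added example, not Joe Sandbox code: it parses those identifiers and groups them per process so the executable regions stand out. The field layout of the dump and unpack names (process index, dump index, counter, base address, page protection, region type) is an assumption of this example and is not documented on the page; the sample lines are a constructed subset of the list above, in the fused form the extraction shows.

```python
"""Group the Yara-matched memory regions of this report per process (added example, stdlib only)."""
import re
from collections import defaultdict

# Field layout assumed for the dump names as they appear in this report (an assumption of this
# example; the page does not document it): <proc>.<dump>.<counter>.<base>.<protection>.<kind>.sdmp
SDMP = re.compile(r"^(?P<proc>[0-9a-f]{8})\.(?P<dump>[0-9a-f]{8})\.(?P<ctr>\d+)\.(?P<base>[0-9a-f]{16})"
                  r"\.(?P<prot>[0-9a-f]{8})\.(?P<kind>[0-9a-f]{8})\.sdmp$", re.I)
# Same assumption for unpacked PEs: <proc>.<dump>.<image>.<base>.<region>[.raw].unpack
UNPACK = re.compile(r"^(?P<proc>\d+)\.(?P<dump>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.(?P<region>\d+)"
                    r"(?P<raw>\.raw)?\.unpack$", re.I)
FILE_SOURCE = re.compile(r"File source:\s*(?P<name>[^\s,]+)")
# Windows PAGE_* protection constants (winnt.h); any of the 0x10..0x80 values is executable.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}


def parse_region(text: str):
    """Accept a whole 'File source: X, type: T' line or a bare dump/unpack name; None if neither."""
    m = FILE_SOURCE.search(text)
    name = m["name"] if m else text.strip().lstrip("• ").strip()
    if d := SDMP.match(name):
        prot = int(d["prot"], 16)
        return {"proc": int(d["proc"], 16), "base": int(d["base"], 16), "kind": "MEMORY",
                "protection": PAGE_PROTECT.get(prot, f"{prot:#x}"), "executable": bool(prot & 0xF0)}
    if u := UNPACK.match(name):
        return {"proc": int(u["proc"]), "base": int(u["base"], 16), "kind": "UNPACKEDPE",
                "image": u["image"], "raw": u["raw"] is not None}
    return None


def group_by_process(items) -> dict:
    """proc index -> regions sorted by base (memory dump and unpacked PE of one base end up adjacent)."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_region, items)):
        groups[rec["proc"]].append(rec)
    return {p: sorted(regs, key=lambda r: (r["base"], r["kind"])) for p, regs in sorted(groups.items())}


def executable_hits(groups: dict) -> dict:
    """proc index -> bases of Yara-matched memory that was mapped with an execute protection."""
    return {p: [r["base"] for r in regs if r["kind"] == "MEMORY" and r["executable"]]
            for p, regs in groups.items()}


# Constructed sample: a subset of the match lines in this report.
SAMPLE_LINES = [
    "Source: Yara matchFile source: 4.2.rundll32.exe.207d1370000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 4.2.rundll32.exe.207d1380000.1.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 00000004.00000002.765191936.00000207D1370000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000004.00000002.765207841.00000207D1380000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0.2.loaddll64.exe.1b778a50000.1.raw.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 00000000.00000002.776377415.000001B778A50000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000002.00000002.741362258.000001BB6E370000.00000004.00000001.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    for proc, regions in group_by_process(SAMPLE_LINES).items():
        print(f"process {proc}:")
        for r in regions:
            print(f"  {r['base']:#x} {r['kind']} {r.get('protection', r.get('image'))}")
```

Feeding the full list from the report instead of the sample gives one executable hit per process, which is the view a responder wants when deciding which dump to carve the payload from.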

Remote Access Functionality:

Yara detected IcedID
Source: Yara match; the same 24 unpacked PE files and 16 memory dumps listed under Stealing of Sensitive Information.

          Mitre Att&ck Matrix

Superscript numbers are carried over from the report and mark the techniques with matching signatures; the other entries are the unmatched matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Native API ¹; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection ¹ ¹; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Rundll32 ¹; Virtualization/Sandbox Evasion ¹ ¹; Process Injection ¹ ¹; Obfuscated Files or Information ¹
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery ¹; Virtualization/Sandbox Evasion ¹ ¹; System Information Discovery ¹; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Application Layer Protocol ¹; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

[Behavior graph image; text recovered from it] Behavior Graph ID: 532354, Sample: Giowcosi64.dll, Start date: 02/12/2021, Architecture: WINDOWS, Score: 68. Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected IcedID; C2 URLs / IPs found in malware configuration. Process edges: Start → loaddll64.exe; loaddll64.exe → cmd.exe, rundll32.exe, rundll32.exe and 4 other processes; cmd.exe → rundll32.exe.

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner
Giowcosi64.dll | 20% | Virustotal

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
bersaww.com | 0% | Avira URL Cloud | safe
baeswea.com | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
bersaww.com | true | Avira URL Cloud: safe | unknown
baeswea.com | true | Avira URL Cloud: safe | unknown
Both domains are marked malicious on the strength of the extracted IcedID configuration (signature "C2 URLs / IPs found in malware configuration"), not on URL reputation, which rates them safe and unknown. The report records no network behavior, no contacted IPs and no DNS queries, so neither domain was observed being resolved or contacted during the run.

          Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox Version:34.0.0 Boulder Opal
          Analysis ID:532354
          Start date:02.12.2021
          Start time:04:19:15
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 7m 7s
          Hypervisor based Inspection enabled:false
          Report type:light
          Sample file name:Giowcosi64.dll
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:21
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal68.troj.winDLL@17/0@0/0
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 37.3% (good quality ratio 27.5%)
          • Quality average: 45.6%
          • Quality standard deviation: 41.7%
          HCA Information:
          • Successful, ratio: 67%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .dll
          • Override analysis time to 240s for rundll32
          Warnings:
          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
          • Not all processes where analyzed, report is missing behavior information

          Simulations

          Behavior and APIs

Time | Type | Description
04:21:06 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          No created / dropped files found

          Static File Info

          General

          File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Entropy (8bit):6.413355690561383
          TrID:
          • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
          • Win64 Executable (generic) (12005/4) 10.17%
          • Generic Win/DOS Executable (2004/3) 1.70%
          • DOS Executable Generic (2002/1) 1.70%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
          File name:Giowcosi64.dll
          File size:116224
          MD5:8afee9d09b791bffd2372931cc9060ba
          SHA1:fe27de2819b394e2b0824dd28531a4ab914aa855
          SHA256:c340ae2dde2bd8fbae46b15abef0c7e706fe8953c837329bde409959836d6510
          SHA512:7e13ae3e0a1c783ad19e34be8a921473b239eb21d66301a21a325aa245b5930f907182688ed819aef4cc85a0e1b4f407b5a76a40c907f8fb4eb0280e363d400e
          SSDEEP:1536:CzxBuW7NfJpGgiNrmcefpeuJDVrMOx4NQGroPYqWhO8sWKKhplKtBbM8izw8pCt2:eBnxfJgP4FfMCDVrYycoPj3QMUvvT
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8..AY..AY..AY...1..@Y..2;..BY..AY..KY...0..EY...0..@Y...0..@Y..RichAY..........PE..d......U.........." .......................

          File Icon

          Icon Hash:74f0e4ecccdce0e4

          Static PE Info

          General

          Entrypoint:0x18000eed0
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x180000000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Time Stamp:0x559AE088 [Mon Jul 6 20:09:44 2015 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:6
          OS Version Minor:0
          File Version Major:6
          File Version Minor:0
          Subsystem Version Major:6
          Subsystem Version Minor:0
          Import Hash:f1a15344df95e4a35a13d3ab15c783e1

          Entrypoint Preview

Instruction

The listing below is a 32-bit decode of x86-64 code: the image is PE32+, and in 64-bit mode the bytes shown as "dec eax" (0x48) and "dec esp" (0x4C) are REX prefixes that belong to the instruction after them, esp stands for rsp, and the bracketed absolute addresses are RIP-relative displacements. Read "dec esp / mov dword ptr [esp+18h], eax" as "mov qword ptr [rsp+18h], r8", "dec eax / mov dword ptr [esp+08h], ecx" as "mov qword ptr [rsp+08h], rcx" and "dec eax / sub esp, 48h" as "sub rsp, 48h": the three stores spill the DllMain arguments (rcx = hinstDLL, edx = fdwReason, r8 = lpvReserved), and "cmp dword ptr [esp+24h], 01h" compares fdwReason with DLL_PROCESS_ATTACH. On the attach path the counter at [esp+20h] runs from 0 up to F6299570h (about 4.13 billion rounds), multiplying the double at [esp+30h] by a constant each time before the code continues, a compute-bound stall consistent with the signature "May sleep (evasive loops) to hinder dynamic analysis". The je/jmp/call targets were rebased to the analyser's own load address and carry no meaning in the image.
          dec esp
          mov dword ptr [esp+18h], eax
          mov dword ptr [esp+10h], edx
          dec eax
          mov dword ptr [esp+08h], ecx
          dec eax
          sub esp, 48h
          mov eax, dword ptr [esp+58h]
          mov dword ptr [esp+24h], eax
          cmp dword ptr [esp+24h], 01h
          je 00007F9F84B68917h
          jmp 00007F9F84B6899Dh
          dec eax
          mov eax, dword ptr [esp+50h]
          dec eax
          mov dword ptr [0000F11Eh], eax
          call 00007F9F84B689A6h
          movsd xmm0, qword ptr [0000E159h]
          movsd qword ptr [esp+30h], xmm0
          mov dword ptr [esp+28h], F6299570h
          mov dword ptr [esp+20h], 00000000h
          jmp 00007F9F84B6891Ch
          mov eax, dword ptr [esp+20h]
          inc eax
          mov dword ptr [esp+20h], eax
          mov eax, dword ptr [esp+28h]
          cmp dword ptr [esp+20h], eax
          jnc 00007F9F84B68928h
          movsd xmm0, qword ptr [esp+30h]
          mulsd xmm0, qword ptr [0000E117h]
          movsd qword ptr [esp+30h], xmm0
          jmp 00007F9F84B688E8h
          call 00007F9F84B6867Bh
          dec esp
          lea eax, dword ptr [0000E0FBh]
          mov edx, dword ptr [0000F09Dh]
          dec eax
          mov ecx, dword ptr [0000F0A6h]
          call 00007F9F84B75F32h
          mov eax, dword ptr [0000F0A3h]
          test eax, eax
          je 00007F9F84B68917h
          call 00007F9F84B68783h
          mov eax, 00000001h
          dec eax
          add esp, 48h
          ret
          mov eax, 00000002h
          ret
          int3
          int3
          mov eax, 00000001h
          ret
          int3

          Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1d0e0 | 0x94 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d174 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1f000 | 0xb4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1d000 | 0x58 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

          Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1b9c2 | 0x1ba00 | False | 0.498488758484 | data | 6.47559683926 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x1d000 | 0x2c4 | 0x400 | False | 0.412109375 | data | 3.30084623637 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1e000 | 0x50 | 0x200 | False | 0.04296875 | Non-ISO extended-ASCII text, with no line terminators | 0.188056906087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x1f000 | 0xb4 | 0x200 | False | 0.267578125 | data | 1.85750400314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

          Imports

DLL | Import
KERNEL32.dll | CreateFileA, GetLastError, QueryPerformanceCounter, HeapAlloc, HeapFree, EnterCriticalSection, WaitForSingleObject, TlsGetValue, GetCurrencyFormatA, GetUserDefaultUILanguage
Neither LoadLibraryA nor GetProcAddress is in this import table. The LoadLibraryA/GetProcAddress/GetLastError sequence reported under the behaviour signatures (code function 2_2_000001BB6E481340) lies in the region at 0x1BB6E480000 that the report dumps as an unpacked PE (2.2.rundll32.exe.1bb6e480000.1.unpack) and that the IcedID Yara rules match, so the API resolution belongs to the unpacked stage, not to the file on disk.

          Exports

Name | Ordinal | Address
DllMain | 1 | 0x18000ee88
GeogtrHfbokouxgzMvmrq | 2 | 0x18000ef88
MabefshhHuruaftdQzntqpmiqf | 3 | 0x18000ef90
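The static PE fields above (image base, DllCharacteristics, link timestamp, section table, export names with ordinals and addresses) can all be read with a handful of struct calls. The following Python is an added example, not Joe Sandbox code: it parses a PE32+ header and export directory and, since the sample itself is not attached to this page, builds a constructed stand-in DLL carrying the values this report lists (base 0x180000000, entry 0x18000eed0, timestamp 0x559AE088, the DYNAMIC_BASE/NX_COMPAT/HIGH_ENTROPY_VA flags and the three exports) so the parser can be exercised offline. The stand-in has a single .rdata section and is an assumption of this example; to inspect a real file, pass its bytes to parse_pe64.

```python
"""Stdlib-only PE32+ header and export-table parser (added example, not Joe Sandbox code)."""
import datetime
import struct

# Flag values from the PE/COFF specification
FILECHARS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}
DLLCHARS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT"}
PE32PLUS_MAGIC = 0x20B


def parse_pe64(data: bytes) -> dict:
    """Return the header fields, section table and named exports of a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("not a PE32+ image")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "raw": rawptr})

    def rva2off(rva):  # RVA -> file offset through the section that contains it
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return s["raw"] + rva - s["va"]
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    def cstr(rva):
        off = rva2off(rva)
        return data[off:data.index(b"\0", off)].decode()

    exports = []
    if dirs and dirs[0][0]:  # IMAGE_DIRECTORY_ENTRY_EXPORT
        d = rva2off(dirs[0][0])
        _, _, _, _, _, base, _, nnames, f_rva, n_rva, o_rva = struct.unpack_from("<IIHHIIIIIII", data, d)
        for i in range(nnames):
            name_rva = struct.unpack_from("<I", data, rva2off(n_rva) + 4 * i)[0]
            ordinal = struct.unpack_from("<H", data, rva2off(o_rva) + 2 * i)[0]  # unbiased index
            func_rva = struct.unpack_from("<I", data, rva2off(f_rva) + 4 * ordinal)[0]
            exports.append((cstr(name_rva), base + ordinal, image_base + func_rva))
    ts = datetime.datetime.fromtimestamp(tstamp, datetime.timezone.utc)
    return {"machine": machine, "timestamp": ts.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "file_characteristics": [n for b, n in FILECHARS.items() if fchars & b],
            "dll_characteristics": [n for b, n in DLLCHARS.items() if dllchars & b],
            "image_base": image_base, "entrypoint": image_base + entry, "subsystem": subsystem,
            "sections": sections, "exports": exports}


def build_sample_dll() -> bytes:
    """Constructed PE32+ DLL reproducing the header values and export names listed in this
    report. A synthetic stand-in for offline testing, not the analysed file."""
    exports = [("DllMain", 0xEE88), ("GeogtrHfbokouxgzMvmrq", 0xEF88), ("MabefshhHuruaftdQzntqpmiqf", 0xEF90)]
    rdata_rva, rdata_off, n = 0x1D000, 0x400, len(exports)
    funcs_at, names_at, ords_at, strs_at = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    strings, name_rvas = b"", []
    for name, _ in exports:  # already in the sorted order the loader's binary search expects
        name_rvas.append(rdata_rva + strs_at + len(strings))
        strings += name.encode() + b"\0"
    dllname_rva = rdata_rva + strs_at + len(strings)
    strings += b"Giowcosi64.dll\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, 1, n, n,
                       rdata_rva + funcs_at, rdata_rva + names_at, rdata_rva + ords_at)
    body += b"".join(struct.pack("<I", rva) for _, rva in exports)
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    raw_len = (len(body) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0x559AE088, 0, 0, 240, sum(FILECHARS))
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", PE32PLUS_MAGIC, 14, 0, 0, 0, 0, 0xEED0, 0x1000,
                      0x180000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x20000, 0x400, 0, 2,
                      sum(DLLCHARS), 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", rdata_rva, len(body)) + b"\0" * (8 * 15)  # export dir, rest empty
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), rdata_rva, raw_len, rdata_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(rdata_off, b"\0") + body.ljust(raw_len, b"\0")


if __name__ == "__main__":
    for key, value in parse_pe64(build_sample_dll()).items():
        print(f"{key}: {value if key != 'exports' else [(n, o, hex(a)) for n, o, a in value]}")
```

The parser walks export names through the ordinal table rather than assuming name i maps to function i, which is the mistake that mis-attributes addresses when a DLL exports by ordinal with gaps; the ordinal it reports is the biased value rundll32 expects after "#".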

          Network Behavior

          No network behavior found

          Code Manipulations

          Statistics

          Behavior


          System Behavior

          General

          Start time:04:20:11
          Start date:02/12/2021
          Path:C:\Windows\System32\loaddll64.exe
          Wow64 process (32bit):false
          Commandline:loaddll64.exe "C:\Users\user\Desktop\Giowcosi64.dll"
          Imagebase:0x7ff610d90000
          File size:1136128 bytes
          MD5 hash:E0CC9D126C39A9D2FA1CAD5027EBBD18
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000000.00000002.776377415.000001B778A50000.00000040.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000000.00000002.776377415.000001B778A50000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000000.00000002.776350458.000001B778900000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000000.00000002.776350458.000001B778900000.00000004.00000001.sdmp, Author: Joe Security
          Reputation:moderate

          General

          Start time:04:20:12
          Start date:02/12/2021
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1
          Imagebase:0x7ff622070000
          File size:273920 bytes
          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:04:20:12
          Start date:02/12/2021
          Path:C:\Windows\System32\rundll32.exe
          Wow64 process (32bit):false
          Commandline:rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,DllMain
          Imagebase:0x7ff716b90000
          File size:69632 bytes
          MD5 hash:73C519F050C20580F8A62C849D49215A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000002.00000002.741382042.000001BB6E480000.00000040.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000002.00000002.741382042.000001BB6E480000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000002.00000002.741362258.000001BB6E370000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000002.00000002.741362258.000001BB6E370000.00000004.00000001.sdmp, Author: Joe Security
          Reputation:high

          General

          Start time:04:20:12
          Start date:02/12/2021
          Path:C:\Windows\System32\rundll32.exe
          Wow64 process (32bit):false
          Commandline:rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1
          Imagebase:0x7ff716b90000
          File size:69632 bytes
          MD5 hash:73C519F050C20580F8A62C849D49215A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000003.00000002.741362051.000001C2D1340000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000003.00000002.741362051.000001C2D1340000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000003.00000002.741365555.000001C2D1350000.00000040.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000003.00000002.741365555.000001C2D1350000.00000040.00000001.sdmp, Author: Joe Security
          Reputation:high

          General

          Start time:04:20:16
          Start date:02/12/2021
          Path:C:\Windows\System32\rundll32.exe
          Wow64 process (32bit):false
          Commandline:rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,GeogtrHfbokouxgzMvmrq
          Imagebase:0x7ff716b90000
          File size:69632 bytes
          MD5 hash:73C519F050C20580F8A62C849D49215A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000004.00000002.765191936.00000207D1370000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000004.00000002.765191936.00000207D1370000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000004.00000002.765207841.00000207D1380000.00000040.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000004.00000002.765207841.00000207D1380000.00000040.00000001.sdmp, Author: Joe Security
          Reputation:high

          General

          Start time:04:20:23
          Start date:02/12/2021
          Path:C:\Windows\System32\rundll32.exe
          Wow64 process (32bit):false
          Commandline:rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,MabefshhHuruaftdQzntqpmiqf
          Imagebase:0x7ff716b90000
          File size:69632 bytes
          MD5 hash:73C519F050C20580F8A62C849D49215A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000005.00000002.765347157.000001ED33860000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000005.00000002.765347157.000001ED33860000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000005.00000002.765442198.000001ED33A60000.00000040.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000005.00000002.765442198.000001ED33A60000.00000040.00000001.sdmp, Author: Joe Security
          Reputation:high

          General

          Start time:04:21:02
          Start date:02/12/2021
          Path:C:\Windows\System32\rundll32.exe
          Wow64 process (32bit):false
          Commandline:rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",DllMain
          Imagebase:0x7ff716b90000
          File size:69632 bytes
          MD5 hash:73C519F050C20580F8A62C849D49215A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000008.00000002.826014958.000001AEBCF20000.00000040.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000008.00000002.826014958.000001AEBCF20000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000008.00000002.825990184.000001AEBCDF0000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000008.00000002.825990184.000001AEBCDF0000.00000004.00000001.sdmp, Author: Joe Security
          Reputation:high

          General

          Start time:04:21:03
          Start date:02/12/2021
          Path:C:\Windows\System32\rundll32.exe
          Wow64 process (32bit):false
          Commandline:rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",GeogtrHfbokouxgzMvmrq
          Imagebase:0x7ff716b90000
          File size:69632 bytes
          MD5 hash:73C519F050C20580F8A62C849D49215A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000009.00000002.825177682.0000021EA2820000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000009.00000002.825177682.0000021EA2820000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 00000009.00000002.825233831.0000021EA2870000.00000040.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000009.00000002.825233831.0000021EA2870000.00000040.00000001.sdmp, Author: Joe Security
          Reputation:high

          General

          Start time:04:21:03
          Start date:02/12/2021
          Path:C:\Windows\System32\rundll32.exe
          Wow64 process (32bit):false
          Commandline:rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",MabefshhHuruaftdQzntqpmiqf
          Imagebase:0x7ff716b90000
          File size:69632 bytes
          MD5 hash:73C519F050C20580F8A62C849D49215A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 0000000A.00000002.832558945.00000208F7310000.00000040.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 0000000A.00000002.832558945.00000208F7310000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: MAL_IcedId_Core_LDR_202104, Description: 2021 loader for Bokbot / Icedid core (license.dat), Source: 0000000A.00000002.832543483.00000208F72D0000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
          • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 0000000A.00000002.832543483.00000208F72D0000.00000004.00000001.sdmp, Author: Joe Security
          Reputation:high
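All five rundll32.exe command lines recorded in the process list above load the DLL from the user's Desktop and call either DllMain or a random-looking export name (GeogtrHfbokouxgzMvmrq, MabefshhHuruaftdQzntqpmiqf). The Python below is an added triage example, not part of the Joe Sandbox report and not code from the sample: it parses rundll32 command lines, extracts the DLL path and export, and flags invocations whose DLL sits under a user-writable directory. The sample input embeds the command lines listed in this section plus two benign lines constructed for contrast; the list of user-writable prefixes is an assumption to tune per environment. Bear in mind that in a sandbox run the harness itself enumerates and calls the exports, so the export names and the DLL location, not the launcher, are the sample-specific indicators.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from pathlib import PureWindowsPath

# Constructed sample input: the five rundll32.exe command lines recorded in the
# process list above, followed by two benign lines (constructed, not from the report).
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,GeogtrHfbokouxgzMvmrq',
    r'rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,MabefshhHuruaftdQzntqpmiqf',
    r'rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",DllMain',
    r'rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",GeogtrHfbokouxgzMvmrq',
    r'rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",MabefshhHuruaftdQzntqpmiqf',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\printui.dll,PrintUIEntry /n "Printer"',
]

# Assumption: directories a standard user can write to. Tune per environment.
USER_WRITABLE_PREFIXES = (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp")

# rundll32 syntax: rundll32[.exe] <dll>[,<export>] [arguments]. The executable and
# the DLL may each be quoted; the export name follows the DLL after a comma.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))'
    r'(?:,(?P<export>\S+))?',
    re.IGNORECASE,
)


@dataclass
class Rundll32Call:
    dll: PureWindowsPath
    export: Optional[str]  # None when rundll32 is invoked without an export name


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Return the DLL path and export of a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("qdll") or m.group("dll")
    return Rundll32Call(PureWindowsPath(dll), m.group("export"))


def is_user_writable(path: PureWindowsPath) -> bool:
    """True when the DLL lives under a directory a standard user can write to.

    Bare names such as 'shell32.dll' are resolved by the loader search order at
    runtime and are not flagged here; treat them as unresolved if you need to.
    """
    p = str(path).lower()
    return any(p.startswith(prefix.lower() + "\\") for prefix in USER_WRITABLE_PREFIXES)


def triage(cmdlines: List[str]) -> List[Dict[str, str]]:
    """Flag rundll32 invocations whose DLL is loaded from a user-writable location."""
    hits: List[Dict[str, str]] = []
    for line in cmdlines:
        call = parse_rundll32(line)
        if call is None:
            continue
        if is_user_writable(call.dll):
            hits.append({
                "dll": str(call.dll),
                "export": call.export or "<none>",
                "reason": "DLL loaded from user-writable path",
                "cmdline": line,
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(f"{hit['reason']}: {hit['dll']} export={hit['export']}")
```

Run against the embedded sample, the five report command lines are flagged and the two System32 lines are not. The regex deliberately accepts both quoted and unquoted forms because the report itself shows the same DLL invoked both ways; a rule that only matches one form would miss half of these process records.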
