Windows Analysis Report Giowcosi64.dll

Overview

General Information

Sample Name: Giowcosi64.dll
Analysis ID: 532354
MD5: 8afee9d09b791bffd2372931cc9060ba
SHA1: fe27de2819b394e2b0824dd28531a4ab914aa855
SHA256: c340ae2dde2bd8fbae46b15abef0c7e706fe8953c837329bde409959836d6510
Tags: Bokbot, DLL, exe, IcedID

Detection

IcedID
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected IcedID
C2 URLs / IPs found in malware configuration
Yara signature match
Contains functionality to dynamically determine API calls
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 1.2.loaddll64.exe.1a9c7890000.0.raw.unpack Malware Configuration Extractor: IcedID {"url_path": "/news/", "C2 url": ["baeswea.com", "bersaww.com"], "Campaign ID": 1892568649}
Multi AV Scanner detection for submitted file
Source: Giowcosi64.dll Virustotal: Detection: 20%
Source: Giowcosi64.dll ReversingLabs: Detection: 13%
Yara detected IcedID
Source: Giowcosi64.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: baeswea.com
Source: Malware configuration extractor URLs: bersaww.com

E-Banking Fraud:

Yara detected IcedID

System Summary:

Yara signature match
Source: 12.2.rundll32.exe.1473bb10000.1.unpack, type: UNPACKEDPE Matched rule: MAL_IcedId_Core_LDR_202104 date = 2021-04-13, author = Thomas Barabosch, Telekom Security, description = 2021 loader for Bokbot / Icedid core (license.dat), reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: Giowcosi64.dll Virustotal: Detection: 20%
Source: Giowcosi64.dll ReversingLabs: Detection: 13%
Source: Giowcosi64.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal68.troj.winDLL@17/0@0/0
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,DllMain
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Giowcosi64.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,GeogtrHfbokouxgzMvmrq
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Giowcosi64.dll,MabefshhHuruaftdQzntqpmiqf
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",DllMain
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",GeogtrHfbokouxgzMvmrq
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",MabefshhHuruaftdQzntqpmiqf
Source: Giowcosi64.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: Giowcosi64.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000023BAE181340 LoadLibraryA,GetProcAddress,GetLastError, 4_2_0000023BAE181340
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000023BAE182018 push rax; retf 4_2_0000023BAE182021
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000002BB4AA82018 push rax; retf 5_2_000002BB4AA82021
Source: C:\Windows\System32\rundll32.exe Code function: 10_2_000001C801D62018 push rax; retf 10_2_000001C801D62021
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll64.exe TID: 3400 Thread sleep time: -120000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000023BAE181340 LoadLibraryA,GetProcAddress,GetLastError, 4_2_0000023BAE181340
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000023BAE182078 GetProcessHeap,memset, 4_2_0000023BAE182078
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Giowcosi64.dll",#1

Stealing of Sensitive Information:

Yara detected IcedID
Source: Yara match File source: 00000009.00000002.760354110.000002332F2D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.825167289.00000136B1430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.826795548.000001C801D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.744526075.0000023BAE170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.760108318.000002CA7BEE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.825171186.00000136B1440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1023090624.000001A9C7890000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.760094169.000002CA7BED0000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected IcedID
No contacted IP infos