Analytics Story: IcedID
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.
Why it matters
IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains "license.dat" which is the actual core icedid bot.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
Powershell Script Block Logging 4104 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
Sysmon EventID 1 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 11 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 12 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 13 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 22 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 7 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 8 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 4688 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 4698 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 5140 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 5145 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log TaskScheduler 200 | Windows | wineventlog |
WinEventLog:Microsoft-Windows-TaskScheduler/Operational |
References
- https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/
- https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/
Source: GitHub | Version: 1