General

  • Target

    2024-03-02_3ed3e409956b3dbf64f468c21db42827_icedid_xmrig

  • Size

    28.2MB

  • Sample

    240302-3p8evaah69

  • MD5

    3ed3e409956b3dbf64f468c21db42827

  • SHA1

    5598bddd81f0766c7dcde51b0b87896457fe24b5

  • SHA256

    79e795fc0d5c20c1598dfae04da6d8d15a1d0d336beef91e4b26721d6f720e49

  • SHA512

    6e7065373adc997cac79daf12b81f398a0692d0baba6fe28c208fd1885b6a47991ee80b964867e9d55d5e743c1611bb26e7abf9356eb128dec332613d400cad7

  • SSDEEP

    393216:dFgRfW+1WeWyGMR+mFgRfW+1WeWyGMR+dqh0Ttzt7:CBoBYqh0TFh

Targets

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • UAC bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory