General

  • Target

    2024-05-18_89e42e00a254301818f04bcd76fefffb_icedid_xiaobaminer

  • Size

    7.8MB

  • Sample

    240518-grfa7aeh49

  • MD5

    89e42e00a254301818f04bcd76fefffb

  • SHA1

    3aa475d0ad23f576088f0dad74d78f3f9cc8c419

  • SHA256

    5b72a670584e91af70c62db03fb28205b771fac2f072ea501a99014ddccb1b25

  • SHA512

    6b6cbff9e4ed3d42abc26d789574bd55c47bdee1ab9d308b5738644d49f04bfbf2003ed0581ae05e50fbaedf910ee152360c755a48f6668e4f3e109e6b53d823

  • SSDEEP

    98304:JT6tWQtZ/K0tGOFWVRuLftCTcm6Z6aLapI9:J6tWyZ/K0ttYVAATcm6Z6acI9

Malware Config

Targets

    • Target

      2024-05-18_89e42e00a254301818f04bcd76fefffb_icedid_xiaobaminer

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • UAC bypass

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other session secrets.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops autorun.inf file

      Malware can abuse Windows AutoRun to spread to further hosts via attached removable volumes.

    • Drops file in System32 directory
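
The signatures above name registry keys and file locations rather than the specific values this sample wrote. The following PowerShell helper is an added example for host triage, not part of the sandbox report and not code from the sample or the Blackmoon family: it enumerates the standard locations those behaviours touch (the Run and policy Run keys, the DisableRegistryTools and EnableLUA policy values, the Geo\Nation country-code value that location checks commonly read, autorun.inf at drive roots, and recently written files under System32 and System32\drivers) and returns what is set there so an analyst can compare a suspect host against the listed behaviours. The registry paths are standard Windows locations; which of them this sample actually modified is not stated on the page and is assumed only as a place to look, not as an indicator.

```powershell
# Added triage helper (not from the report or the sample). Enumerates the
# persistence, policy, geofence and autorun locations the report's signatures
# refer to. Run from an elevated, trusted shell; a live sample can hide from or
# tamper with checks run on an infected host.

function Get-RegValueSafe {
    param([string]$Path, [string]$Name)
    # Returns the value or $null when the key/value is absent (absent != disabled).
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch { return $null }
}

function Get-AutostartEntries {
    # Ordinary Run keys plus the Explorer policy Run keys
    # ("Adds Run key" / "Adds policy Run key to start application").
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # skip provider metadata
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-PolicyState {
    # DisableRegistryTools = 1 blocks regedit ("Disables RegEdit via registry modification").
    # EnableLUA = 0 means UAC is off ("Checks whether UAC is enabled").
    # Geo\Nation holds the GeoID the OS location setting maps to (assumed to be the
    # value read by "Checks computer location settings"; the page does not say).
    [pscustomobject]@{
        DisableRegistryTools = Get-RegValueSafe 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools'
        EnableLUA            = Get-RegValueSafe 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
        GeoNation            = Get-RegValueSafe 'HKCU:\Control Panel\International\Geo' 'Nation'
    }
}

function Get-AutorunInfFiles {
    # autorun.inf at the root of every mounted filesystem drive ("Drops autorun.inf file").
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        $candidate = Join-Path $_.Root 'autorun.inf'
        if (Test-Path $candidate) { Get-Item -Force $candidate }
    }
}

function Get-RecentSystemFiles {
    param([int]$Hours = 24)
    # Files written within the window under System32 and the Drivers directory
    # ("Drops file in System32 directory" / "Drops file in Drivers directory").
    $since = (Get-Date).AddHours(-$Hours)
    $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers")
    foreach ($d in $dirs) {
        Get-ChildItem -Path $d -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $since } |
            Select-Object FullName, LastWriteTime, Length
    }
}

# Usage: review each result set against the behaviours listed in the report.
Get-AutostartEntries | Format-Table -AutoSize
Get-PolicyState
Get-AutorunInfFiles | Select-Object FullName, LastWriteTime
Get-RecentSystemFiles -Hours 24 | Format-Table -AutoSize
```

Treat the output as a starting point, not a verdict: many Run entries and recent System32 writes are legitimate (updates, drivers), so pivot on the binaries they point to, their signatures and their creation times relative to the suspected infection window rather than on presence alone. A non-null DisableRegistryTools of 1 or EnableLUA of 0 on a workstation that should not have those policies is the more direct match to the signatures above.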

MITRE ATT&CK Enterprise v15

Tasks