General
-
Target
2024-05-20_f5eede3c36e6f9ab3941975ab2f3e8cf_icedid_xiaobaminer
-
Size
6.0MB
-
Sample
240520-wqck8sbe36
-
MD5
f5eede3c36e6f9ab3941975ab2f3e8cf
-
SHA1
e9f30913bd9a5b3b7b2dc35f501c525a0a89fdf7
-
SHA256
4a3efecb7f6665bc7d79e32802b9ce626a8f83b069a7f38449385009302937cc
-
SHA512
81c733abd50892770bd4fd9f6cc969447680ae62a01fd91b2264f1014d0366a6123bcdd38ad9642716785e4ed4e82479bab7329332d1c8ac2a8ee252c8e0c623
-
SSDEEP
49152:7iYgiAmOHYew6TKAQatzuvFS/KCGZd0qgNEf16lhulJLirHJIZ/K0tDAy49uO7GJ:/AmgGWQtZ/K0tGOFWVRuLftCTt6Z6
Malware Config
Targets
-
-
Target
2024-05-20_f5eede3c36e6f9ab3941975ab2f3e8cf_icedid_xiaobaminer
-
Size
6.0MB
-
MD5
f5eede3c36e6f9ab3941975ab2f3e8cf
-
SHA1
e9f30913bd9a5b3b7b2dc35f501c525a0a89fdf7
-
SHA256
4a3efecb7f6665bc7d79e32802b9ce626a8f83b069a7f38449385009302937cc
-
SHA512
81c733abd50892770bd4fd9f6cc969447680ae62a01fd91b2264f1014d0366a6123bcdd38ad9642716785e4ed4e82479bab7329332d1c8ac2a8ee252c8e0c623
-
SSDEEP
49152:7iYgiAmOHYew6TKAQatzuvFS/KCGZd0qgNEf16lhulJLirHJIZ/K0tDAy49uO7GJ:/AmgGWQtZ/K0tGOFWVRuLftCTt6Z6
Score10/10-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload
-
UAC bypass
-
Adds policy Run key to start application
-
Disables RegEdit via registry modification
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2