General

  • Target

    2024-12-24_1cc1f1ac450e0f1fd571c70bb0f1c9d8_icedid_xmrig

  • Size

    3.8MB

  • Sample

    241224-a4fn6awqhy

  • MD5

    1cc1f1ac450e0f1fd571c70bb0f1c9d8

  • SHA1

    1c5e98a096502b2655a8915333db74802296ccea

  • SHA256

    fe7ccecbc6a3c48b1d0e46013255d6a22999ae42ee06a4e31e2f1da4d2f77681

  • SHA512

    4d60a85204c4368fb3b82ccd34742eebcad88aab75352f811cc3ef5f92d825c44f38646cff6c492d79ce01b868444a4aca39bf32be144f02c3332351993cfc73

  • SSDEEP

    98304:dvfapmo1Y4+6Y7SOEfX/SbgR98Jy91SHINL8:da9+6Y7SOEibgRrwo+

Malware Config

Targets

    • Target

      2024-12-24_1cc1f1ac450e0f1fd571c70bb0f1c9d8_icedid_xmrig

    • Size

      3.8MB

    • MD5

      1cc1f1ac450e0f1fd571c70bb0f1c9d8

    • SHA1

      1c5e98a096502b2655a8915333db74802296ccea

    • SHA256

      fe7ccecbc6a3c48b1d0e46013255d6a22999ae42ee06a4e31e2f1da4d2f77681

    • SHA512

      4d60a85204c4368fb3b82ccd34742eebcad88aab75352f811cc3ef5f92d825c44f38646cff6c492d79ce01b868444a4aca39bf32be144f02c3332351993cfc73

    • SSDEEP

      98304:dvfapmo1Y4+6Y7SOEfX/SbgR98Jy91SHINL8:da9+6Y7SOEibgRrwo+

    • Blackmoon family

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • UAC bypass

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks