General

  • Target

    2024-12-24_5c7a596f962c637922c037748c4b9771_icedid_xmrig

  • Size

    4.8MB

  • Sample

    241224-a6p1lsxkcp

  • MD5

    5c7a596f962c637922c037748c4b9771

  • SHA1

    68c4097370dd9f97b531c13e7f9d788591cc6abe

  • SHA256

    065c3d542b97ac6b4d8f85fd0babdc06f02c347256e1e5f86482f09c4796e534

  • SHA512

    0dd9d011f91a197472fdd1543f798c0ae003d6ec78659aeb9a59aa0228da53d860adaf8463a3bdefca4ef12c0d9a14afadf016664f0773cff44219ef6680de3b

  • SSDEEP

    98304:dvfapmo1Y4+6Y7SOEfX/SbgRiZPYtOOniQHkmy1y3JyZW:da9+6Y7SOEibgRihQHpEy3JyZW

Malware Config

Targets

    • Target

      2024-12-24_5c7a596f962c637922c037748c4b9771_icedid_xmrig

    • Size

      4.8MB

    • MD5

      5c7a596f962c637922c037748c4b9771

    • SHA1

      68c4097370dd9f97b531c13e7f9d788591cc6abe

    • SHA256

      065c3d542b97ac6b4d8f85fd0babdc06f02c347256e1e5f86482f09c4796e534

    • SHA512

      0dd9d011f91a197472fdd1543f798c0ae003d6ec78659aeb9a59aa0228da53d860adaf8463a3bdefca4ef12c0d9a14afadf016664f0773cff44219ef6680de3b

    • SSDEEP

      98304:dvfapmo1Y4+6Y7SOEfX/SbgRiZPYtOOniQHkmy1y3JyZW:da9+6Y7SOEibgRihQHpEy3JyZW

    • Blackmoon family

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • UAC bypass

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks