General

  • Target

    2024-12-24_b79edeb1c46fc6015abd43903c343b28_icedid_xmrig

  • Size

    8.7MB

  • Sample

    241224-ba1ynsxjhw

  • MD5

    b79edeb1c46fc6015abd43903c343b28

  • SHA1

    80b03c124781da4ff030f3d9303dcfd257d0335f

  • SHA256

    5656e0562d8a787d324bdaaf5f88b8db5879d0dfe782d57052bca53214e0fa49

  • SHA512

    ab21e3722543c9fcb05682dc4fd7ed04352890c33ba25802b887f6f8ee03880392308d0790114fd37ffa14e7bcba6e39ebd59de2ae89566efec2666f5cfef723

  • SSDEEP

    98304:dvfapmo1Y4+6Y7SOEfX/SbgRbKCIuVOxIVr1hu52BSUXfcrRk0kq4DfQ5nBnEQWV:da9+6Y7SOEibgRAu+OYr23iBTYSOyCR

Targets

    • Blackmoon family

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • UAC bypass

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15