blackmoon | 0cb412b4cba1cf5c0d3899c25a31980d5b4117fc448f6073ad134e2d1dccd39b | Triage

Submit
Reports

Overview

overview

Static

static

2023-04-29...er.exe

windows7-x64

2023-04-29...er.exe

windows10-2004-x64

Sharing

General

Target

2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer
Size

1.2MB
Sample

230430-en91aagh21
MD5

3805a528be33b01aa59408a38787d6c9
SHA1

329e122b904742d4586a0872edc9b6b48e9b189a
SHA256

0cb412b4cba1cf5c0d3899c25a31980d5b4117fc448f6073ad134e2d1dccd39b
SHA512

c3d868699fe04f1306abbd85befefe6d3ac451fe44543f6af18936f781db749f775f57eaa1756feacd8e7ab40f4491ea4c128a4cfd5baa457d368e90b30e6917
SSDEEP

24576:9bByw7EJLbByw7EJNMaS5jcAkSYqyEGjOlDM0:9bYwI9bYwIfMfpYqmj2D

Score

10^/10

blackmoon banker evasion persistence trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe

Resource

win7-20230220-en

blackmoon banker evasion persistence trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe

Resource

win10v2004-20230220-en

blackmoon banker evasion persistence trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer
- Size
  
  1.2MB
- MD5
  
  3805a528be33b01aa59408a38787d6c9
- SHA1
  
  329e122b904742d4586a0872edc9b6b48e9b189a
- SHA256
  
  0cb412b4cba1cf5c0d3899c25a31980d5b4117fc448f6073ad134e2d1dccd39b
- SHA512
  
  c3d868699fe04f1306abbd85befefe6d3ac451fe44543f6af18936f781db749f775f57eaa1756feacd8e7ab40f4491ea4c128a4cfd5baa457d368e90b30e6917
- SSDEEP
  
  24576:9bByw7EJLbByw7EJNMaS5jcAkSYqyEGjOlDM0:9bYwI9bYwIfMfpYqmj2D
Score

10^/10

blackmoon banker evasion persistence trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- UAC bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Disables RegEdit via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

blackmoonbankerevasionpersistencetrojan

behavioral2

blackmoonbankerevasionpersistencetrojan

© 2018-2024

Terms | Privacy