blackmoon | 36cb93e2d5dfa498df7eee7c14361597d2e838e6b702b6918c8cf3664adf979e

Analysis

max time kernel
94s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2023 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
Size

13.5MB
MD5

084b53f7a0920e455110e6d976c2289b
SHA1

5ec3b3f22afd4c29c3c39aaf227b9f9f6678913c
SHA256

36cb93e2d5dfa498df7eee7c14361597d2e838e6b702b6918c8cf3664adf979e
SHA512

a77586d05867b715ea7e4711d4ad1fbd5b91ab869a1d1a2782fa658df999b41bd88baebca5b7f1031e291c3baf24679470cb21340f9b33ce11ffd88d945dbbf2
SSDEEP

393216:a9yHhd/Ez8IPjlg9wn3NWD3/Dx7okxWmU8U7:awBd/c8UgoMDxMHmU8u

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ÌìÁúÐ¡ÃÛ[0430.1].exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\ÌìÁúÐ¡ÃÛ[0430.1].exe	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

ÌìÁúÐ¡ÃÛ[0430.1].exe

pid process

5016 ÌìÁúÐ¡ÃÛ[0430.1].exe

pid	process
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe

Loads dropped DLL 4 IoCs

Processes:

2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exeÌìÁúÐ¡ÃÛ[0430.1].exe

pid	process
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe

Drops file in Windows directory 1 IoCs

Processes:

2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe

description ioc process

File created C:\Windows\Media\xminfo.wav 2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Media\xminfo.wav	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	41	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exeÌìÁúÐ¡ÃÛ[0430.1].exe

pid	process
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exeÌìÁúÐ¡ÃÛ[0430.1].exe

description	pid	process
Token: SeDebugPrivilege	4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
Token: SeDebugPrivilege	4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
Token: SeDebugPrivilege	4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
Token: SeDebugPrivilege	5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
Token: SeDebugPrivilege	5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
Token: SeDebugPrivilege	5016	ÌìÁúÐ¡ÃÛ[0430.1].exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exeÌìÁúÐ¡ÃÛ[0430.1].exe

pid	process
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe
5016	ÌìÁúÐ¡ÃÛ[0430.1].exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe

description	pid	process	target process
PID 4968 wrote to memory of 5016	4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe	ÌìÁúÐ¡ÃÛ[0430.1].exe
PID 4968 wrote to memory of 5016	4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe	ÌìÁúÐ¡ÃÛ[0430.1].exe
PID 4968 wrote to memory of 5016	4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe	ÌìÁúÐ¡ÃÛ[0430.1].exe
PID 4968 wrote to memory of 4948	4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe	cmd.exe
PID 4968 wrote to memory of 4948	4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe	cmd.exe
PID 4968 wrote to memory of 4948	4968	2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2023-04-29_084b53f7a0920e455110e6d976c2289b_hacktools_icedid.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\ÌìÁúÐ¡ÃÛ[0430.1].exe
C:\Users\Admin\AppData\Local\Temp\ÌìÁúÐ¡ÃÛ[0430.1].exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ .bat""
2⤵
PID:4948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ .bat

Filesize
165B

MD5
da5d0e7ff5fe982f4d8cef8e107a13d2

SHA1
24f66619a3884fc07954aff87eb4e084ce16d93b

SHA256
961f74320f02da0655cf630f95568c2a14062955512ea0379d2d14d62ad4be22

SHA512
cd86c081ee9c6c1b3559ed316b475ac5392867710d495a79cf3ed1fd6a14aa18496160927a2207eb90af092e2892ab9277fcc32f37d2a3cf353a03d8382e3d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9E1.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9F1.tmp

Filesize
1.6MB

MD5
5870ea0d6ba8dd6e2008466bdd00e0f4

SHA1
d41bf60d0dedff90e3cfc1b41b7e1a73df39a7d5

SHA256
5a7dac8c8b5d7cf1115246dfaf994e7f50e16a7eac1488642396f5e23fddfe0d

SHA512
0c620d5e7383adcf979feccc3b1bad584a5cec8b3d74d0ace8bb786f1f04ba87fa70d59d041dc3833977d44a75f2070181d4054c7c0b9c4ce2d66249b4b3c837

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA11.tmp

Filesize
137KB

MD5
f6b847a54cfb804a25b8842b45fd1d50

SHA1
bb22fef07ce1577c8a7fa057d8cf05502c013bfc

SHA256
5dd2f5a957946e0b6f63660ebd897851aad4795d4c847396c47ddbb647715583

SHA512
dd08a55f538e2a33e6a0c496dc97ae9045594cbbf62f7894ae8ded63f4dc0b2e89c5935269adfd1c19607b1d2474bddc49f6acb955e6dc53a55560663ca2137a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÌìÁúÐ¡ÃÛ[0430.1].exe

Filesize
13.6MB

MD5
811f3ca6197e1fb57b0a339c73056ae7

SHA1
20cf6ed71c67b593e86b6fd81845910bb73bac9f

SHA256
23ca3d2fe7861fd6f4260d266fb003031aa30f5f92baffc1946805c133821fa8

SHA512
42f5a36cb0176f72d2a1b3277fca8b562ba99f45dd277b0a7883c91f8eed9b57ec2c453939747618619d50f56caca3753f03705684c98c269a9159325faa1177

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÌìÁúÐ¡ÃÛ[0430.1].exe

Filesize
13.6MB

MD5
811f3ca6197e1fb57b0a339c73056ae7

SHA1
20cf6ed71c67b593e86b6fd81845910bb73bac9f

SHA256
23ca3d2fe7861fd6f4260d266fb003031aa30f5f92baffc1946805c133821fa8

SHA512
42f5a36cb0176f72d2a1b3277fca8b562ba99f45dd277b0a7883c91f8eed9b57ec2c453939747618619d50f56caca3753f03705684c98c269a9159325faa1177

Download Submit
C:\Windows\Media\xminfo.wav

Filesize
10B

MD5
8e63a3dd3993866cccd5c1741f28016b

SHA1
5b6edfa8017e1267862a497410882883a17ef81c

SHA256
277b14d2f2720f49b7a7f53e27b2ee17694384a4c0ffa78a76a40d1e47af3b3f

SHA512
f9751e79987a39227b10c7a7edec2ae269c3645d312acb1bcd87ec4e0b4677a2c9df4d52986555f073663217397c11fa801ce608817315ed74148d756543794e

Download Submit
C:\ÌìÁúÐ¡ÃÛ\ÅäÖÃÎÄ¼þ\ÅäÖÃÎÄ¼þ.ini

Filesize
72B

MD5
d2e34a631a9218349387d46a9f737cd2

SHA1
05aea73c11bc715058e6f9e4f0a247f12b1abcdc

SHA256
7e55963316647ad8136c1a42c3cb94c5a005296ccc7fd6b66cff8cbe742815da

SHA512
e997597b735a8bedeb4c0c0bf2845d15790fbfc35d0d407f7e74ceb209b5f17b0f53f56b4c71d0dae17ede564ee9ccdf1c46d7c4839b1925c17ec1f7dca0f720

Download Submit
C:\ÌìÁúÐ¡ÃÛ\ÅäÖÃÎÄ¼þ\ÅäÖÃÎÄ¼þ.ini

Filesize
72B

MD5
d2e34a631a9218349387d46a9f737cd2

SHA1
05aea73c11bc715058e6f9e4f0a247f12b1abcdc

SHA256
7e55963316647ad8136c1a42c3cb94c5a005296ccc7fd6b66cff8cbe742815da

SHA512
e997597b735a8bedeb4c0c0bf2845d15790fbfc35d0d407f7e74ceb209b5f17b0f53f56b4c71d0dae17ede564ee9ccdf1c46d7c4839b1925c17ec1f7dca0f720

Download Submit
C:\ÌìÁúÐ¡ÃÛ\ÔËÐÐÎÄ¼þ\QYCJ.dll

Filesize
3.0MB

MD5
54da9cb20347baec926b6678f8efb3ab

SHA1
18ca10861aa561c56666270cca7fd44c73c28d72

SHA256
038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390

SHA512
e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b

Download Submit
C:\ÌìÁúÐ¡ÃÛ\ÔËÐÐÎÄ¼þ\QYCJ.dll

Filesize
3.0MB

MD5
54da9cb20347baec926b6678f8efb3ab

SHA1
18ca10861aa561c56666270cca7fd44c73c28d72

SHA256
038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390

SHA512
e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b

Download Submit
C:\ÌìÁúÐ¡ÃÛ\ÔËÐÐÎÄ¼þ\QYCJ.dll

Filesize
3.0MB

MD5
54da9cb20347baec926b6678f8efb3ab

SHA1
18ca10861aa561c56666270cca7fd44c73c28d72

SHA256
038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390

SHA512
e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b

Download Submit
C:\ÌìÁúÐ¡ÃÛ\ÔËÐÐÎÄ¼þ\QYCJ.dll

Filesize
3.0MB

MD5
54da9cb20347baec926b6678f8efb3ab

SHA1
18ca10861aa561c56666270cca7fd44c73c28d72

SHA256
038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390

SHA512
e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b

Download Submit
C:\ÌìÁúÐ¡ÃÛ\ÔËÐÐÎÄ¼þ\QYCJ.dll

Filesize
3.0MB

MD5
54da9cb20347baec926b6678f8efb3ab

SHA1
18ca10861aa561c56666270cca7fd44c73c28d72

SHA256
038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390

SHA512
e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b

Download Submit
C:\ÌìÁúÐ¡ÃÛ\ÔËÐÐÎÄ¼þ\QYCJ.dll

Filesize
3.0MB

MD5
54da9cb20347baec926b6678f8efb3ab

SHA1
18ca10861aa561c56666270cca7fd44c73c28d72

SHA256
038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390

SHA512
e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b

Download Submit
memory/4968-161-0x0000000005C50000-0x000000000629C000-memory.dmp

Filesize
6.3MB

Download
memory/4968-160-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/5016-210-0x00000000016D0000-0x00000000016D1000-memory.dmp

Filesize
4KB

Download
memory/5016-211-0x0000000005AE0000-0x000000000612C000-memory.dmp

Filesize
6.3MB

Download