Malware Analysis Report

2025-08-05 17:02

Sample ID 240107-yay6eadfa3
Target 20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe
SHA256 d2fcd69ea514d5d72f88f86f3605d8559f1f94be3c064ee57e2f23bccb7b4961
Tags
blackmoon banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d2fcd69ea514d5d72f88f86f3605d8559f1f94be3c064ee57e2f23bccb7b4961

Threat Level: Known bad

The file 20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe was found to be: Known bad.

Malicious Activity Summary

blackmoon banker trojan

Detect Blackmoon payload

Blackmoon family

Blackmoon, KrBanker

Loads dropped DLL

Executes dropped EXE

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:35

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:35

Reported

2024-01-07 19:38

Platform

win7-20231129-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TPHelper.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe

"C:\Users\Admin\AppData\Local\Temp\20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe"

C:\Users\Admin\AppData\Local\Temp\TPHelper.exe

C:\Users\Admin\AppData\Local\Temp\\TPHelper.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\RCX4E2.tmp

MD5 35ad2688f70633fe65f435f7aac8391f
SHA1 d0fd9ea0fa3836688064f50d5c96f281e2830b42
SHA256 1b0482ba2c3c72a71508a009c881c1f45193a7b3987d3f76b8cf43263cc78cec
SHA512 4d157e8b0429a1f3b167bd7d6302435bf436b253e6cc1043e4e0e34bd2094a658f13846b18f99bc968e74fdd0a1f52de1e073afffad3049d5f458e0f7bc3b4b4

memory/2380-16-0x00000000024F0000-0x0000000002765000-memory.dmp

memory/2224-18-0x0000000000400000-0x0000000000675000-memory.dmp

memory/2224-19-0x0000000010000000-0x0000000010295000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TPHelperBase.dll

MD5 def3b0579cea1e1bcd6c30a818f0a2e5
SHA1 e57da62fd32d02725eebb27bae3f830ce4148f1d
SHA256 d81a87646314713e9242650e72e442e8a306864ba6f0a615e215828b0cf23756
SHA512 4b17880768a1c72856940350416381496d60b2feb0f6274d141c4ce2d7a7da64a534debdeb5651e76440a742c4767df3ff0315841a466330b3010f47bc5175f6

memory/2224-20-0x00000000766B0000-0x00000000766F7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TPHelper.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\TPHelper.exe

MD5 a413d742ab8168ddf9ca8a12df5757f3
SHA1 96e4fae4ed92d83126aeeb3d207491c64bea903a
SHA256 25f508f415a9890f2da568cd830499334c340fc88a840cd1b77862182f63d753
SHA512 88eca809348c15924b4627d675e5423073e6760d26d1fd4946c5a4001bea2d4406e3836d787790ec85d0ad3a5acbf25bbe932043a93040564feaf7d29d95eabd

memory/2224-837-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-849-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-861-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-869-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-879-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-887-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-891-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-889-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-885-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-883-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-881-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-877-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-875-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-873-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-871-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-867-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-865-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-863-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-859-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-857-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-855-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-853-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-851-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-847-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-845-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-843-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-841-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-839-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-835-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-833-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-831-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-830-0x00000000025A0000-0x00000000026B1000-memory.dmp

memory/2224-2567-0x0000000000400000-0x0000000000675000-memory.dmp

memory/2224-2566-0x0000000010000000-0x0000000010295000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:35

Reported

2024-01-07 19:38

Platform

win10v2004-20231222-en

Max time kernel

3s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TPHelper.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TPHelper.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\TPHelper.exe

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe

"C:\Users\Admin\AppData\Local\Temp\20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe"

C:\Users\Admin\AppData\Local\Temp\TPHelper.exe

C:\Users\Admin\AppData\Local\Temp\\TPHelper.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2464 -ip 2464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 540

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 31.179.17.96.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2464-16-0x0000000000400000-0x0000000000675000-memory.dmp

memory/2464-17-0x0000000010000000-0x0000000010295000-memory.dmp

memory/2464-18-0x0000000075C10000-0x0000000075E25000-memory.dmp

memory/2464-3892-0x0000000010000000-0x0000000010295000-memory.dmp

memory/2464-3893-0x0000000000400000-0x0000000000675000-memory.dmp