blackmoon | 9b99d65ad5c5fed0bf7ee7ec1f2aa9c015190a9d3a08ae0e7276735e5334c30a | Triage

Submit
Reports

Overview

overview

Static

static

2024-01-29...id.exe

windows7-x64

2024-01-29...id.exe

windows10-2004-x64

Sharing

General

Target

2024-01-29_46ab5f6a3dc7b4ea0385a5fe7ec06e5d_hacktools_icedid
Size

2.0MB
Sample

240129-g53zeadddr
MD5

46ab5f6a3dc7b4ea0385a5fe7ec06e5d
SHA1

edfa63e3b56382b84c506840351b8e18c432ad4d
SHA256

9b99d65ad5c5fed0bf7ee7ec1f2aa9c015190a9d3a08ae0e7276735e5334c30a
SHA512

ef05ce8da4dc8a1138eac7a2b4b362991640fb6b5b68599b67eeaf49d20642d799497fe74fd2be7395fa2e11df5c42330b840ddbe09ecd43fe5fb7a3b0cc536f
SSDEEP

24576:nSH25PwcN2jx23LdZNtWFKVYIdaY5VFt1LuqJhDqGFeyUQPurCD8JYjSK5ECe:nlDoOTNtGKiIvfuRVy/Pur2Mge

Score

10^/10

blackmoon banker bootkit persistence trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

2024-01-29_46ab5f6a3dc7b4ea0385a5fe7ec06e5d_hacktools_icedid.exe

Resource

win7-20231215-en

blackmoon banker bootkit persistence trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

2024-01-29_46ab5f6a3dc7b4ea0385a5fe7ec06e5d_hacktools_icedid.exe

Resource

win10v2004-20231222-en

blackmoon banker bootkit persistence trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  2024-01-29_46ab5f6a3dc7b4ea0385a5fe7ec06e5d_hacktools_icedid
- Size
  
  2.0MB
- MD5
  
  46ab5f6a3dc7b4ea0385a5fe7ec06e5d
- SHA1
  
  edfa63e3b56382b84c506840351b8e18c432ad4d
- SHA256
  
  9b99d65ad5c5fed0bf7ee7ec1f2aa9c015190a9d3a08ae0e7276735e5334c30a
- SHA512
  
  ef05ce8da4dc8a1138eac7a2b4b362991640fb6b5b68599b67eeaf49d20642d799497fe74fd2be7395fa2e11df5c42330b840ddbe09ecd43fe5fb7a3b0cc536f
- SSDEEP
  
  24576:nSH25PwcN2jx23LdZNtWFKVYIdaY5VFt1LuqJhDqGFeyUQPurCD8JYjSK5ECe:nlDoOTNtGKiIvfuRVy/Pur2Mge
Score

10^/10

blackmoon banker bootkit persistence trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerbootkitpersistencetrojan

behavioral2

blackmoonbankerbootkitpersistencetrojan

© 2018-2024

Terms | Privacy