blackmoon | 03bd0dddf1b312469c908974dcb17763662a8023c346ba47386545e9dce8fc52

General

Target

2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe
Size

1.7MB
MD5

e14ed60fa2852dbedd00f54387fabca5
SHA1

d68677f26d1fcb4ef0c314b53c517b5c8f5db904
SHA256

03bd0dddf1b312469c908974dcb17763662a8023c346ba47386545e9dce8fc52
SHA512

5f39494f704cf3475d2759d1f7885c25229154d9d5d74eb00073871655014b0f85f6b83600e8da733d3f541b144b5d9ec7c235986e197a6fc1e76ca6771cc58a
SSDEEP

24576:wHnmlJblvSdFP8THlhqe1kh8eOUvAK6kMU0MG0aw/FODVQLeBtaZMbPS8BehyDlr:SmHz0E8AK6kMfSibPrecW

Score

10^/10

blackmoon banker persistence trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/548-9-0x0000000000400000-0x0000000000611000-memory.dmp	family_blackmoon
behavioral1/files/0x000c0000000133b0-21.dat	family_blackmoon
behavioral1/memory/548-20-0x0000000000400000-0x0000000000611000-memory.dmp	family_blackmoon
behavioral1/files/0x000c0000000133b0-13.dat	family_blackmoon

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral1/memory/548-4-0x0000000000400000-0x0000000000611000-memory.dmp	UPX
behavioral1/memory/548-7-0x0000000000400000-0x0000000000611000-memory.dmp	UPX
behavioral1/memory/548-6-0x0000000000400000-0x0000000000611000-memory.dmp	UPX
behavioral1/memory/548-9-0x0000000000400000-0x0000000000611000-memory.dmp	UPX
behavioral1/memory/2928-24-0x00000000000F0000-0x00000000000FB000-memory.dmp	UPX
behavioral1/files/0x000c0000000133b0-21.dat	UPX
behavioral1/memory/548-20-0x0000000000400000-0x0000000000611000-memory.dmp	UPX
behavioral1/files/0x000c0000000133b0-13.dat	UPX
behavioral1/memory/2928-26-0x00000000000F0000-0x00000000000FB000-memory.dmp	UPX

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SQL Server Reporting Services (MSSQLSERVSER)\Parameters\ServiceDll = "C:\\ProgramData\\Microsoft\\Windows\\GameExplorer\\Remote.hlp"	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2928	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/548-4-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/548-7-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/548-6-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/548-9-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/2928-24-0x00000000000F0000-0x00000000000FB000-memory.dmp	upx
behavioral1/memory/548-20-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/2928-26-0x00000000000F0000-0x00000000000FB000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Delete00.bat	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2188 set thread context of 548	2188	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	28

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2932	sc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2560	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
548	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe
2928	svchost.exe
2928	svchost.exe
2928	svchost.exe
2928	svchost.exe
2928	svchost.exe
2928	svchost.exe
2928	svchost.exe
2928	svchost.exe
2928	svchost.exe
2928	svchost.exe
2928	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe
Token: SeDebugPrivilege	2928	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 548	2188	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	28
PID 2188 wrote to memory of 548	2188	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	28
PID 2188 wrote to memory of 548	2188	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	28
PID 2188 wrote to memory of 548	2188	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	28
PID 2188 wrote to memory of 548	2188	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	28
PID 2188 wrote to memory of 548	2188	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	28
PID 2188 wrote to memory of 548	2188	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	28
PID 2188 wrote to memory of 548	2188	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	28
PID 2188 wrote to memory of 548	2188	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	28
PID 548 wrote to memory of 2932	548	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	29
PID 548 wrote to memory of 2932	548	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	29
PID 548 wrote to memory of 2932	548	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	29
PID 548 wrote to memory of 2932	548	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	29
PID 548 wrote to memory of 2660	548	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	31
PID 548 wrote to memory of 2660	548	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	31
PID 548 wrote to memory of 2660	548	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	31
PID 548 wrote to memory of 2660	548	2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe	31
PID 2660 wrote to memory of 2560	2660	cmd.exe	33
PID 2660 wrote to memory of 2560	2660	cmd.exe	33
PID 2660 wrote to memory of 2560	2660	cmd.exe	33
PID 2660 wrote to memory of 2560	2660	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\2024-02-01_e14ed60fa2852dbedd00f54387fabca5_icedid.exe
  2⤵
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\sc.exe
    sc failure SQL Server Reporting Services (MSSQLSERVSER) reset= 86400 actions= restart/1000
    3⤵
    - Launches sc.exe
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\System32\\Delete00.bat
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2560

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Delete00.bat

Filesize
151B

MD5
989005fe39e7f07af776f46432c74dcf

SHA1
b35b4853ae88d110518c26256e289728f4eb8728

SHA256
dc5b0b17746e2b502f3188f3a5bf42dbcd573afcfea1f0c52db7b6b4e06dddd0

SHA512
c23cf6070b6827e36d40499fe59b350faff08820895fc92e89fbf73ab245c9c6c09a5d2040042fb4de7d11382170e9807ad35b967a673b519838cee47caffd2a

Download Submit
\??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp

Filesize
347KB

MD5
8ad1d8882337d5e43ae910e91dd77f9b

SHA1
147009546a348aa89827b5bbfebfc17cd2ed97d0

SHA256
4adac2c0bb2678a9361781b826876b3a99979b139b35f10330e7b90f2c596305

SHA512
0ec36d14bce9485bf84b25d58074ffb998ff9629ce6352ac0cce2f75a09542533fa7be4a756c7e06867f76fe51f916547668236a3d93eca1317a7fae2026e9f2

Download Submit
\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp

Filesize
267KB

MD5
b3d47c085384a23848cf1e34d7f9eb19

SHA1
ccbfc014019734b0f725b965e0bbf582d7834043

SHA256
f32000d92bfbebdfd9f462a69d92b135e4d0b99e22edf4c53b71aaaf576ddea3

SHA512
0b6893c585ee7ecc8ce41a105f3bd09a3001ac377cc89edfaf4f9dbcc616237f89ed6bd227ae5962b55d7b79427c547872bc2a979c13517c94cf96112bbef9ce

Download Submit
memory/548-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/548-2-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/548-4-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/548-7-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/548-6-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/548-9-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/548-20-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2928-24-0x00000000000F0000-0x00000000000FB000-memory.dmp

Filesize
44KB

Download
memory/2928-26-0x00000000000F0000-0x00000000000FB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads