blackmoon | af0354685eed6dc6a81df1d9f7f0049e0318a0cb13c7e3b33db816531b4c03ef

Analysis

max time kernel
147s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe
Size

10.7MB
MD5

e8ebd7371423674eeaf3096be663bed8
SHA1

31ea5b998f973e7d218ab21797a35d3b3a3ca6aa
SHA256

af0354685eed6dc6a81df1d9f7f0049e0318a0cb13c7e3b33db816531b4c03ef
SHA512

362fe78da19bed48d84ad13b1d0051dfd93d7647a5342a074646df22c143597734f2446787007aa5cf5156ce85da01351651b1ae094afbaa8bc20f4e013da36d
SSDEEP

196608:k4ejnJcDKlFBqZcPzFwDxURK8vyqByLdlf3hRQIgLKND3JAD9:6ODKlFBqauayOclfhRQIG2D3uh

Score

10^/10

blackmoon chinese_generic_botnet banker botnet persistence spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000016056-3.dat	family_blackmoon
behavioral1/files/0x000b000000016056-6.dat	family_blackmoon

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/1936-8718-0x0000000000400000-0x000000000053C000-memory.dmp	unk_chinese_botnet

Detects executables packed with VMProtect. 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000016056-3.dat	INDICATOR_EXE_Packed_VMProtect
behavioral1/files/0x000b000000016056-6.dat	INDICATOR_EXE_Packed_VMProtect

UPX dump on OEP (original entry point) 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000016056-3.dat	UPX
behavioral1/files/0x000b000000016056-6.dat	UPX

Executes dropped EXE 2 IoCs

pid	Process
2980	ÎÞµ°Ä§Óò[¶Ü].exe
1936	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe
2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe
2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\Gkgqgko.exe"	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs

pid	Process
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Gkgqgko.exe	cmd.exe
File opened for modification	C:\Windows\Gkgqgko.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1936	cmd.exe
1936	cmd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe
2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe
2980	ÎÞµ°Ä§Óò[¶Ü].exe
2980	ÎÞµ°Ä§Óò[¶Ü].exe
1936	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2980	2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	28
PID 2020 wrote to memory of 2980	2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	28
PID 2020 wrote to memory of 2980	2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	28
PID 2020 wrote to memory of 2980	2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	28
PID 2020 wrote to memory of 1936	2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	29
PID 2020 wrote to memory of 1936	2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	29
PID 2020 wrote to memory of 1936	2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	29
PID 2020 wrote to memory of 1936	2020	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\ÎÞµ°Ä§Óò[¶Ü].exe
  "C:\Users\Admin\AppData\Roaming\ÎÞµ°Ä§Óò[¶Ü].exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2980
- C:\Users\Admin\AppData\Roaming\cmd.exe
  "C:\Users\Admin\AppData\Roaming\cmd.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cmd.exe

Filesize
944KB

MD5
a76c226baaef6352380bbcf17442f554

SHA1
163d718deec12af5a5764941377c8a59ffb93e84

SHA256
2418a667c78233cbd6cf0899cafe5aade8298e5ebde9cb2977da68258aa83125

SHA512
d6ee88480aeef06af49cfae8b9a6b7359979f59a155870ba80618238c240b797a7a183dadffb68d8ae78d08a8f1c97762847212605ab15368ff5df35c6b6996d

Download Submit
C:\Users\Admin\AppData\Roaming\ÎÞµ°Ä§Óò[¶Ü].exe

Filesize
7.1MB

MD5
ec398682b62bd15177ca741750ef26ea

SHA1
b44ed94b6910e4fc3dd59ff368883dcd36c31a9d

SHA256
db3166aedc176b9b34b5fc9568088b93a9aea2ef55415c6cf7fd8d7d6dcec9b9

SHA512
edfd629a8f8a0b88b5b7b1715f68b3f0a9c675ae9ec1ca926df15c93368b976533d9b190c947830e714656352136289f4ac2d612a86fd3d4c19a3bcde99dbff2

Download Submit
\Users\Admin\AppData\Roaming\ÎÞµ°Ä§Óò[¶Ü].exe

Filesize
7.4MB

MD5
0ac6865e19b27f570951fb4e9184eab5

SHA1
5d34ead7608fb9ca82e9af604872c766b2b58ef5

SHA256
b8b161764a701853495b012dc5dc7964821c083a1115f96ca2a24c6a1ef8bd2e

SHA512
a6dc060c14db147f96371fe3a4dbaf0025e4abd2acf8ade155c416e3af27857ab2c5ecbdc001f2b98c316b0a6cf79bc3c7b874d50f3d3ff57c14a4448f7a9639

Download Submit
memory/1936-861-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-891-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-20-0x0000000074FA0000-0x0000000074FE7000-memory.dmp

Filesize
284KB

Download
memory/1936-830-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-831-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-833-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-835-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-837-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-839-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-841-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-845-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-843-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-847-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-867-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-851-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-853-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-859-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-8718-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/1936-8711-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/1936-19-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/1936-849-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-869-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-865-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-855-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-871-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-873-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-875-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-877-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-879-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-881-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-883-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-885-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-887-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-863-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-889-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-2566-0x00000000020C0000-0x0000000002241000-memory.dmp

Filesize
1.5MB

Download
memory/1936-8706-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1936-857-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/2020-18-0x0000000003DB0000-0x0000000003EEC000-memory.dmp

Filesize
1.2MB

Download