blackmoon | af0354685eed6dc6a81df1d9f7f0049e0318a0cb13c7e3b33db816531b4c03ef

General

Target

2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe
Size

10.7MB
MD5

e8ebd7371423674eeaf3096be663bed8
SHA1

31ea5b998f973e7d218ab21797a35d3b3a3ca6aa
SHA256

af0354685eed6dc6a81df1d9f7f0049e0318a0cb13c7e3b33db816531b4c03ef
SHA512

362fe78da19bed48d84ad13b1d0051dfd93d7647a5342a074646df22c143597734f2446787007aa5cf5156ce85da01351651b1ae094afbaa8bc20f4e013da36d
SSDEEP

196608:k4ejnJcDKlFBqZcPzFwDxURK8vyqByLdlf3hRQIgLKND3JAD9:6ODKlFBqauayOclfhRQIG2D3uh

Score

10^/10

blackmoon chinese_generic_botnet banker botnet persistence spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023221-5.dat	family_blackmoon
behavioral2/files/0x0008000000023221-7.dat	family_blackmoon
behavioral2/files/0x0008000000023221-11.dat	family_blackmoon

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral2/memory/3440-13096-0x0000000010000000-0x0000000010017000-memory.dmp	unk_chinese_botnet
behavioral2/memory/3440-13101-0x0000000000400000-0x000000000053C000-memory.dmp	unk_chinese_botnet

Detects executables packed with VMProtect. 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023221-5.dat	INDICATOR_EXE_Packed_VMProtect
behavioral2/files/0x0008000000023221-7.dat	INDICATOR_EXE_Packed_VMProtect
behavioral2/files/0x0008000000023221-11.dat	INDICATOR_EXE_Packed_VMProtect

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023221-5.dat	UPX
behavioral2/files/0x0008000000023221-7.dat	UPX
behavioral2/files/0x0008000000023221-11.dat	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe

Executes dropped EXE 2 IoCs

pid	Process
1844	ÎÞµ°Ä§Óò[¶Ü].exe
3440	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gkgqgko.exe = "C:\\Users\\Admin\\AppData\\Roaming\\cmd.exe"	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs

pid	Process
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe
3440	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3440	cmd.exe
3440	cmd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4524	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe
4524	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe
1844	ÎÞµ°Ä§Óò[¶Ü].exe
1844	ÎÞµ°Ä§Óò[¶Ü].exe
3440	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 1844	4524	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	91
PID 4524 wrote to memory of 1844	4524	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	91
PID 4524 wrote to memory of 1844	4524	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	91
PID 4524 wrote to memory of 3440	4524	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	92
PID 4524 wrote to memory of 3440	4524	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	92
PID 4524 wrote to memory of 3440	4524	2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_e8ebd7371423674eeaf3096be663bed8_hacktools_icedid.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Roaming\ÎÞµ°Ä§Óò[¶Ü].exe
  "C:\Users\Admin\AppData\Roaming\ÎÞµ°Ä§Óò[¶Ü].exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1844
- C:\Users\Admin\AppData\Roaming\cmd.exe
  "C:\Users\Admin\AppData\Roaming\cmd.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cmd.exe

Filesize
944KB

MD5
a76c226baaef6352380bbcf17442f554

SHA1
163d718deec12af5a5764941377c8a59ffb93e84

SHA256
2418a667c78233cbd6cf0899cafe5aade8298e5ebde9cb2977da68258aa83125

SHA512
d6ee88480aeef06af49cfae8b9a6b7359979f59a155870ba80618238c240b797a7a183dadffb68d8ae78d08a8f1c97762847212605ab15368ff5df35c6b6996d

Download Submit
C:\Users\Admin\AppData\Roaming\ÎÞµ°Ä§Óò[¶Ü].exe

Filesize
5.6MB

MD5
9c7f661a8ca29eac572c0dc61b337270

SHA1
9a9e3d279d9799c9e8979841f69495e831a75a14

SHA256
af366c6925fe2978b04c86af3b8d2fbef2e60b12eb9db3badddda5af1822348f

SHA512
e61e6f77f30e9f42039a1947f96402c8bc23184e2ffd9b66d73aa3dab523fc24508c51ee87e2e4ce7d5308d22a9961a0ea48f146bcfe05cf92027a500fbf32be

Download Submit
C:\Users\Admin\AppData\Roaming\ÎÞµ°Ä§Óò[¶Ü].exe

Filesize
3.1MB

MD5
552fb45afbf4b373eed642cb479ea630

SHA1
7703b8905a5b072fd25d8b535fa6a0d0cc284a28

SHA256
5294242269d3aea639acd8e461f4134c370c602f4882d09311a884fcd509529b

SHA512
3a1af6f4df6a721eb9024f4c927255faeca71cc4efbcc65f8750ad998225f078d26ddc444196d5cffc99105706fe9e59c74dd33788217af35163eba7063526ee

Download Submit
C:\Users\Admin\AppData\Roaming\ÎÞµ°Ä§Óò[¶Ü].exe

Filesize
640KB

MD5
04a8bd492315dd7c2cc0c6df387c7501

SHA1
5c08b056e44fe84e0ace1ebf6f0f8d50fbed064c

SHA256
9a2ec284e419b93a8e3d1604771c0c3394d76fcc170b68cb6ef80070cf731baa

SHA512
9a48abe69e49f7e28223f12e0fc51c167531126c0d3d8951a10fcbc76322d715ac8077338517053adf127936e85cb7bc455316c32ce0021912803fec5a25162b

Download Submit
memory/3440-3897-0x00000000771A0000-0x0000000077340000-memory.dmp

Filesize
1.6MB

Download
memory/3440-23-0x00000000766A0000-0x00000000768B5000-memory.dmp

Filesize
2.1MB

Download
memory/3440-22-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/3440-5906-0x0000000077BA0000-0x0000000077C1A000-memory.dmp

Filesize
488KB

Download
memory/3440-13091-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/3440-13092-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/3440-13093-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/3440-13094-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/3440-13095-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/3440-13096-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/3440-13101-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads