blackmoon | a0ded4a88e62728739a8b3332c9b68f11d11cd783c06f2a4c2cc12f65e2791b8

General

Target

2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
Size

9.5MB
MD5

b946f8bf5db0d31e6ee4c1bcde6b6096
SHA1

df518d1daa224d5a61d58adb3354bb912a0d8c4b
SHA256

a0ded4a88e62728739a8b3332c9b68f11d11cd783c06f2a4c2cc12f65e2791b8
SHA512

bffd7f54bf012a65158ee971fd49c20da5540273f2ce7718dd1453b726ba3436a238177eacc6c31352e7481132212d6bf3d0f514a6b49fa572ec31186c8b0b70
SSDEEP

196608:ZN5JcDKlFBqZcPzFwDxURK8vyqByLdlf3hRQIgLKNc:ZvODKlFBqauayOclfhRQIG2c

Score

10^/10

blackmoon banker spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0036000000013a3a-2.dat	family_blackmoon
behavioral1/files/0x0036000000013a46-11.dat	family_blackmoon

Detects executables packed with VMProtect. 2 IoCs

resource	yara_rule
behavioral1/files/0x0036000000013a3a-2.dat	INDICATOR_EXE_Packed_VMProtect
behavioral1/files/0x0036000000013a46-11.dat	INDICATOR_EXE_Packed_VMProtect

UPX dump on OEP (original entry point) 2 IoCs

resource	yara_rule
behavioral1/files/0x0036000000013a3a-2.dat	UPX
behavioral1/files/0x0036000000013a46-11.dat	UPX

Executes dropped EXE 2 IoCs

pid	Process
2936	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
2788	63E3B0161EDD6B0047A2D74C4C5B02DF.exe

Loads dropped DLL 3 IoCs

pid	Process
2320	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
2320	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
2936	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
Token: SeDebugPrivilege	2320	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
Token: SeDebugPrivilege	2936	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
Token: SeDebugPrivilege	2936	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
Token: SeDebugPrivilege	2936	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2936	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
2320	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2936	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
2320	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2320	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
2936	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
2788	63E3B0161EDD6B0047A2D74C4C5B02DF.exe
2788	63E3B0161EDD6B0047A2D74C4C5B02DF.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2936	2320	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe	28
PID 2320 wrote to memory of 2936	2320	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe	28
PID 2320 wrote to memory of 2936	2320	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe	28
PID 2320 wrote to memory of 2936	2320	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe	28
PID 2936 wrote to memory of 2788	2936	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe	30
PID 2936 wrote to memory of 2788	2936	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe	30
PID 2936 wrote to memory of 2788	2936	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe	30
PID 2936 wrote to memory of 2788	2936	2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Roaming\Õù°Ô½ÄÏ\2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe
  "C:\Users\Admin\AppData\Roaming\Õù°Ô½ÄÏ\2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Roaming\Õù°Ô½ÄÏ\63E3B0161EDD6B0047A2D74C4C5B02DF.exe
    "C:\Users\Admin\AppData\Roaming\Õù°Ô½ÄÏ\63E3B0161EDD6B0047A2D74C4C5B02DF.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Õù°Ô½ÄÏ.lnk

Filesize
1KB

MD5
5d6b24fdd839a150632957c6b73764bd

SHA1
9a5e5b2a490aaac65003d397bfbadfc0aa26a601

SHA256
c340dc46a67e6623ae63def950505a44daa2a5ccb9b7957044e999457aa33c54

SHA512
8df9c50846d5d77122d88dcb4e413fdba8318af24d2e8e234577405cf7d19ba0bba6b0e11eb87907e58a835e811312d01fe98869a593a9c486fe7452f2cfcf23

Download Submit
\Users\Admin\AppData\Roaming\Õù°Ô½ÄÏ\2024-05-29_b946f8bf5db0d31e6ee4c1bcde6b6096_hacktools_icedid.exe

Filesize
9.5MB

MD5
b946f8bf5db0d31e6ee4c1bcde6b6096

SHA1
df518d1daa224d5a61d58adb3354bb912a0d8c4b

SHA256
a0ded4a88e62728739a8b3332c9b68f11d11cd783c06f2a4c2cc12f65e2791b8

SHA512
bffd7f54bf012a65158ee971fd49c20da5540273f2ce7718dd1453b726ba3436a238177eacc6c31352e7481132212d6bf3d0f514a6b49fa572ec31186c8b0b70

Download Submit
\Users\Admin\AppData\Roaming\Õù°Ô½ÄÏ\63E3B0161EDD6B0047A2D74C4C5B02DF.exe

Filesize
9.0MB

MD5
a2a1de3e3129ae79f45933a69028dd3c

SHA1
57b0fd5011fe7dd804a9a18593223d9bfeb90fe2

SHA256
fe820f3b0a405f1e6937ff8bfb92b345aefc15ca1723bab965111fd613938515

SHA512
f883536c8b6962e60c764b81d369abb8f6a174fe5a1b43adf769ebfdf2433bb0269a757f34153af9377715a2a9f294825877abeb18f9655c56a3a873874f127d

Download Submit

Analysis

Sharing