blackmoon | 973747e94c1034b65010cc657f314c451b74995425b828b73f4d719faa7e9a8b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Size

4.1MB
MD5

4611aff75eb30f686071da3c80dcfe4b
SHA1

8679083ba7051bfb5cafedb0e06d06f055706f88
SHA256

973747e94c1034b65010cc657f314c451b74995425b828b73f4d719faa7e9a8b
SHA512

7b2753be2f4cb341e89ac08dadf383b590b733943bdb0fdedc98f013955e8686b343a5e4e93376eb0e0868f0a53a0351ef54481b05b440519ee95c7d0a6d6ed3
SSDEEP

49152:iW4tgBsykmswdXO7vDNChMQswkczu6z3alz53wJWqH:ggBsZmsMCvAaoznzqNEL

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 6 IoCs

resource	yara_rule
behavioral1/memory/1964-10-0x0000000000400000-0x0000000000847000-memory.dmp	family_blackmoon
behavioral1/memory/1964-14-0x0000000000400000-0x0000000000847000-memory.dmp	family_blackmoon
behavioral1/memory/1964-15-0x0000000000400000-0x0000000000847000-memory.dmp	family_blackmoon
behavioral1/memory/1964-16-0x0000000000400000-0x0000000000847000-memory.dmp	family_blackmoon
behavioral1/memory/1964-17-0x0000000000400000-0x0000000000847000-memory.dmp	family_blackmoon
behavioral1/memory/1964-18-0x0000000000400000-0x0000000000847000-memory.dmp	family_blackmoon

Detects Windows executables referencing non-Windows User-Agents 6 IoCs

resource	yara_rule
behavioral1/memory/1964-10-0x0000000000400000-0x0000000000847000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1964-14-0x0000000000400000-0x0000000000847000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1964-15-0x0000000000400000-0x0000000000847000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1964-16-0x0000000000400000-0x0000000000847000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1964-17-0x0000000000400000-0x0000000000847000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1964-18-0x0000000000400000-0x0000000000847000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 1	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeCreateTokenPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeAssignPrimaryTokenPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeLockMemoryPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeIncreaseQuotaPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeMachineAccountPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeTcbPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeSecurityPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeTakeOwnershipPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeLoadDriverPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeSystemProfilePrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeSystemtimePrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeProfSingleProcessPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeIncBasePriorityPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeCreatePagefilePrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeCreatePermanentPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeBackupPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeRestorePrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeShutdownPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeDebugPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeAuditPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeSystemEnvironmentPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeChangeNotifyPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeRemoteShutdownPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeUndockPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeSyncAgentPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeEnableDelegationPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeManageVolumePrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeImpersonatePrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeCreateGlobalPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 31	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 32	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 33	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 34	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 35	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 36	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 37	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 38	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 39	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 40	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 41	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 42	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 43	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 44	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 45	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 46	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 47	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 48	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeDebugPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeDebugPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: 1	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
Token: SeDebugPrivilege	1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
1964	2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_4611aff75eb30f686071da3c80dcfe4b_icedid.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1964-0-0x0000000000532000-0x0000000000533000-memory.dmp

Filesize
4KB

Download
memory/1964-10-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/1964-14-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/1964-15-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/1964-16-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/1964-17-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/1964-18-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download