Malware Analysis Report

2024-11-16 15:18

Sample ID 240606-q5w1jaeh9x
Target 2024-06-06_fa26cfd5a2f621c95254e4f5ed6debae_icedid
SHA256 3b4948df3b46a9f63d0ee48b73794b1ff6cbfd15531566c671746fe6c9ffd961
Tags blackmoon banker trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 3b4948df3b46a9f63d0ee48b73794b1ff6cbfd15531566c671746fe6c9ffd961

Threat Level: Known bad

The file 2024-06-06_fa26cfd5a2f621c95254e4f5ed6debae_icedid was found to be: Known bad.

Malicious Activity Summary

blackmoon banker trojan upx

Detect Blackmoon payload

UPX dump on OEP (original entry point)

Blackmoon family

Blackmoon, KrBanker

UPX dump on OEP (original entry point)

Checks computer location settings

UPX packed file

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-06 13:51

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 13:51

Reported

2024-06-06 13:53

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_fa26cfd5a2f621c95254e4f5ed6debae_icedid.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-06_fa26cfd5a2f621c95254e4f5ed6debae_icedid.exe
Target: N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_fa26cfd5a2f621c95254e4f5ed6debae_icedid.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_fa26cfd5a2f621c95254e4f5ed6debae_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_fa26cfd5a2f621c95254e4f5ed6debae_icedid.exe"

C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe

"C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe" --conf-path="C:\Users\Admin\AppData\Roaming\Downloader\aria2.conf" #--save-session="C:\Users\Admin\AppData\Roaming\Downloader\aria2.session" --input-file="C:\Users\Admin\AppData\Roaming\Downloader\aria2.session" --rpc-listen-port=6288 --listen-port=6388 --dht-listen-port=6390 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path="C:\Users\Admin\AppData\Roaming\Downloader\dht.dat" --dht-file-path6="C:\Users\Admin\AppData\Roaming\Downloader\dht6.dat" --bt-external-ip= --stop-with-process=1588

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 ip.tool.chinaz.com udp
CN 123.129.219.81:80 ip.tool.chinaz.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.96:443 www.bing.com tcp
US 8.8.8.8:53 96.61.62.23.in-addr.arpa udp
N/A 127.0.0.1:6288 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/1588-1-0x0000000010000000-0x0000000010116000-memory.dmp

memory/1588-0-0x0000000000400000-0x0000000000F70000-memory.dmp

memory/1588-5-0x0000000002FA0000-0x000000000305E000-memory.dmp

memory/1588-7-0x0000000075D00000-0x0000000075D01000-memory.dmp

memory/1588-6-0x0000000002E20000-0x0000000002E3A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Downloader\libcurl.dll

MD5 c827add774456c759d2a7b35a2ae3525
SHA1 e6817d1b5c62460bdfd4aa3cd3941a6e7ecdc533
SHA256 5eb7c4723acab028d8bfea807cae6dad1f38d2c21b11586d77a69a716fbc4f2a
SHA512 5febaf93c07eb86b2dd9a228fe18e55ba57183d7300c07da802ddf7d381c3138e20601386744e92caed15e183fa793969ce47fa799e9f124c3f09e0b2c1da22d

memory/1588-16-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

memory/1588-18-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

memory/1588-17-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

memory/1588-15-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

memory/1588-14-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

memory/1588-13-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

memory/1588-19-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe

MD5 a5c047f169471bd325552c255d6c04af
SHA1 e313cff2f3d668ec5d0e90920bd622b0f38aed9d
SHA256 cec8bb942475690363c1558fdf55e3cf59f29607967a822a626d4976a348334a
SHA512 6cf929d36ea0c95815d3218a3b11f0c8f539a6113c368642a70d41379145ba7ace9aed1e5b78836a4cd2ca861d9bcd10fea3e7fc126adb85822ed4cf4f762f0d

C:\Users\Admin\AppData\Roaming\Downloader\aria2.conf

MD5 be2848313251cc4bdc3f4d83fbb678ee
SHA1 1e43738b25f0abcb6288e12b7e8d01b3e8666e8a
SHA256 35a633ec422857ce9d27f0e6b948d8b871af90c0430754bdd3f7ca70970e866d
SHA512 7093a99574544973a2c4ea9abebeefdb8b463bb42514a5d06dc29bff6cdd34381f10e394f79a8a5af1b27b86b5a31a71a48e569a2c76a20d4f982a5df61b3932

memory/3916-31-0x0000000000400000-0x00000000008CE000-memory.dmp

memory/1588-32-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

memory/1588-33-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

memory/1588-36-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

memory/1588-35-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

memory/1588-34-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

memory/1588-37-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

memory/1588-38-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 13:51

Reported

2024-06-06 13:53

Platform

win7-20231129-en

Max time kernel

145s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_fa26cfd5a2f621c95254e4f5ed6debae_icedid.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_fa26cfd5a2f621c95254e4f5ed6debae_icedid.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_fa26cfd5a2f621c95254e4f5ed6debae_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_fa26cfd5a2f621c95254e4f5ed6debae_icedid.exe"

C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe

"C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe" --conf-path="C:\Users\Admin\AppData\Roaming\Downloader\aria2.conf" #--save-session="C:\Users\Admin\AppData\Roaming\Downloader\aria2.session" --input-file="C:\Users\Admin\AppData\Roaming\Downloader\aria2.session" --rpc-listen-port=6288 --listen-port=6388 --dht-listen-port=6390 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path="C:\Users\Admin\AppData\Roaming\Downloader\dht.dat" --dht-file-path6="C:\Users\Admin\AppData\Roaming\Downloader\dht6.dat" --bt-external-ip= --stop-with-process=2264

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip.tool.chinaz.com udp
CN 123.129.219.81:80 ip.tool.chinaz.com tcp
N/A 127.0.0.1:6288 tcp

Files

memory/2264-1-0x0000000010000000-0x0000000010116000-memory.dmp

memory/2264-0-0x0000000000400000-0x0000000000F70000-memory.dmp

memory/2264-5-0x0000000000270000-0x000000000028A000-memory.dmp

memory/2264-6-0x0000000002F20000-0x0000000002FDE000-memory.dmp

memory/2264-11-0x0000000076120000-0x0000000076230000-memory.dmp

memory/2264-10-0x0000000076120000-0x0000000076230000-memory.dmp

memory/2264-9-0x0000000076134000-0x0000000076135000-memory.dmp

\Users\Admin\AppData\Roaming\Downloader\libcurl.dll

MD5 c827add774456c759d2a7b35a2ae3525
SHA1 e6817d1b5c62460bdfd4aa3cd3941a6e7ecdc533
SHA256 5eb7c4723acab028d8bfea807cae6dad1f38d2c21b11586d77a69a716fbc4f2a
SHA512 5febaf93c07eb86b2dd9a228fe18e55ba57183d7300c07da802ddf7d381c3138e20601386744e92caed15e183fa793969ce47fa799e9f124c3f09e0b2c1da22d

\Users\Admin\AppData\Roaming\Downloader\aria2c.exe

MD5 a5c047f169471bd325552c255d6c04af
SHA1 e313cff2f3d668ec5d0e90920bd622b0f38aed9d
SHA256 cec8bb942475690363c1558fdf55e3cf59f29607967a822a626d4976a348334a
SHA512 6cf929d36ea0c95815d3218a3b11f0c8f539a6113c368642a70d41379145ba7ace9aed1e5b78836a4cd2ca861d9bcd10fea3e7fc126adb85822ed4cf4f762f0d

C:\Users\Admin\AppData\Roaming\Downloader\aria2.conf

MD5 be2848313251cc4bdc3f4d83fbb678ee
SHA1 1e43738b25f0abcb6288e12b7e8d01b3e8666e8a
SHA256 35a633ec422857ce9d27f0e6b948d8b871af90c0430754bdd3f7ca70970e866d
SHA512 7093a99574544973a2c4ea9abebeefdb8b463bb42514a5d06dc29bff6cdd34381f10e394f79a8a5af1b27b86b5a31a71a48e569a2c76a20d4f982a5df61b3932

memory/2588-24-0x0000000000400000-0x00000000008CE000-memory.dmp

memory/2264-25-0x0000000000270000-0x000000000028A000-memory.dmp

memory/2264-27-0x0000000076120000-0x0000000076230000-memory.dmp