blackmoon | 5c066b413d4dfac1c3afd51fb1d95e106ebd6abe277cf0f7198d1517f8921cd6

General

Target

2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe
Size

20.8MB
MD5

81ff760fa2fd00a428fb6267b4fa397d
SHA1

07cd9651c7867513d09c9e49a910e8a0ef498c86
SHA256

5c066b413d4dfac1c3afd51fb1d95e106ebd6abe277cf0f7198d1517f8921cd6
SHA512

88d63c488f4a8c0d855138c251804d5d576be1372c636ecb962c7c99602a860fc0503f7a750da3a0670b88bb36edb45bbd8b7803e8eb1a505a61b9d1409616c0
SSDEEP

196608:VJ+kISLa1I6aEromRQsVm2vbDbtYxlXiG:XMSLa1IvEUmOsVm2vbD2T

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0038000000015ca5-8.dat	family_blackmoon
behavioral1/memory/2804-26-0x0000000000F10000-0x00000000010CB000-memory.dmp	family_blackmoon
behavioral1/memory/2804-28-0x0000000000F10000-0x00000000010CB000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2804	Tomcat.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk	Tomcat.exe

Executes dropped EXE 1 IoCs

pid	Process
2804	Tomcat.exe

Loads dropped DLL 3 IoCs

pid	Process
2124	2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe
2124	2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe
2804	Tomcat.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2124-1-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/2804-19-0x0000000000120000-0x0000000000138000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2124	2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe
2124	2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe
2804	Tomcat.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	Tomcat.exe
Token: SeLockMemoryPrivilege	2804	Tomcat.exe
Token: SeCreateGlobalPrivilege	2804	Tomcat.exe
Token: SeBackupPrivilege	2804	Tomcat.exe
Token: SeRestorePrivilege	2804	Tomcat.exe
Token: SeShutdownPrivilege	2804	Tomcat.exe
Token: SeCreateTokenPrivilege	2804	Tomcat.exe
Token: SeTakeOwnershipPrivilege	2804	Tomcat.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2124	2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe
2124	2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2804	2124	2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe	28
PID 2124 wrote to memory of 2804	2124	2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe	28
PID 2124 wrote to memory of 2804	2124	2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe	28
PID 2124 wrote to memory of 2804	2124	2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_81ff760fa2fd00a428fb6267b4fa397d_icedid_sakula.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\Documents\Tomcat.exe
  "C:\Users\Admin\Documents\Tomcat.exe"
  2⤵
  - Deletes itself
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Tomcat.exe

Filesize
1.6MB

MD5
2b167c677a4b530ea698976ab95738ea

SHA1
868261797b63da95bccfd9e547781517165889e9

SHA256
7e7cca8d2fe16537b5c870b16ae52fd8150f2ad4063e6023493294ed5ea9ca61

SHA512
c308d8f410601d9ae113841f75801dcfa584b9518520339cd265d397b761ba6ed0c9667b0236204a2db59d15f38abf467c4ab1f9c01ff08baf6bc8519cb490cf

Download Submit
C:\Users\Admin\Documents\conf.ini

Filesize
208B

MD5
5f92bbd13d26b381a33ec8b16e6dd23a

SHA1
75a188d633e46338d55e49ceb90b89509589068c

SHA256
66f8b3ed9af56226aa9e1005972ef60c89f325b600e0dafecd170b0b8a95ae1b

SHA512
9bed7ca2e99521d2f653d6a4e159391eacc19bd24ab13068dc90d4f5615cec7d3b4ac956f99c53d95e928b1e28fca7c5bfb093e66f2b1a109b700b6b4ad09d67

Download Submit
memory/2124-1-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2804-11-0x0000000010000000-0x0000000010109000-memory.dmp

Filesize
1.0MB

Download
memory/2804-17-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2804-19-0x0000000000120000-0x0000000000138000-memory.dmp

Filesize
96KB

Download
memory/2804-21-0x0000000000610000-0x0000000000669000-memory.dmp

Filesize
356KB

Download
memory/2804-26-0x0000000000F10000-0x00000000010CB000-memory.dmp

Filesize
1.7MB

Download
memory/2804-28-0x0000000000F10000-0x00000000010CB000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing