blackmoon | 65b4ddefe546f5b1dc10d748023b65c8456900eaa9f6d9aa6e117687770ad819

General

Target

2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe
Size

23.6MB
MD5

100cecb81c478339a93cfbe9cf0e6806
SHA1

593671c9abfae05961ed46699ebfc6b64e5e58c3
SHA256

65b4ddefe546f5b1dc10d748023b65c8456900eaa9f6d9aa6e117687770ad819
SHA512

c35e2349c10afbbc198329ba1f341b712d6b921d5013f1fe3c5cdedb2d69ed3ae369a9ae76c4affe6d4feb35e515b4c147553673ab5d182b51befde1f8d2bdb9
SSDEEP

393216:Gsq0rJE1XDrpe9Z+0LA6gDK1ocW1+7aXDC9MgFO0ck70fVPnxVSOyrnOviWcuEw/:G/wadDE9EkEmoX1MAOmgFH0fVPnxVSOx

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\Tomcat.exe	family_blackmoon

Deletes itself 1 IoCs

Processes:

Tomcat.exe

pid process

2284 Tomcat.exe
Drops startup file 1 IoCs

Processes:

Tomcat.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk Tomcat.exe
Executes dropped EXE 1 IoCs

Processes:

Tomcat.exe

pid process

2284 Tomcat.exe

pid	process
2284	Tomcat.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk	Tomcat.exe

pid	process
2284	Tomcat.exe

Loads dropped DLL 4 IoCs

Processes:

2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exeTomcat.exe

pid	process
2172	2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe
2172	2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe
2284	Tomcat.exe
2284	Tomcat.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2284-21-0x0000000000360000-0x0000000000378000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exeTomcat.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tomcat.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exeTomcat.exe

pid	process
2172	2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe
2172	2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe
2284	Tomcat.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Tomcat.exe

description	pid	process
Token: SeDebugPrivilege	2284	Tomcat.exe
Token: SeLockMemoryPrivilege	2284	Tomcat.exe
Token: SeCreateGlobalPrivilege	2284	Tomcat.exe
Token: SeBackupPrivilege	2284	Tomcat.exe
Token: SeRestorePrivilege	2284	Tomcat.exe
Token: SeShutdownPrivilege	2284	Tomcat.exe
Token: SeCreateTokenPrivilege	2284	Tomcat.exe
Token: SeTakeOwnershipPrivilege	2284	Tomcat.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe

pid	process
2172	2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe
2172	2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe

description	pid	process	target process
PID 2172 wrote to memory of 2284	2172	2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe	Tomcat.exe
PID 2172 wrote to memory of 2284	2172	2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe	Tomcat.exe
PID 2172 wrote to memory of 2284	2172	2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe	Tomcat.exe
PID 2172 wrote to memory of 2284	2172	2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe	Tomcat.exe

C:\Users\Admin\AppData\Local\Temp\2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-27_100cecb81c478339a93cfbe9cf0e6806_icedid_magniber_sakula.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\Documents\Tomcat.exe
"C:\Users\Admin\Documents\Tomcat.exe"
2⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Tomcat.exe

Filesize
2.1MB

MD5
e1e3c124ce8481e2a35e49eb94ae59c2

SHA1
c9dce6860e4c645ef40b26578f778d018399947c

SHA256
6d67495ced5afc1ef0720b08801c8f0e6c5daa1effcc1f26a4cf56a55980df7c

SHA512
1669786e35abd0c17b8c1ddfd0cea29bb80aead0d07ab7a26c7f7d8a7768111ac6129006d52090a1939a26cc84f33f683e1496f4afcb16353354241f71d903d5

Download Submit
C:\Users\Admin\Documents\conf.ini

Filesize
226B

MD5
d6c58c52bca94d6a572ec967ba79e9cd

SHA1
0ff419bae9b81d04b841b8eafeb672d7090f09cc

SHA256
b3eb0fd3a901f8054310b99dd1ae59e26acc81a33b67e744b4939345d35d3f18

SHA512
62267d2e419ab1a0a2f19252da3554afbd6ddbd469a59de15d66d8adad4a3b1607ab76c809f5e942032309d58d998aa1dd4515dd25195fa0d1cff20b52a71853

Download Submit
\Users\Admin\AppData\Roaming\Ling\malloc\L_mimalloc.dll

Filesize
148KB

MD5
051d69a619adca3472e8d7c9b0c0eb5c

SHA1
6cc795ac90e43e408919e19ba6f5633863560459

SHA256
feefc12464985e2057a4cbd54117e9414f2e00a284106fa38b62d63052a1f7dd

SHA512
50daa3344aa4d86cdd22cf5736eec993467e6574c5e341cd0fd95757c739e167b6e76c744b29ae302d08c88d469fea0767640a9257f54f9dec2c5fbb87c23b71

Download Submit
memory/2284-11-0x0000000010000000-0x0000000010109000-memory.dmp

Filesize
1.0MB

Download
memory/2284-21-0x0000000000360000-0x0000000000378000-memory.dmp

Filesize
96KB

Download
memory/2284-22-0x0000000000B90000-0x0000000000BE9000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads