blackmoon | db12041535a38a59fc09b85f67302cbc9859b0f444c5fa677bcfd4f4f3b8e303

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
Size

21.3MB
MD5

88e5f7fcb3a6b6f2ebb54bbdaae394e5
SHA1

a1797481b116c8f9d6dbf72b538ec200528a0aa4
SHA256

db12041535a38a59fc09b85f67302cbc9859b0f444c5fa677bcfd4f4f3b8e303
SHA512

c8de757766df4c27f092320f07906886cb3a4e39eea82f9da5abcf0f9555c8eaa9e3c333321e5738066368584c5c2b75528b27bd92a08f833b2c05b0d3ae1aad
SSDEEP

196608:w1zsKFJndotUVMbUJfF7PD2pbJ6VszmYN8jqqw8o3BNYtRlR:WPFJm6VorNk28o3gtRj

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 13 IoCs

resource	yara_rule
behavioral2/files/0x000800000001e55f-8.dat	family_blackmoon
behavioral2/memory/624-26-0x0000000000DE0000-0x0000000000F9B000-memory.dmp	family_blackmoon
behavioral2/memory/624-27-0x0000000000DE0000-0x0000000000F9B000-memory.dmp	family_blackmoon
behavioral2/memory/624-23-0x0000000000DE0000-0x0000000000F9B000-memory.dmp	family_blackmoon
behavioral2/memory/624-22-0x0000000000DE0000-0x0000000000F9B000-memory.dmp	family_blackmoon
behavioral2/memory/624-30-0x0000000000DE0000-0x0000000000F9B000-memory.dmp	family_blackmoon
behavioral2/memory/624-31-0x0000000000DE0000-0x0000000000F9B000-memory.dmp	family_blackmoon
behavioral2/memory/624-32-0x0000000000DE0000-0x0000000000F9B000-memory.dmp	family_blackmoon
behavioral2/memory/624-34-0x0000000000DE0000-0x0000000000F9B000-memory.dmp	family_blackmoon
behavioral2/memory/624-42-0x0000000000DE0000-0x0000000000F9B000-memory.dmp	family_blackmoon
behavioral2/memory/624-63-0x0000000000DE0000-0x0000000000F9B000-memory.dmp	family_blackmoon
behavioral2/memory/624-76-0x0000000000DE0000-0x0000000000F9B000-memory.dmp	family_blackmoon
behavioral2/memory/624-88-0x0000000000DE0000-0x0000000000F9B000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe

Deletes itself 1 IoCs

pid	Process
624	Tomcat.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk	Tomcat.exe

Executes dropped EXE 1 IoCs

pid	Process
624	Tomcat.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1116-2-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/1116-3-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/624-21-0x00000000025F0000-0x0000000002608000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tomcat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1116	2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
1116	2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
1116	2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
1116	2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe
624	Tomcat.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	Tomcat.exe
Token: SeLockMemoryPrivilege	624	Tomcat.exe
Token: SeCreateGlobalPrivilege	624	Tomcat.exe
Token: SeBackupPrivilege	624	Tomcat.exe
Token: SeRestorePrivilege	624	Tomcat.exe
Token: SeShutdownPrivilege	624	Tomcat.exe
Token: SeCreateTokenPrivilege	624	Tomcat.exe
Token: SeTakeOwnershipPrivilege	624	Tomcat.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1116	2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
1116	2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 624	1116	2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe	86
PID 1116 wrote to memory of 624	1116	2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe	86
PID 1116 wrote to memory of 624	1116	2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\Documents\Tomcat.exe
  "C:\Users\Admin\Documents\Tomcat.exe"
  2⤵
  - Deletes itself
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Tomcat.exe

Filesize
1.6MB

MD5
4450058efd92854936ddb1c7a7619c4a

SHA1
5bb4e2a8d4e8d16d9aa15f728c453f56fca24405

SHA256
356ba962940bc10e18343aee4f6943147b55c6a8778d06df4eab6e401cee89a5

SHA512
b66dc4f173a7370446a51fcdfc82d29db837097788a3cf3f82c1bc9a0c54bb96a9cbec119446bb25823d8cab5a2eb8888f8042b8e48a3ade524e1159a9af4180

Download Submit
C:\Users\Admin\Documents\conf.ini

Filesize
218B

MD5
0da3fe479e80097442bd49221a6b350a

SHA1
b6282b7a231ae343addda71355e87893e1ad5824

SHA256
e1ec86f4e5d584cb2b4659164cd3b409b99756742a95814dfcdfecffa164ab1e

SHA512
30360772ac29aa3d3f8cf243605b25d7871ca771832123785a3d17861495884d2d063436f6b0ee7528c06558f2db3d2b4d6b9d4768d667b5f6887f41f18f6992

Download Submit
C:\Users\Admin\Documents\conf.ini

Filesize
225B

MD5
27d0fbd1ec2e45fcb3b188759f00ca69

SHA1
32e6c2b0d4fe661c772cd3c7013dd758cdf4060c

SHA256
deced7dae9f9d3729078ef25f2a4d48d3bb38251f436e4fde91a6df4b5118070

SHA512
ad539456b537fedd0443b4fd22f726070cd509fa1b9c2b0233383f16c565e7fd22b79f2040d1055c4c03da5c309699b58a2bcda08fb8b9e134a9314e06929f2a

Download Submit
memory/624-21-0x00000000025F0000-0x0000000002608000-memory.dmp

Filesize
96KB

Download
memory/624-26-0x0000000000DE0000-0x0000000000F9B000-memory.dmp

Filesize
1.7MB

Download
memory/624-27-0x0000000000DE0000-0x0000000000F9B000-memory.dmp

Filesize
1.7MB

Download
memory/624-25-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-23-0x0000000000DE0000-0x0000000000F9B000-memory.dmp

Filesize
1.7MB

Download
memory/624-22-0x0000000000DE0000-0x0000000000F9B000-memory.dmp

Filesize
1.7MB

Download
memory/624-19-0x00000000025C0000-0x00000000025EB000-memory.dmp

Filesize
172KB

Download
memory/624-13-0x0000000010000000-0x0000000010109000-memory.dmp

Filesize
1.0MB

Download
memory/624-12-0x0000000000E3B000-0x0000000000E3C000-memory.dmp

Filesize
4KB

Download
memory/624-30-0x0000000000DE0000-0x0000000000F9B000-memory.dmp

Filesize
1.7MB

Download
memory/624-31-0x0000000000DE0000-0x0000000000F9B000-memory.dmp

Filesize
1.7MB

Download
memory/624-32-0x0000000000DE0000-0x0000000000F9B000-memory.dmp

Filesize
1.7MB

Download
memory/624-34-0x0000000000DE0000-0x0000000000F9B000-memory.dmp

Filesize
1.7MB

Download
memory/624-33-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-35-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-37-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-38-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-40-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-41-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-42-0x0000000000DE0000-0x0000000000F9B000-memory.dmp

Filesize
1.7MB

Download
memory/624-44-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-45-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-48-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-49-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-51-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-52-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-54-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-55-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-57-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-58-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-60-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-61-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-63-0x0000000000DE0000-0x0000000000F9B000-memory.dmp

Filesize
1.7MB

Download
memory/624-64-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-65-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-67-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-68-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-70-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-71-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-73-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-74-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-76-0x0000000000DE0000-0x0000000000F9B000-memory.dmp

Filesize
1.7MB

Download
memory/624-77-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-78-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-80-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-81-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-83-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-84-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-86-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-87-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-88-0x0000000000DE0000-0x0000000000F9B000-memory.dmp

Filesize
1.7MB

Download
memory/624-90-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-91-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-94-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-95-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-97-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-98-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-100-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-101-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-103-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-104-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-106-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-107-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/624-111-0x0000000002C70000-0x0000000002CC9000-memory.dmp

Filesize
356KB

Download
memory/1116-1-0x0000000006C40000-0x0000000006C67000-memory.dmp

Filesize
156KB

Download
memory/1116-2-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1116-3-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download