blackmoon | 82a6ad96f7cd58389805f2deba720aa6b8134ef82544461b0b1dd4148956d2bc

General

Target

2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe
Size

19.0MB
MD5

ba6d9c645d71854f516fa0321f7f1c6c
SHA1

2fef07ac2deffdbde8de0079bd0ed74db77ed1da
SHA256

82a6ad96f7cd58389805f2deba720aa6b8134ef82544461b0b1dd4148956d2bc
SHA512

ac5b87fa8f5bd22935e597cd77d295533b91ca373b482aa94bf96f141b2eb90af9774e28be313148b2576607e15ec619c3db8bea806b90dc993788d1bfb57512
SSDEEP

196608:dFnmeshQxOC5zshnLD/gvWAulknBjo5MKOivL5EeS29BLncy3DaryWHeJkwhOLpT:S1CxCyju+nB0MKNDyenncscHeWwS8yL

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/4656-37-0x0000000010000000-0x00000000100B6000-memory.dmp	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023c98-17.dat	acprotect
behavioral2/files/0x000d000000023b7c-26.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe

Executes dropped EXE 1 IoCs

pid	Process
4172	Lx_Aria2c.exe

Loads dropped DLL 2 IoCs

pid	Process
4656	2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe
4656	2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c98-17.dat	upx
behavioral2/memory/4656-21-0x0000000073A20000-0x0000000073CBB000-memory.dmp	upx
behavioral2/files/0x000d000000023b7c-26.dat	upx
behavioral2/memory/4656-29-0x0000000010000000-0x00000000100B6000-memory.dmp	upx
behavioral2/memory/4656-33-0x0000000073A20000-0x0000000073CBB000-memory.dmp	upx
behavioral2/memory/4656-37-0x0000000010000000-0x00000000100B6000-memory.dmp	upx
behavioral2/memory/4656-36-0x0000000073A20000-0x0000000073CBB000-memory.dmp	upx
behavioral2/memory/4656-41-0x0000000073A20000-0x0000000073CBB000-memory.dmp	upx
behavioral2/memory/4656-71-0x0000000073A20000-0x0000000073CBB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4656	2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe
4656	2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2632	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2632	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4656	2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe
4656	2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe
4656	2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4172	4656	2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe	89
PID 4656 wrote to memory of 4172	4656	2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe	89

C:\Users\Admin\AppData\Local\Temp\2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_ba6d9c645d71854f516fa0321f7f1c6c_icedid.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\Lx_Aria2c.exe
  "C:\Users\Admin\AppData\Local\Temp\Lx_Aria2c.exe" --conf-path=C:\Users\Admin\AppData\Local\Temp\aria2.conf #--save-session=C:\Users\Admin\AppData\Local\Temp\aria2.session --input-file=C:\Users\Admin\AppData\Local\Temp\aria2.session --rpc-listen-port=7022 --listen-port=7055 --dht-listen-port=7033 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path=C:/Users/Admin/AppData/Local/Temp/dht.dat --dht-file-path6=C:/Users/Admin/AppData/Local/Temp/dht6.dat --bt-external-ip= --stop-with-process=4656
  2⤵
  - Executes dropped EXE
  PID:4172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lx_Aria2c.exe

Filesize
7.4MB

MD5
5f21116bf47d681bd6b7204c22b1c3ae

SHA1
3ddadc7669445230992568fa1493ae648bcdd252

SHA256
eae4b5599f4575cb4d05858bd5600faf2e5fdf2804c58d374b9876bd31ab56a5

SHA512
d5585cecd5933ff3361128dbd26eb18dc216cb77a2454a72b4f102162b26ccd48d18e61d988998a93b050d991524a782cd9202f69c281c650a6b8b3fadbf7dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria2.conf

Filesize
55KB

MD5
58a3f44f99122a4a7ad7f285b7cb015e

SHA1
e8eaa4a2f560dbf866476725592e9d4ca2dd8012

SHA256
b48565b171e48670e48c910ca5659361878fb527294050c93050576d664b019b

SHA512
08d3dca96eda6557fb2c1a99fc94caed672da53a645218fc858a55ae2f74939c57e1daa41acff0cc8a12fc63fae540369193c948d36b9a3faeb7697e68f1f07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl.dll

Filesize
1.2MB

MD5
5271aaa62f698410541480fde7a83b5c

SHA1
e064163660fba20753a31cbd8453fe7a836a4f5e

SHA256
c442b9b62eee26434b4314a03e3193389564c740d0d3ed38951875d406a7b6d3

SHA512
609880514f170acc4d7e6e433600ffc696e236f36b97c8f04355c5dddc087f0a4094cc8fcf967c393519e37ce65039e14ef01c1ae6b5a47b58075e970b18f40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libexdui.dll

Filesize
168KB

MD5
32ab548fc2dabe299609b0fbefb570d1

SHA1
482d3eea3a49e9c81d21bb16cba33cbadcc07f99

SHA256
cf3880791580075582d00675576350d08f2d9cde0555cf04c63ed5a8b76366fd

SHA512
ec674e133a768a80c5502392ff85db341be674d82955387c4b0cb8408f798dca27f0be010d2a0520c07f4197d00d960afd811ef3a93f6ab65feb19753ab5d72b

Download Submit
memory/4172-38-0x00007FF6F2040000-0x00007FF6F27AB000-memory.dmp

Filesize
7.4MB

Download
memory/4656-32-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/4656-34-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/4656-28-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/4656-29-0x0000000010000000-0x00000000100B6000-memory.dmp

Filesize
728KB

Download
memory/4656-31-0x0000000008EB0000-0x0000000008EB1000-memory.dmp

Filesize
4KB

Download
memory/4656-24-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/4656-33-0x0000000073A20000-0x0000000073CBB000-memory.dmp

Filesize
2.6MB

Download
memory/4656-25-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/4656-35-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/4656-37-0x0000000010000000-0x00000000100B6000-memory.dmp

Filesize
728KB

Download
memory/4656-36-0x0000000073A20000-0x0000000073CBB000-memory.dmp

Filesize
2.6MB

Download
memory/4656-21-0x0000000073A20000-0x0000000073CBB000-memory.dmp

Filesize
2.6MB

Download
memory/4656-40-0x0000000008D30000-0x0000000008D31000-memory.dmp

Filesize
4KB

Download
memory/4656-41-0x0000000073A20000-0x0000000073CBB000-memory.dmp

Filesize
2.6MB

Download
memory/4656-71-0x0000000073A20000-0x0000000073CBB000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing