General

  • Target

    2025-06-30_8225c7e5c8ed4e22dadc938065559c6a_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_stealc_stop_tofsee_xiaobaminer

  • Size

    8.0MB

  • Sample

    250630-zf91jaxwf1

  • MD5

    8225c7e5c8ed4e22dadc938065559c6a

  • SHA1

    452cc2074f58caea5f17e172ca0c22f05a4c2459

  • SHA256

    7f5b3d1347d936be872722db66256213a81895d7336c2c622a2f599f6661b536

  • SHA512

    50298b9a91b423fafaf90a256528ce42145e920078765f387e11d9d6ba820c06072c5581fc5aa981bdb3a1c3102bc2b7d1ef46d77193aeb0d7cf7f8d12048089

  • SSDEEP

    98304:ycAawV77GBfWPcAawV77GBfWVcAawV77GBfWPcAawV77GBfW5:lwGBfWEwGBfWWwGBfWEwGBfW

Malware Config

Targets

    • Target

      2025-06-30_8225c7e5c8ed4e22dadc938065559c6a_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_stealc_stop_tofsee_xiaobaminer

    • Blackmoon family

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks