General

  • Size

    1MB

  • Sample

    220725-kbamjsbeck

  • MD5

    b7f74c02e8e4dc10eb8f11d0e107310e

  • SHA1

    d7efa03c14830997e55c78365ee15bd8c1c01971

  • SHA256

    3ac761271417ecf9e5e8e6152f3c9bbcaf8863286da6933f5fc4c7a2462a31e9

  • SHA512

    d64d3224075ca55efe055dca5f9fcb658b4541db94db1908a05924827b1d6d290e5f0bab83477a13fc29292793e32e420d6183155076235f8ebc26363b2e5c44

Malware Config

Targets

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Deletes itself

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

    • Tactics

      Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation