General

  • Size: 1MB
  • Sample: 220725-kh522aagg8
  • MD5: e0fac190218ff59d4b641b03f0c397b7
  • SHA1: 5720c4c9b93ab5c0236af2120cc4622a2b1a59e3
  • SHA256: 0ff713c7e9169e214088a288d29829a9d180baaa144f55da392dcada4c22bc30
  • SHA512: f41126ae590bb69fa8a809ae4877c542d03d66fc23e359ec0e918c292a10077b6d53ebca649205607df1123d282d5ed6ad15a4717b40c66154a1ff641cdafc05

Malware Config

Targets

    • Target: e0fac190218ff59d4b641b03f0c397b7


    • Blackmoon, KrBanker: Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.
    • Detect Blackmoon payload
    • Sets DLL path for service in the registry
    • UPX packed file: detects executables packed with UPX or a modified build of the UPX open-source packer.
    • Deletes itself
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns (no techniques were mapped in this report): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation