blackmoon | 0ff713c7e9169e214088a288d29829a9d180baaa144f55da392dcada4c22bc30

General

Target

e0fac190218ff59d4b641b03f0c397b7.exe
Size

1.2MB
MD5

e0fac190218ff59d4b641b03f0c397b7
SHA1

5720c4c9b93ab5c0236af2120cc4622a2b1a59e3
SHA256

0ff713c7e9169e214088a288d29829a9d180baaa144f55da392dcada4c22bc30
SHA512

f41126ae590bb69fa8a809ae4877c542d03d66fc23e359ec0e918c292a10077b6d53ebca649205607df1123d282d5ed6ad15a4717b40c66154a1ff641cdafc05

Score

10^/10

blackmoon banker persistence trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/888-64-0x0000000000400000-0x0000000000611000-memory.dmp	family_blackmoon
behavioral1/memory/888-65-0x0000000000400000-0x0000000000611000-memory.dmp	family_blackmoon
behavioral1/files/0x0007000000005c51-67.dat	family_blackmoon
behavioral1/files/0x0007000000005c51-68.dat	family_blackmoon
behavioral1/memory/888-71-0x0000000000400000-0x0000000000611000-memory.dmp	family_blackmoon

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e0fac190218ff59d4b641b03f0c397b7.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SQL Server Reporting Services (MSSQLSERVSER)\Parameters\ServiceDll = "C:\\ProgramData\\Microsoft\\Windows\\GameExplorer\\Remote.hlp"	e0fac190218ff59d4b641b03f0c397b7.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1108-55-0x0000000000400000-0x00000000005CA000-memory.dmp	upx
behavioral1/memory/888-58-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/1108-61-0x0000000000400000-0x00000000005CA000-memory.dmp	upx
behavioral1/memory/888-63-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/888-64-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/888-65-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/888-71-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/808-74-0x00000000001E0000-0x00000000001EB000-memory.dmp	upx
behavioral1/memory/808-75-0x00000000001E0000-0x00000000001EB000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
804	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid	Process
808	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

e0fac190218ff59d4b641b03f0c397b7.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Delete00.bat	e0fac190218ff59d4b641b03f0c397b7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e0fac190218ff59d4b641b03f0c397b7.exe

description	pid	Process	procid_target
PID 1108 set thread context of 888	1108	e0fac190218ff59d4b641b03f0c397b7.exe	27

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
1956	sc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1692	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

e0fac190218ff59d4b641b03f0c397b7.exesvchost.exe

pid	Process
888	e0fac190218ff59d4b641b03f0c397b7.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e0fac190218ff59d4b641b03f0c397b7.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	888	e0fac190218ff59d4b641b03f0c397b7.exe
Token: SeDebugPrivilege	808	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

e0fac190218ff59d4b641b03f0c397b7.exee0fac190218ff59d4b641b03f0c397b7.execmd.exe

description	pid	Process	procid_target
PID 1108 wrote to memory of 888	1108	e0fac190218ff59d4b641b03f0c397b7.exe	27
PID 1108 wrote to memory of 888	1108	e0fac190218ff59d4b641b03f0c397b7.exe	27
PID 1108 wrote to memory of 888	1108	e0fac190218ff59d4b641b03f0c397b7.exe	27
PID 1108 wrote to memory of 888	1108	e0fac190218ff59d4b641b03f0c397b7.exe	27
PID 1108 wrote to memory of 888	1108	e0fac190218ff59d4b641b03f0c397b7.exe	27
PID 1108 wrote to memory of 888	1108	e0fac190218ff59d4b641b03f0c397b7.exe	27
PID 1108 wrote to memory of 888	1108	e0fac190218ff59d4b641b03f0c397b7.exe	27
PID 1108 wrote to memory of 888	1108	e0fac190218ff59d4b641b03f0c397b7.exe	27
PID 1108 wrote to memory of 888	1108	e0fac190218ff59d4b641b03f0c397b7.exe	27
PID 888 wrote to memory of 1956	888	e0fac190218ff59d4b641b03f0c397b7.exe	28
PID 888 wrote to memory of 1956	888	e0fac190218ff59d4b641b03f0c397b7.exe	28
PID 888 wrote to memory of 1956	888	e0fac190218ff59d4b641b03f0c397b7.exe	28
PID 888 wrote to memory of 1956	888	e0fac190218ff59d4b641b03f0c397b7.exe	28
PID 888 wrote to memory of 804	888	e0fac190218ff59d4b641b03f0c397b7.exe	32
PID 888 wrote to memory of 804	888	e0fac190218ff59d4b641b03f0c397b7.exe	32
PID 888 wrote to memory of 804	888	e0fac190218ff59d4b641b03f0c397b7.exe	32
PID 888 wrote to memory of 804	888	e0fac190218ff59d4b641b03f0c397b7.exe	32
PID 804 wrote to memory of 1692	804	cmd.exe	33
PID 804 wrote to memory of 1692	804	cmd.exe	33
PID 804 wrote to memory of 1692	804	cmd.exe	33
PID 804 wrote to memory of 1692	804	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\e0fac190218ff59d4b641b03f0c397b7.exe
"C:\Users\Admin\AppData\Local\Temp\e0fac190218ff59d4b641b03f0c397b7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\e0fac190218ff59d4b641b03f0c397b7.exe
  2⤵
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\sc.exe
    sc failure SQL Server Reporting Services (MSSQLSERVSER) reset= 86400 actions= restart/1000
    3⤵
    - Launches sc.exe
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\System32\\Delete00.bat
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1692

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Delete00.bat

Filesize
133B

MD5
dc3b149f24124fccaf30e3a09e297fad

SHA1
4dc288d951d5804c1b2edaef41987971e7e9f1ae

SHA256
f216150b744e134c33f1cea79275617d507af57b984b9c637b904976d6b29a3a

SHA512
352bf15f0f37b7816d3186c7eae0e67d5c746f2a1fa9e0ca07813bc282e76edef70701a97f97acc3db9185966fe22c265ea5d6dd331e401c527a365ff0c28f34

Download Submit
\??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp

Filesize
936KB

MD5
2148ed98f723563683990f569d23bf43

SHA1
25cfad1a06933f65f7d110a81d7adbfa83c19005

SHA256
b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a

SHA512
8ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa

Download Submit
\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp

Filesize
936KB

MD5
2148ed98f723563683990f569d23bf43

SHA1
25cfad1a06933f65f7d110a81d7adbfa83c19005

SHA256
b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a

SHA512
8ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa

Download Submit
memory/804-70-0x0000000000000000-mapping.dmp

Download
memory/808-75-0x00000000001E0000-0x00000000001EB000-memory.dmp

Filesize
44KB

Download
memory/808-74-0x00000000001E0000-0x00000000001EB000-memory.dmp

Filesize
44KB

Download
memory/888-59-0x0000000000525B60-mapping.dmp

Download
memory/888-64-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/888-65-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/888-63-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/888-71-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/888-58-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/888-56-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/1108-61-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1108-54-0x00000000762A1000-0x00000000762A3000-memory.dmp

Filesize
8KB

Download
memory/1108-55-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1692-73-0x0000000000000000-mapping.dmp

Download
memory/1956-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads