blackmoon | b620edacbd2647290c6410c9ff708bd6c51796246cce4971b6ad49be587e859e | Triage

Submit
Reports

Overview

overview

Static

static

8

Encode_380.exe

windows7-x64

Encode_380.exe

windows10-2004-x64

Sharing

General

Target

b620edacbd2647290c6410c9ff708bd6c51796246cce4971b6ad49be587e859e
Size

4.8MB
Sample

221015-v9f74afhd4
MD5

4ca31cd91a2a265da80a1e64537bd901
SHA1

edf06d8a1b602ee45846e99f7638d3153fc58518
SHA256

b620edacbd2647290c6410c9ff708bd6c51796246cce4971b6ad49be587e859e
SHA512

e6a256508089b8bce34f7ca8b769c824531924d45e2b9908b268d3baf82ebd50538386dc2cb9893eba1ff27dbb08d1384418c67e73a75a290ba0be9fe6a1c683
SSDEEP

98304:Yh6TYWpDIEL+nCSCIMK2jUs5ZVIoIjBJk3hprEHapBPJlmZPSbyZVwq9:YupnqnCSC35OkRprEH8J0d6qmi

Score

10^/10

blackmoon banker bootkit persistence trojan vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Encode_380.exe

Resource

win7-20220812-en

blackmoon banker bootkit persistence trojan vmprotect

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

Encode_380.exe

Resource

win10v2004-20220812-en

blackmoon banker bootkit persistence trojan vmprotect

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Targets

- Target
  
  Encode_380.exe
- Size
  
  6.3MB
- MD5
  
  3e852b92d476d15fd3028c0dea46a1c3
- SHA1
  
  d505386d4890e2d50abb22d68d7ceb7b90e31219
- SHA256
  
  25f3794f660d6d6e3ad63582fd99c9d2aa73085b570dbb1b23483f1382b22688
- SHA512
  
  d4a74f5003c41ffc95df70c9066f06ae528354e17ce8578ddc8731286d7630e6d0e2c5fe81c1281f4679545b6eebd4f04432bb458c463e757f01d3ca7c9a8777
- SSDEEP
  
  98304:V7jQMtHmZ+gFFP562OTrpr3ONmieIcAbE7Fsh30J7oN9WQOM4dRXBmjYzjLhbBIa:VPtoZ5YZreNaInE5s0JhvMYsjChv
Score

10^/10

blackmoon banker bootkit persistence trojan vmprotect
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerbootkitpersistencetrojanvmprotect

behavioral2

blackmoonbankerbootkitpersistencetrojanvmprotect

© 2018-2024

Terms | Privacy