blackmoon | b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832

Resubmissions

19-11-2022 13:50

221119-q5g7dadg75 10

16-11-2022 22:11

221116-13znrahb4y 10

Analysis

max time kernel
128s
max time network
130s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
19-11-2022 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
Size

4.0MB
MD5

a0588d88e7ddb01fc9ac9d3b5cf215d8
SHA1

3647f00f21ba2f090d81f07fca5137c4566b4046
SHA256

b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832
SHA512

0597a689f1b9c521415835272f123782ce5431c3049be15aa38664e8b288cf29a6715eb47e023e2479bfbba2ee387435ba72b5b7e14801a6c086b59f311df9c6
SSDEEP

98304:WBLaX2XjPrbVGbFWMZNA2wITWuXIu/M1vrGp1oVXL:YLaWrh3WNVwWWuz/M1vqpeXL

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/memory/1260-55-0x0000000000400000-0x0000000001092000-memory.dmp	family_blackmoon
behavioral1/memory/1260-56-0x0000000000400000-0x0000000001092000-memory.dmp	family_blackmoon
behavioral1/memory/1260-57-0x0000000000400000-0x0000000001092000-memory.dmp	family_blackmoon
behavioral1/memory/1260-58-0x0000000000400000-0x0000000001092000-memory.dmp	family_blackmoon
behavioral1/memory/1260-59-0x0000000000400000-0x0000000001092000-memory.dmp	family_blackmoon

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
1260	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe

C:\Users\Admin\AppData\Local\Temp\b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
"C:\Users\Admin\AppData\Local\Temp\b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1260-54-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1260-55-0x0000000000400000-0x0000000001092000-memory.dmp

Filesize
12.6MB

Download
memory/1260-56-0x0000000000400000-0x0000000001092000-memory.dmp

Filesize
12.6MB

Download
memory/1260-57-0x0000000000400000-0x0000000001092000-memory.dmp

Filesize
12.6MB

Download
memory/1260-58-0x0000000000400000-0x0000000001092000-memory.dmp

Filesize
12.6MB

Download
memory/1260-59-0x0000000000400000-0x0000000001092000-memory.dmp

Filesize
12.6MB

Download