blackmoon | c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12

General

Target

c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe
Size

260KB
MD5

fc2e73824f78609c27efab5fa7c73493
SHA1

78d62dec4ba87bd8ed0ee9751b63fc5d0668dc3a
SHA256

c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12
SHA512

abbae4bf59f442b01a0186a0e0c63a5b41c67c43ace11b8e1c2ad1a094c4b1b9fb60f074800bf05034e9e5bf7fe01ae2323e0a2fcacda353267514b8fc8e0f6e
SSDEEP

6144:LhR5nr+Pzr1Gq/Jf+2upbKOCeY9nP878g9M:9r+PfP/J2baecrg9M

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4844-138-0x0000000000400000-0x0000000000422000-memory.dmp	family_blackmoon

Executes dropped EXE 2 IoCs

Processes:

doudou.exeÁ¬·¢³ÌÐò.exe

pid process

4844 doudou.exe
4768 Á¬·¢³ÌÐò.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\doudou.exe	upx
C:\doudou.exe	upx
C:\Á¬·¢³ÌÐò.exe	upx
C:\Á¬·¢³ÌÐò.exe	upx
behavioral2/memory/4844-138-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4768-139-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/4768-140-0x0000000000400000-0x0000000000484000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

doudou.exe

pid	process
4844	doudou.exe
4844	doudou.exe
4844	doudou.exe
4844	doudou.exe
4844	doudou.exe
4844	doudou.exe
4844	doudou.exe
4844	doudou.exe
4844	doudou.exe
4844	doudou.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Á¬·¢³ÌÐò.exe

pid process

4768 Á¬·¢³ÌÐò.exe
4768 Á¬·¢³ÌÐò.exe
4768 Á¬·¢³ÌÐò.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Á¬·¢³ÌÐò.exe

pid process

4768 Á¬·¢³ÌÐò.exe
4768 Á¬·¢³ÌÐò.exe
4768 Á¬·¢³ÌÐò.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Á¬·¢³ÌÐò.exe

pid process

4768 Á¬·¢³ÌÐò.exe

pid	process
4768	Á¬·¢³ÌÐò.exe
4768	Á¬·¢³ÌÐò.exe
4768	Á¬·¢³ÌÐò.exe

pid	process
4768	Á¬·¢³ÌÐò.exe
4768	Á¬·¢³ÌÐò.exe
4768	Á¬·¢³ÌÐò.exe

pid	process
4768	Á¬·¢³ÌÐò.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe

description	pid	process	target process
PID 4904 wrote to memory of 4844	4904	c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe	doudou.exe
PID 4904 wrote to memory of 4844	4904	c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe	doudou.exe
PID 4904 wrote to memory of 4844	4904	c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe	doudou.exe
PID 4904 wrote to memory of 4768	4904	c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe	Á¬·¢³ÌÐò.exe
PID 4904 wrote to memory of 4768	4904	c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe	Á¬·¢³ÌÐò.exe
PID 4904 wrote to memory of 4768	4904	c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe	Á¬·¢³ÌÐò.exe

C:\Users\Admin\AppData\Local\Temp\c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe
"C:\Users\Admin\AppData\Local\Temp\c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4904

C:\doudou.exe
"C:\doudou.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Á¬·¢³ÌÐò.exe
"C:\Á¬·¢³ÌÐò.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\doudou.exe
Filesize
14KB

MD5
9dc6adde90f23e1778612867bc47a7db

SHA1
f6b140d44944c1197f886ac2c3ad9a4c4824ee45

SHA256
79268839f46c8ca4d010415b07e7b02957e728c652988bcd276ae50717b41386

SHA512
87e61373abbb7ab18d647ff5fe4a60f5c1e08c8170f30127cbd5b4dd0402031a2e8f95662811cbf4ba35d9b7f834a4711e2515dad30efc90d3171bf13c8b786d

Download Submit
C:\doudou.exe
Filesize
14KB

MD5
9dc6adde90f23e1778612867bc47a7db

SHA1
f6b140d44944c1197f886ac2c3ad9a4c4824ee45

SHA256
79268839f46c8ca4d010415b07e7b02957e728c652988bcd276ae50717b41386

SHA512
87e61373abbb7ab18d647ff5fe4a60f5c1e08c8170f30127cbd5b4dd0402031a2e8f95662811cbf4ba35d9b7f834a4711e2515dad30efc90d3171bf13c8b786d

Download Submit
C:\Á¬·¢³ÌÐò.exe
Filesize
235KB

MD5
59f233558cfdb557e835b3538317a67a

SHA1
003f9992b69d494c1c65b6631691819d1d1302a0

SHA256
319ac331bd2e87fd3477884f359104c54a1ac24b0781d0354eb248f5e6d84bf9

SHA512
ae738799048192c4a226d61db3cecabfce57bf206170ebdcd2a893ed8d4081513f5d1f25cd27b5dc0fe0bc27c9a258be44fb1f24a46829a1893cf0d5e3f475b6

Download Submit
C:\Á¬·¢³ÌÐò.exe
Filesize
235KB

MD5
59f233558cfdb557e835b3538317a67a

SHA1
003f9992b69d494c1c65b6631691819d1d1302a0

SHA256
319ac331bd2e87fd3477884f359104c54a1ac24b0781d0354eb248f5e6d84bf9

SHA512
ae738799048192c4a226d61db3cecabfce57bf206170ebdcd2a893ed8d4081513f5d1f25cd27b5dc0fe0bc27c9a258be44fb1f24a46829a1893cf0d5e3f475b6

Download Submit
memory/4768-135-0x0000000000000000-mapping.dmp

Download
memory/4768-139-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4768-140-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4844-132-0x0000000000000000-mapping.dmp

Download
memory/4844-138-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads