blackmoon | e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b

General

Target

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
Size

2.1MB
MD5

0287e13e0df148a77e8e0b829918ea13
SHA1

c02d090847f4e91423e98a2857c696fa2be802e3
SHA256

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b
SHA512

bbe4877d88a1903ce3bbf165b3e4545c46a993d030d9ae491cdc5d0f742926a36cb43cf5d309bc9c997c9d8d5acb9fd9825b091bba187162a45bb9410bea2575
SSDEEP

49152:N+Bp091F1Eu/4opVwg3DT6KvN2Ne1O1ez4Br0ORZCfBV3U6g:ABK9Cu/dwg3KqEBrbRZG3U6

Score

10^/10

blackmoon banker trojan upx vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1420-57-0x0000000000400000-0x00000000008D6000-memory.dmp	family_blackmoon

Blocklisted process makes network request 17 IoCs

Processes:

cmd.exe

flow	pid	process
8	796	cmd.exe
10	796	cmd.exe
12	796	cmd.exe
17	796	cmd.exe
18	796	cmd.exe
19	796	cmd.exe
20	796	cmd.exe
23	796	cmd.exe
24	796	cmd.exe
26	796	cmd.exe
27	796	cmd.exe
28	796	cmd.exe
29	796	cmd.exe
30	796	cmd.exe
36	796	cmd.exe
37	796	cmd.exe
38	796	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1420-60-0x0000000002660000-0x00000000026D2000-memory.dmp	upx
behavioral1/memory/1420-61-0x0000000002660000-0x00000000026D2000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1420-54-0x0000000000400000-0x00000000008D6000-memory.dmp	vmprotect
behavioral1/memory/1420-56-0x0000000000400000-0x00000000008D6000-memory.dmp	vmprotect
behavioral1/memory/1420-57-0x0000000000400000-0x00000000008D6000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

pid process

1420 e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

description pid process target process

PID 1420 set thread context of 796 1420 e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe cmd.exe

description	pid	process	target process
PID 1420 set thread context of 796	1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\yy.com	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\yy.com\NumberOfSubdomains = "1"	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

pid	process
1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

pid process

1420 e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.execmd.exe

pid	process
1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
796	cmd.exe
796	cmd.exe
796	cmd.exe
796	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

description	pid	process	target process
PID 1420 wrote to memory of 796	1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 1420 wrote to memory of 796	1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 1420 wrote to memory of 796	1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 1420 wrote to memory of 796	1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 1420 wrote to memory of 796	1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 1420 wrote to memory of 796	1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 1420 wrote to memory of 796	1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 1420 wrote to memory of 796	1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 1420 wrote to memory of 796	1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 1420 wrote to memory of 796	1420	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
"C:\Users\Admin\AppData\Local\Temp\e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/796-68-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/796-65-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/796-78-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/796-76-0x000000000044E933-mapping.dmp

Download
memory/796-74-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/796-63-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/796-71-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/796-62-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1420-55-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1420-54-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/1420-61-0x0000000002660000-0x00000000026D2000-memory.dmp

Filesize
456KB

Download
memory/1420-60-0x0000000002660000-0x00000000026D2000-memory.dmp

Filesize
456KB

Download
memory/1420-57-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/1420-56-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads