blackmoon | e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b

General

Target

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
Size

2.1MB
MD5

0287e13e0df148a77e8e0b829918ea13
SHA1

c02d090847f4e91423e98a2857c696fa2be802e3
SHA256

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b
SHA512

bbe4877d88a1903ce3bbf165b3e4545c46a993d030d9ae491cdc5d0f742926a36cb43cf5d309bc9c997c9d8d5acb9fd9825b091bba187162a45bb9410bea2575
SSDEEP

49152:N+Bp091F1Eu/4opVwg3DT6KvN2Ne1O1ez4Br0ORZCfBV3U6g:ABK9Cu/dwg3KqEBrbRZG3U6

Score

10^/10

blackmoon banker trojan upx vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/320-133-0x0000000000400000-0x00000000008D6000-memory.dmp	family_blackmoon
behavioral2/memory/320-145-0x0000000000400000-0x00000000008D6000-memory.dmp	family_blackmoon

Blocklisted process makes network request 15 IoCs

Processes:

cmd.exe

flow	pid	process
74	1092	cmd.exe
105	1092	cmd.exe
107	1092	cmd.exe
109	1092	cmd.exe
121	1092	cmd.exe
122	1092	cmd.exe
123	1092	cmd.exe
124	1092	cmd.exe
125	1092	cmd.exe
126	1092	cmd.exe
127	1092	cmd.exe
128	1092	cmd.exe
130	1092	cmd.exe
132	1092	cmd.exe
133	1092	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/320-136-0x0000000002860000-0x00000000028D2000-memory.dmp	upx
behavioral2/memory/320-137-0x0000000002860000-0x00000000028D2000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/320-132-0x0000000000400000-0x00000000008D6000-memory.dmp	vmprotect
behavioral2/memory/320-133-0x0000000000400000-0x00000000008D6000-memory.dmp	vmprotect
behavioral2/memory/320-145-0x0000000000400000-0x00000000008D6000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

pid process

320 e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

description pid process target process

PID 320 set thread context of 1092 320 e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe cmd.exe

description	pid	process	target process
PID 320 set thread context of 1092	320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\yy.com	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yy.com	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yy.com\NumberOfSubdomains = "1"	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

pid	process
320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

pid process

320 e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.execmd.exe

pid	process
320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
1092	cmd.exe
1092	cmd.exe
1092	cmd.exe
1092	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe

description	pid	process	target process
PID 320 wrote to memory of 1092	320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 320 wrote to memory of 1092	320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 320 wrote to memory of 1092	320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 320 wrote to memory of 1092	320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 320 wrote to memory of 1092	320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 320 wrote to memory of 1092	320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 320 wrote to memory of 1092	320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 320 wrote to memory of 1092	320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe
PID 320 wrote to memory of 1092	320	e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
"C:\Users\Admin\AppData\Local\Temp\e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-132-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/320-133-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/320-136-0x0000000002860000-0x00000000028D2000-memory.dmp

Filesize
456KB

Download
memory/320-137-0x0000000002860000-0x00000000028D2000-memory.dmp

Filesize
456KB

Download
memory/320-145-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/1092-138-0x0000000000000000-mapping.dmp

Download
memory/1092-139-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1092-140-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1092-141-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1092-142-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1092-144-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads