blackmoon | fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c

General

Target

fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
Size

311KB
MD5

3acae02fcb29940d3473010c8a2a9cbd
SHA1

c843ad5ff8b01eafe64ecad030beb24fd336a8dc
SHA256

fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c
SHA512

212ac5b1cedc571541e18a8a67f02309612a7e242a08fe66a0e549ca616d1bf885658f8342d23e6e9f5b9200a4eb6f43e63d3fe86198c59f3e250dad9adae6d7
SSDEEP

6144:OUfoCVoAqF5gxYLQPfcwSVyqFoSZYV/2Jzid+mzk7A1j:OYnKF5gcQHLioSWc7m

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/864-64-0x0000000000400000-0x0000000000442000-memory.dmp	family_blackmoon
behavioral1/memory/864-68-0x0000000000400000-0x0000000000442000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

Fobeka.exe

pid process

864 Fobeka.exe
Loads dropped DLL 1 IoCs

Processes:

fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe

pid process

1752 fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe

pid	process
864	Fobeka.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exeFobeka.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe"	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Fobeka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syotom = "C:\\WINDOWS\\srchasstsss\\Fobeka.exe"	Fobeka.exe

Drops file in Windows directory 5 IoCs

Processes:

fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe

description	ioc	process
File created	C:\WINDOWS\srchasstsss\Fobeka.vbs	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
File opened for modification	C:\WINDOWS\IE.txt	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
File created	C:\WINDOWS\srchasstsss\V3like.vbs	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
File created	C:\WINDOWS\srchasstsss\Fobeka.exe	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
File created	C:\WINDOWS\srchasstsss\Fobeka.bat	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000279787bc58d0d347998c44a73cbfbfe100000000020000000000106600000001000020000000c5ce7f99ceaf642c7a55fc1def882baa22c2dd1a0b7dc86bad0739bd06e5a84c000000000e8000000002000020000000ac6a3441573638cb30caa8ad003c409d754759f92a6841cb85e8169a365f0eaf90000000eb4d9a07191ef5802182260136c9101a418f693749f40ff29a34541a7ea27a5813fd3bf1b4c22ccba8b8e9720c23c40a79560848881701b387a2b79cd264ea9a52690e2c46ef6110b7f95c49dfa0a128ac8282a55c3b4fe52e12e4164ecea7a19616d0311db1851d6fb6de52945b12b715882e38f1c475ecbe34db80c92537e7ffc0c5a49a782b9a68a2154448f2919c40000000ce7f100b5f8d78ca1cf8a3b2bb13d626e42e3acc4463611a934802eb0da3e3d54f4221223e8b20dd89572dae5199056ff1f42d60d96c89f1cb78e3cb84f82662	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d05b03245801d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{209703C1-6D4B-11ED-B68C-6A6CB2F85B9F} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375602401"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000279787bc58d0d347998c44a73cbfbfe100000000020000000000106600000001000020000000b3c46b7866790bad02ef4dd2fcd1f6602cd9c9e7bf119079db5df6e2fe470dd2000000000e8000000002000020000000310e9cef0e02b5f7b38635eb44923fa303eb6ef89e8188daf7ce0911a59099d4200000006fcd3fe0efb22aaea5e1aad1d6ff1799c601d1c506553c4b3f70285c28a9f87140000000a800303e603426c50d6a97c01ee6c0c92b748d55f619fc515ce6c1eeede30ba53b8c030f99d58bd5520654b19df3e2834cdd0274cf859780b81e637705a5aee0	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe

pid process

1752 fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1280 IEXPLORE.EXE

pid	process
1280	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE
1416	IEXPLORE.EXE
1416	IEXPLORE.EXE
1416	IEXPLORE.EXE
1416	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exeIEXPLORE.EXE

description	pid	process	target process
PID 1752 wrote to memory of 864	1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe	Fobeka.exe
PID 1752 wrote to memory of 864	1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe	Fobeka.exe
PID 1752 wrote to memory of 864	1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe	Fobeka.exe
PID 1752 wrote to memory of 864	1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe	Fobeka.exe
PID 1752 wrote to memory of 1940	1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe	WScript.exe
PID 1752 wrote to memory of 1940	1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe	WScript.exe
PID 1752 wrote to memory of 1940	1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe	WScript.exe
PID 1752 wrote to memory of 1940	1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe	WScript.exe
PID 1752 wrote to memory of 1280	1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe	IEXPLORE.EXE
PID 1752 wrote to memory of 1280	1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe	IEXPLORE.EXE
PID 1752 wrote to memory of 1280	1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe	IEXPLORE.EXE
PID 1752 wrote to memory of 1280	1752	fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe	IEXPLORE.EXE
PID 1280 wrote to memory of 1416	1280	IEXPLORE.EXE	IEXPLORE.EXE
PID 1280 wrote to memory of 1416	1280	IEXPLORE.EXE	IEXPLORE.EXE
PID 1280 wrote to memory of 1416	1280	IEXPLORE.EXE	IEXPLORE.EXE
PID 1280 wrote to memory of 1416	1280	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
"C:\Users\Admin\AppData\Local\Temp\fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\WINDOWS\srchasstsss\Fobeka.exe
C:\WINDOWS\srchasstsss\Fobeka.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WINDOWS\srchasstsss\V3like.vbs"
2⤵
PID:1940

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" www.naver.com
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\srchasstsss\Fobeka.exe
Filesize
86KB

MD5
16a11eee5b66798df236ba4f066ba795

SHA1
eaae9ae757f995df5f3f09dc2902c80d874edd03

SHA256
8bed8f6d002dd96535d13e6c8ed65694fab7a7a8f61af8a146e0ab4a38e99dfc

SHA512
a52f68e750e8e3a844f53960598a8de0754bbd914b602479f3be412e7f19c51aa50020333386ec812f15749b098572672130742e9395c07d941ebeaf84ff0771

Download Submit
C:\WINDOWS\srchasstsss\V3like.vbs
Filesize
86B

MD5
5e480601cc42498b764ba33a10766cbd

SHA1
d306d8dfe2ff756996bd61d43106210cc42eeba8

SHA256
b4d1791c17f6a9ccd5c45313b9993827e4e87ef3a68aa227c55589208ae04ffd

SHA512
295b5e21392c5af0f17e895f59dff4de894d37f25c6f8aa1dfe85cbfc19c177682a3d2a6be80a83cf6b737a7b196a5184ce9e24c67ae33dbda766f8bc81e216a

Download Submit
C:\Windows\srchasstsss\Fobeka.exe
Filesize
86KB

MD5
16a11eee5b66798df236ba4f066ba795

SHA1
eaae9ae757f995df5f3f09dc2902c80d874edd03

SHA256
8bed8f6d002dd96535d13e6c8ed65694fab7a7a8f61af8a146e0ab4a38e99dfc

SHA512
a52f68e750e8e3a844f53960598a8de0754bbd914b602479f3be412e7f19c51aa50020333386ec812f15749b098572672130742e9395c07d941ebeaf84ff0771

Download Submit
\Windows\srchasstsss\Fobeka.exe
Filesize
86KB

MD5
16a11eee5b66798df236ba4f066ba795

SHA1
eaae9ae757f995df5f3f09dc2902c80d874edd03

SHA256
8bed8f6d002dd96535d13e6c8ed65694fab7a7a8f61af8a146e0ab4a38e99dfc

SHA512
a52f68e750e8e3a844f53960598a8de0754bbd914b602479f3be412e7f19c51aa50020333386ec812f15749b098572672130742e9395c07d941ebeaf84ff0771

Download Submit
memory/864-56-0x0000000000000000-mapping.dmp

Download
memory/864-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/864-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1752-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1752-63-0x0000000000240000-0x0000000000282000-memory.dmp

Filesize
264KB

Download
memory/1752-62-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1752-66-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1752-67-0x0000000000240000-0x0000000000282000-memory.dmp

Filesize
264KB

Download
memory/1940-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads