blackmoon | fce58603d18b169d67fee4a3df7d39757a4126716703840acfe8cfb5e34990e9

General

Target

fce58603d18b169d67fee4a3df7d39757a4126716703840acfe8cfb5e34990e9.exe
Size

688KB
MD5

b2e12c662badc96d34a096f48db2d85c
SHA1

d6d99f90c0dd1a56a1285532254a1c92a6024077
SHA256

fce58603d18b169d67fee4a3df7d39757a4126716703840acfe8cfb5e34990e9
SHA512

52815a032f3f88758098757fe18bf575423f481a6e58586fc5f80105cce4d367373913516c802decb225e92b2fb0bf3c130163dc2e75d15b4239a16001dbde92
SSDEEP

12288:Q8pU1gjXtuyO5lwwP5JuPi4k57It16nP0jaogTF4mFvnnkWTVb5VedvRoqr+In3/:Q8pUcU98wD6uIp2tL/35bLLRQ/

Score

10^/10

blackmoon banker trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1992-57-0x0000000000400000-0x0000000000669000-memory.dmp	family_blackmoon

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1992-55-0x0000000000400000-0x0000000000669000-memory.dmp	vmprotect
behavioral1/memory/1992-57-0x0000000000400000-0x0000000000669000-memory.dmp	vmprotect

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376231026"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000436de9ffce6afde561b96f380a17475d0dd75472031eecf3141549f1381a49bd000000000e8000000002000020000000a161c7653107459dada8492a0546bda129d399d08bfbfc834bd3b9b3e77cc70a200000006ae5ed8b843513dd4d28c73bf0cde881380385e237b72bacfba533f2decf822740000000a3d9b6271df1872f8f42614f6e17e570bfd7c80750e7ba8e362db9016346c0b068f846f1f27667a87b00d606a98b711e66128e34420ac07500540b2298cdb3cc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9FE917E1-6D86-11ED-85B0-EA20C184BE27} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000dad8d102cc9c4235ef4ea3dae38691e9f93f912d8f9fb4a397bcacda9b9dd8fc000000000e80000000020000200000006509b83be83c2a584baa4f37ff9209dc7a666b7ef5d6d6da18bec84dd5bc1b8f90000000e3bbe032715f4fd1d389c35e6005735fe27a4334f854f3039bca448f61ac1ea95bbb8a6116f000a2a8a1e261a94583ccfe2ae821148a7b3b9c92e4e2758740794541fda28f44f8bb0fbf93a0425c443408d40cb339fbf9adbd3a97e5fae60733f25bdcf1967307049e9eef6f62ba97b32dabc386f3d9f125ab69efb9c4a07f75e14d2dd9adab0b9482003159474e47c040000000b8e34e7420aa9ac6afef4ba48732edf9c2bffac2194b45c2535400bf25a16fdc374de25703a8c8b52d454f7a7662d9513ed8ee4ed7d3cb5710940b4a6361091d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90af069a9301d901	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

560 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

560 iexplore.exe
560 iexplore.exe
2000 IEXPLORE.EXE
2000 IEXPLORE.EXE
2000 IEXPLORE.EXE
2000 IEXPLORE.EXE

pid	process
560	iexplore.exe

pid	process
560	iexplore.exe
560	iexplore.exe
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fce58603d18b169d67fee4a3df7d39757a4126716703840acfe8cfb5e34990e9.exeiexplore.exe

description	pid	process	target process
PID 1992 wrote to memory of 560	1992	fce58603d18b169d67fee4a3df7d39757a4126716703840acfe8cfb5e34990e9.exe	iexplore.exe
PID 1992 wrote to memory of 560	1992	fce58603d18b169d67fee4a3df7d39757a4126716703840acfe8cfb5e34990e9.exe	iexplore.exe
PID 1992 wrote to memory of 560	1992	fce58603d18b169d67fee4a3df7d39757a4126716703840acfe8cfb5e34990e9.exe	iexplore.exe
PID 1992 wrote to memory of 560	1992	fce58603d18b169d67fee4a3df7d39757a4126716703840acfe8cfb5e34990e9.exe	iexplore.exe
PID 560 wrote to memory of 2000	560	iexplore.exe	IEXPLORE.EXE
PID 560 wrote to memory of 2000	560	iexplore.exe	IEXPLORE.EXE
PID 560 wrote to memory of 2000	560	iexplore.exe	IEXPLORE.EXE
PID 560 wrote to memory of 2000	560	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\fce58603d18b169d67fee4a3df7d39757a4126716703840acfe8cfb5e34990e9.exe
"C:\Users\Admin\AppData\Local\Temp\fce58603d18b169d67fee4a3df7d39757a4126716703840acfe8cfb5e34990e9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.csolwg.com/?app=error&s=Windows7-64
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PO6DWTW0.txt

Filesize
608B

MD5
dbbf34c9f2796e4702510375ed037332

SHA1
cb90d05f5c97a56b6afa14dd3d408f7ee3e9dc10

SHA256
17f58c57d21999a8d0501d0abfd9731d97cca18067af938dc29904cb2a9c1171

SHA512
8271708914962a62dd14746a8547df5b51c2074fe1b34cdd66f4b2198341ea9aea4a486d57e4f6495ab8b181c9cf9735d1c2ca5381d011b2478b6afeb002a9c3

Download Submit
memory/1992-54-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1992-55-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/1992-56-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/1992-57-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads