blackmoon | 72b2c9237870304be9925de2263b171ffdb4afb1c3c1e80f209fd3913c6d61a5 | Triage

Submit
Reports

Overview

overview

Static

static

72b2c92378...a5.exe

windows7-x64

72b2c92378...a5.exe

windows10-2004-x64

Sharing

General

Target

72b2c9237870304be9925de2263b171ffdb4afb1c3c1e80f209fd3913c6d61a5
Size

139KB
Sample

221126-v8tf2afa6t
MD5

9c8e5c253c092a4b57e71637c8c82f32
SHA1

9de7e6eaff226aae710434ec3c85f3bec9048119
SHA256

72b2c9237870304be9925de2263b171ffdb4afb1c3c1e80f209fd3913c6d61a5
SHA512

60dfc82a06c918b6d13fe2aee3ca9b46c2441777c56702bcfb1fd47ec38add44bf4d55eae07ca3e38cac0e8a09ff3cf1bef7a982ce713939f5ba85a8b1c69223
SSDEEP

3072:yZoThHgWy6pi16eEYkXZNqRtT6V/xMcJBFlX9aUGpMyout:yugEUNGFvBF7OpoS

Score

10^/10

blackmoon banker persistence trojan vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

72b2c9237870304be9925de2263b171ffdb4afb1c3c1e80f209fd3913c6d61a5.exe

Resource

win7-20220812-en

blackmoon banker persistence trojan vmprotect

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

72b2c9237870304be9925de2263b171ffdb4afb1c3c1e80f209fd3913c6d61a5.exe

Resource

win10v2004-20220901-en

blackmoon banker persistence trojan vmprotect

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  72b2c9237870304be9925de2263b171ffdb4afb1c3c1e80f209fd3913c6d61a5
- Size
  
  139KB
- MD5
  
  9c8e5c253c092a4b57e71637c8c82f32
- SHA1
  
  9de7e6eaff226aae710434ec3c85f3bec9048119
- SHA256
  
  72b2c9237870304be9925de2263b171ffdb4afb1c3c1e80f209fd3913c6d61a5
- SHA512
  
  60dfc82a06c918b6d13fe2aee3ca9b46c2441777c56702bcfb1fd47ec38add44bf4d55eae07ca3e38cac0e8a09ff3cf1bef7a982ce713939f5ba85a8b1c69223
- SSDEEP
  
  3072:yZoThHgWy6pi16eEYkXZNqRtT6V/xMcJBFlX9aUGpMyout:yugEUNGFvBF7OpoS
Score

10^/10

blackmoon banker persistence trojan vmprotect
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies AppInit DLL entries
  persistence
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerpersistencetrojanvmprotect

behavioral2

blackmoonbankerpersistencetrojanvmprotect

© 2018-2024

Terms | Privacy