blackmoon | 83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055

General

Target

83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe
Size

617KB
MD5

a40acb3b2bab50ab8bb1ea9330528211
SHA1

972663b4a724271cb0e2da5b165f842a4da924c4
SHA256

83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055
SHA512

d1b6bf7dd9b4473c125ae929989a1225288d5e57fb4d9ad7118e00b746ac00fec7e642cc0a6430d1c2a94bfe7f0bd2f2dc84af3206591cd9bf0f85da65a19f76
SSDEEP

12288:elOzm53eWqJXXUM2mslctPU+1W3r7HsVzlZ4SN1BLGgEow7Sa:mOzuOUM+Kd3g3rQd/7BLGgBw2a

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 9 IoCs

resource	yara_rule
behavioral1/memory/900-98-0x0000000000400000-0x00000000005C0000-memory.dmp	family_blackmoon
behavioral1/memory/900-99-0x0000000000400000-0x00000000005C0000-memory.dmp	family_blackmoon
behavioral1/files/0x0008000000012328-101.dat	family_blackmoon
behavioral1/files/0x0008000000012328-103.dat	family_blackmoon
behavioral1/files/0x0008000000012328-105.dat	family_blackmoon
behavioral1/files/0x0008000000012328-106.dat	family_blackmoon
behavioral1/files/0x0008000000012328-107.dat	family_blackmoon
behavioral1/files/0x0008000000012328-108.dat	family_blackmoon
behavioral1/memory/900-109-0x0000000000400000-0x00000000005C0000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
1840	UpDate.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/900-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-87-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-89-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-91-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-93-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-85-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/900-100-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe
1840	UpDate.exe
1840	UpDate.exe
1840	UpDate.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1840	UpDate.exe
1840	UpDate.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe
900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe
900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe
900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe
900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1840	900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe	29
PID 900 wrote to memory of 1840	900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe	29
PID 900 wrote to memory of 1840	900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe	29
PID 900 wrote to memory of 1840	900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe	29
PID 900 wrote to memory of 1840	900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe	29
PID 900 wrote to memory of 1840	900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe	29
PID 900 wrote to memory of 1840	900	83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe	29

C:\Users\Admin\AppData\Local\Temp\83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe
"C:\Users\Admin\AppData\Local\Temp\83cb837bcf16eddfa4087e7bfdd02576392596d6665c36030368eac3b5671055.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe
  C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe 2.9 %43%3A%5C%55%73%65%72%73%5C%41%64%6D%69%6E%5C%41%70%70%44%61%74%61%5C%4C%6F%63%61%6C%5C%54%65%6D%70%5C%38%33%63%62%38%33%37%62%63%66%31%36%65%64%64%66%61%34%30%38%37%65%37%62%66%64%64%30%32%35%37%36%33%39%32%35%39%36%64%36%36%36%35%63%33%36%30%33%30%33%36%38%65%61%63%33%62%35%36%37%31%30%35%35%2E%65%78%65 ¼Ù http://www.gutou.cc/up/shiyimiaozan.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
296KB

MD5
590787762f9d7779ce9e933047716e78

SHA1
e2b651375975505f337661cfc9cd8910a9d0515a

SHA256
7deef1f98c1c832cc984f96a3833ea2ccbe9404f9914b96132e4cbd4de32d449

SHA512
84db742b90e1bcfba016ca18ecf5adfaa364403582230cf70f4a909d28840c11b53df66fb860b244445afe9bc2ad76ee260cf9920b251ce768dcaf7a213cf596

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
296KB

MD5
590787762f9d7779ce9e933047716e78

SHA1
e2b651375975505f337661cfc9cd8910a9d0515a

SHA256
7deef1f98c1c832cc984f96a3833ea2ccbe9404f9914b96132e4cbd4de32d449

SHA512
84db742b90e1bcfba016ca18ecf5adfaa364403582230cf70f4a909d28840c11b53df66fb860b244445afe9bc2ad76ee260cf9920b251ce768dcaf7a213cf596

Download Submit
\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
296KB

MD5
590787762f9d7779ce9e933047716e78

SHA1
e2b651375975505f337661cfc9cd8910a9d0515a

SHA256
7deef1f98c1c832cc984f96a3833ea2ccbe9404f9914b96132e4cbd4de32d449

SHA512
84db742b90e1bcfba016ca18ecf5adfaa364403582230cf70f4a909d28840c11b53df66fb860b244445afe9bc2ad76ee260cf9920b251ce768dcaf7a213cf596

Download Submit
\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
296KB

MD5
590787762f9d7779ce9e933047716e78

SHA1
e2b651375975505f337661cfc9cd8910a9d0515a

SHA256
7deef1f98c1c832cc984f96a3833ea2ccbe9404f9914b96132e4cbd4de32d449

SHA512
84db742b90e1bcfba016ca18ecf5adfaa364403582230cf70f4a909d28840c11b53df66fb860b244445afe9bc2ad76ee260cf9920b251ce768dcaf7a213cf596

Download Submit
\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
296KB

MD5
590787762f9d7779ce9e933047716e78

SHA1
e2b651375975505f337661cfc9cd8910a9d0515a

SHA256
7deef1f98c1c832cc984f96a3833ea2ccbe9404f9914b96132e4cbd4de32d449

SHA512
84db742b90e1bcfba016ca18ecf5adfaa364403582230cf70f4a909d28840c11b53df66fb860b244445afe9bc2ad76ee260cf9920b251ce768dcaf7a213cf596

Download Submit
\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
296KB

MD5
590787762f9d7779ce9e933047716e78

SHA1
e2b651375975505f337661cfc9cd8910a9d0515a

SHA256
7deef1f98c1c832cc984f96a3833ea2ccbe9404f9914b96132e4cbd4de32d449

SHA512
84db742b90e1bcfba016ca18ecf5adfaa364403582230cf70f4a909d28840c11b53df66fb860b244445afe9bc2ad76ee260cf9920b251ce768dcaf7a213cf596

Download Submit
memory/900-89-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-87-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/900-91-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-93-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-85-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-98-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/900-99-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/900-100-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-109-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/900-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/900-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing