blackmoon | 24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5 | Triage

Submit
Reports

Overview

overview

Static

static

24b375ab54...c5.exe

windows7-x64

24b375ab54...c5.exe

windows10-2004-x64

Sharing

General

Target

24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5
Size

1.2MB
Sample

221127-adcvksef27
MD5

dabbdef24d997cfeec98d06664f72bea
SHA1

1b0e59f221a085787267d0617014f49cd786cb8b
SHA256

24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5
SHA512

9f92622063fd713903a298a7a82bad85c6851b932381ff408f6a7ac049e863e573cbfcc732843eef45a6d67ec773a40824050950f6cf465df9e6cde16be8b533
SSDEEP

24576:O6rI9Eg9Z/NrgbtXQXAskv3L/Kp5uBaZaVPWXi3AWA1YXrjGKb8JWPlgfuMe:eG81KrskfbKpAa6R3AePGKUWafP

Score

10^/10

blackmoon banker persistence trojan upx vmprotect

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe

Resource

win7-20221111-en

blackmoon banker persistence trojan upx vmprotect

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe

Resource

win10v2004-20221111-en

blackmoon banker persistence trojan upx vmprotect

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5
- Size
  
  1.2MB
- MD5
  
  dabbdef24d997cfeec98d06664f72bea
- SHA1
  
  1b0e59f221a085787267d0617014f49cd786cb8b
- SHA256
  
  24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5
- SHA512
  
  9f92622063fd713903a298a7a82bad85c6851b932381ff408f6a7ac049e863e573cbfcc732843eef45a6d67ec773a40824050950f6cf465df9e6cde16be8b533
- SSDEEP
  
  24576:O6rI9Eg9Z/NrgbtXQXAskv3L/Kp5uBaZaVPWXi3AWA1YXrjGKb8JWPlgfuMe:eG81KrskfbKpAa6R3AePGKUWafP
Score

10^/10

blackmoon banker persistence trojan upx vmprotect
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

blackmoonbankerpersistencetrojanupxvmprotect

behavioral2

blackmoonbankerpersistencetrojanupxvmprotect

© 2018-2024

Terms | Privacy