blackmoon | 731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215

General

Target

731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215.exe
Size

3.1MB
MD5

f2733cc44798b9014af14f7bc7d280de
SHA1

0f6a947f59710ef5dd197ed9ee02d00e72aef420
SHA256

731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215
SHA512

a03fc99fa026eaeac18fa1d3b0830eaeca4ee431601b9a752c31926a1a34589795faffb05a9c053e6ddd86dde335913a5ccf7b5a14055436c8bc341ac541aa31
SSDEEP

98304:al94XfeyP6RDfyu8LSMyj0mdQ1820sJPLaYy/:al2X2yiNKtSTdQ18dsJP+

Score

10^/10

blackmoon banker evasion trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4452-150-0x0000000000400000-0x00000000009C8000-memory.dmp	family_blackmoon
behavioral2/memory/4452-152-0x0000000000400000-0x00000000009C8000-memory.dmp	family_blackmoon
behavioral2/memory/4452-154-0x0000000000400000-0x00000000009C8000-memory.dmp	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\jedata.dll	acprotect

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
Executes dropped EXE 3 IoCs

Processes:

ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exeÄ¾Âí.exeÄ¾Âí.exe

pid process

4452 ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
2844 Ä¾Âí.exe
552 Ä¾Âí.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5004-132-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5004-140-0x0000000000400000-0x000000000041C000-memory.dmp	upx
C:\Windows\jedata.dll	upx
behavioral2/memory/4452-151-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4452-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Wine	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

Loads dropped DLL 1 IoCs

Processes:

ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

pid process

4452 ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

pid process

4452 ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ä¾Âí.exe

description pid process target process

PID 2844 set thread context of 552 2844 Ä¾Âí.exe Ä¾Âí.exe

description	pid	process	target process
PID 2844 set thread context of 552	2844	Ä¾Âí.exe	Ä¾Âí.exe

Drops file in Windows directory 2 IoCs

Processes:

ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

description	ioc	process
File created	C:\Windows\jedata.dll	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
File created	C:\Windows\win8.she	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4248 552 WerFault.exe Ä¾Âí.exe
1876 4452 WerFault.exe ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

pid process

4452 ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
4452 ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

pid	pid_target	process	target process
4248	552	WerFault.exe	Ä¾Âí.exe
1876	4452	WerFault.exe	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

pid	process
4452	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
4452	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
4452	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
4452	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
4452	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215.exeÄ¾Âí.exe

description	pid	process	target process
PID 5004 wrote to memory of 4452	5004	731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215.exe	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
PID 5004 wrote to memory of 4452	5004	731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215.exe	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
PID 5004 wrote to memory of 4452	5004	731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215.exe	ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
PID 5004 wrote to memory of 2844	5004	731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215.exe	Ä¾Âí.exe
PID 5004 wrote to memory of 2844	5004	731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215.exe	Ä¾Âí.exe
PID 5004 wrote to memory of 2844	5004	731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215.exe	Ä¾Âí.exe
PID 2844 wrote to memory of 552	2844	Ä¾Âí.exe	Ä¾Âí.exe
PID 2844 wrote to memory of 552	2844	Ä¾Âí.exe	Ä¾Âí.exe
PID 2844 wrote to memory of 552	2844	Ä¾Âí.exe	Ä¾Âí.exe
PID 2844 wrote to memory of 552	2844	Ä¾Âí.exe	Ä¾Âí.exe
PID 2844 wrote to memory of 552	2844	Ä¾Âí.exe	Ä¾Âí.exe

C:\Users\Admin\AppData\Local\Temp\731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215.exe
"C:\Users\Admin\AppData\Local\Temp\731d9c2e4935e83a70b356cc2bff117777082e49bb43ccd9857863e0f8cbd215.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5004

C:\Users\Admin\AppData\Local\Temp\Temp\ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp\ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1688
3⤵
- Program crash
PID:1876

C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe
"C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe
C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe
3⤵
- Executes dropped EXE
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 80
4⤵
- Program crash
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 552 -ip 552
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4452 -ip 4452
1⤵
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe
Filesize
5.8MB

MD5
eaaa7d585fe518826886961768b03d25

SHA1
ffbb1af5deab0b416d2d8db1f2f18ac0c1093b7a

SHA256
e3f3c0bf1db79593daf1d579ba95fb2f655e59c889d233e742c2c23e7b7a71db

SHA512
8e3c1bf285d98eb3718402df3467332055713e0d2de5c3748bcae78815e72657d2c143148a22ac722ee26831740981acc2515f6d2da2e0f4d982ff29fa1bcf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe
Filesize
5.8MB

MD5
eaaa7d585fe518826886961768b03d25

SHA1
ffbb1af5deab0b416d2d8db1f2f18ac0c1093b7a

SHA256
e3f3c0bf1db79593daf1d579ba95fb2f655e59c889d233e742c2c23e7b7a71db

SHA512
8e3c1bf285d98eb3718402df3467332055713e0d2de5c3748bcae78815e72657d2c143148a22ac722ee26831740981acc2515f6d2da2e0f4d982ff29fa1bcf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe
Filesize
5.8MB

MD5
eaaa7d585fe518826886961768b03d25

SHA1
ffbb1af5deab0b416d2d8db1f2f18ac0c1093b7a

SHA256
e3f3c0bf1db79593daf1d579ba95fb2f655e59c889d233e742c2c23e7b7a71db

SHA512
8e3c1bf285d98eb3718402df3467332055713e0d2de5c3748bcae78815e72657d2c143148a22ac722ee26831740981acc2515f6d2da2e0f4d982ff29fa1bcf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
Filesize
3.0MB

MD5
51f2e214a0cd49d78b93092e25270a9b

SHA1
53091dc8ebd8f86ff5091bcd10fb9ca03adc7686

SHA256
9edae2b07d53d0e39993e079e115dc146f42c078d4b4fd2df506921460d5fca2

SHA512
73d5d7d801a4b78c23d5ccd12702e68c8475e7db204e627eb76881c2f76d1c5798558b7914e494d8fc9b26797e8180418ecd30e4753d563dfb8fe829f6a588eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\ÅÜÅÜÓÎÏÀÈ«¹¦ÄÜ1127Ãâ·Ñ°æ.exe
Filesize
3.0MB

MD5
51f2e214a0cd49d78b93092e25270a9b

SHA1
53091dc8ebd8f86ff5091bcd10fb9ca03adc7686

SHA256
9edae2b07d53d0e39993e079e115dc146f42c078d4b4fd2df506921460d5fca2

SHA512
73d5d7d801a4b78c23d5ccd12702e68c8475e7db204e627eb76881c2f76d1c5798558b7914e494d8fc9b26797e8180418ecd30e4753d563dfb8fe829f6a588eb

Download Submit
C:\Windows\jedata.dll
Filesize
86KB

MD5
114054313070472cd1a6d7d28f7c5002

SHA1
9a044986e6101df1a126035da7326a50c3fe9a23

SHA256
e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

SHA512
a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

Download Submit
memory/552-146-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

Filesize
96KB

Download
memory/552-141-0x0000000000000000-mapping.dmp

Download
memory/552-142-0x000000000001B000-0x000000000002A000-memory.dmp

Filesize
60KB

Download
memory/552-143-0x000000000001B000-0x0000000000022382-memory.dmp

Filesize
28KB

Download
memory/2844-145-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

Filesize
96KB

Download
memory/2844-137-0x0000000000000000-mapping.dmp

Download
memory/4452-150-0x0000000000400000-0x00000000009C8000-memory.dmp

Filesize
5.8MB

Download
memory/4452-136-0x0000000000400000-0x00000000009C8000-memory.dmp

Filesize
5.8MB

Download
memory/4452-147-0x00000000026C0000-0x0000000002823000-memory.dmp

Filesize
1.4MB

Download
memory/4452-148-0x0000000077B20000-0x0000000077CC3000-memory.dmp

Filesize
1.6MB

Download
memory/4452-133-0x0000000000000000-mapping.dmp

Download
memory/4452-151-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4452-152-0x0000000000400000-0x00000000009C8000-memory.dmp

Filesize
5.8MB

Download
memory/4452-153-0x0000000077B20000-0x0000000077CC3000-memory.dmp

Filesize
1.6MB

Download
memory/4452-154-0x0000000000400000-0x00000000009C8000-memory.dmp

Filesize
5.8MB

Download
memory/4452-155-0x0000000077B20000-0x0000000077CC3000-memory.dmp

Filesize
1.6MB

Download
memory/4452-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5004-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5004-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads