blackmoon | 6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1

General

Target

6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe
Size

438KB
MD5

edff2cab0b78c2a8fdabc8dbb440d2c3
SHA1

113e3b0b233c073a44c06a685f68e9400e21efb6
SHA256

6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1
SHA512

6a10fb5979b1d66a8461da50ad50f9d73ae1b93d9c9d74be83b97feb52388780bfd290c814bb05707a9374d622ac75d1b2664766db2e399609864945c2f6044a
SSDEEP

12288:Z1w/VTZZkBi0awczzzd1VCDlYic4HNfIxoS:H+b+i0aDkBceJ

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/564-64-0x0000000000400000-0x00000000004B8000-memory.dmp	family_blackmoon
behavioral1/memory/564-67-0x0000000000400000-0x00000000004B8000-memory.dmp	family_blackmoon

Executes dropped EXE 2 IoCs

pid	Process
960	svchost.exe
1632	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012314-54.dat	upx
behavioral1/files/0x0008000000012314-56.dat	upx
behavioral1/memory/564-64-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/960-66-0x0000000000FE0000-0x00000000011DA000-memory.dmp	upx
behavioral1/memory/564-67-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/960-68-0x0000000000FE0000-0x00000000011DA000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
564	6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe
564	6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe
564	6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{A4FC6719-AFD5-4F8E-8138-B35FA78CD671}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{A4FC6719-AFD5-4F8E-8138-B35FA78CD671}\ = "16358"	svchost.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1632	svchost.exe
960	svchost.exe
960	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	960	svchost.exe
Token: SeDebugPrivilege	960	svchost.exe
Token: SeDebugPrivilege	960	svchost.exe
Token: SeDebugPrivilege	960	svchost.exe
Token: SeDebugPrivilege	960	svchost.exe
Token: SeDebugPrivilege	960	svchost.exe
Token: SeDebugPrivilege	960	svchost.exe
Token: SeDebugPrivilege	960	svchost.exe
Token: SeDebugPrivilege	960	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 960	564	6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe	28
PID 564 wrote to memory of 960	564	6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe	28
PID 564 wrote to memory of 960	564	6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe	28
PID 564 wrote to memory of 960	564	6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe	28
PID 564 wrote to memory of 1632	564	6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe	29
PID 564 wrote to memory of 1632	564	6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe	29
PID 564 wrote to memory of 1632	564	6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe	29
PID 564 wrote to memory of 1632	564	6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe	29

C:\Users\Admin\AppData\Local\Temp\6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe
"C:\Users\Admin\AppData\Local\Temp\6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\19535\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\19535\svchost.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Users\Admin\AppData\Local\Temp\195352\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\195352\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\195352\svchost.exe

Filesize
176KB

MD5
5d917c38c107a8a1a51431639721e148

SHA1
913e0ae47537d6e023e4bd46cc4e7d9da8bd128f

SHA256
04bc5a5b0bbf8e52fa5305df4e7cc87b96b06c8952e43e7ba801f4a34e074ea7

SHA512
b476963d93f5cab6ee5c2232af71a7bcbee6a26def69fb12694f6d87106b796d587e70ee619dd149bf5017b1d5f2997babfe8bc04b71c91dd4bf0ed89d09461b

Download Submit
C:\Users\Admin\AppData\Local\Temp\195352\svchost.exe

Filesize
176KB

MD5
5d917c38c107a8a1a51431639721e148

SHA1
913e0ae47537d6e023e4bd46cc4e7d9da8bd128f

SHA256
04bc5a5b0bbf8e52fa5305df4e7cc87b96b06c8952e43e7ba801f4a34e074ea7

SHA512
b476963d93f5cab6ee5c2232af71a7bcbee6a26def69fb12694f6d87106b796d587e70ee619dd149bf5017b1d5f2997babfe8bc04b71c91dd4bf0ed89d09461b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19535\svchost.exe

Filesize
328KB

MD5
9240869c842b43abde5d9064c0517926

SHA1
ef13f9926408f2fc4a225de7b7b0fdf5120008ca

SHA256
a89ff31455e29d91ba1320b67bb063bbfb7761011d300f489f886ec2e9b0f2d8

SHA512
385b18b8dcc5f77078cf6fb0d76a213439dad6cb5d8c53220eb9d0e92c62c873681cd2aaaabf1ec726096606edef5306c6bd871529b0b8ae00f3b92941e16565

Download Submit
\Users\Admin\AppData\Local\Temp\195352\svchost.exe

Filesize
176KB

MD5
5d917c38c107a8a1a51431639721e148

SHA1
913e0ae47537d6e023e4bd46cc4e7d9da8bd128f

SHA256
04bc5a5b0bbf8e52fa5305df4e7cc87b96b06c8952e43e7ba801f4a34e074ea7

SHA512
b476963d93f5cab6ee5c2232af71a7bcbee6a26def69fb12694f6d87106b796d587e70ee619dd149bf5017b1d5f2997babfe8bc04b71c91dd4bf0ed89d09461b

Download Submit
\Users\Admin\AppData\Local\Temp\195352\svchost.exe

Filesize
176KB

MD5
5d917c38c107a8a1a51431639721e148

SHA1
913e0ae47537d6e023e4bd46cc4e7d9da8bd128f

SHA256
04bc5a5b0bbf8e52fa5305df4e7cc87b96b06c8952e43e7ba801f4a34e074ea7

SHA512
b476963d93f5cab6ee5c2232af71a7bcbee6a26def69fb12694f6d87106b796d587e70ee619dd149bf5017b1d5f2997babfe8bc04b71c91dd4bf0ed89d09461b

Download Submit
\Users\Admin\AppData\Local\Temp\19535\svchost.exe

Filesize
328KB

MD5
9240869c842b43abde5d9064c0517926

SHA1
ef13f9926408f2fc4a225de7b7b0fdf5120008ca

SHA256
a89ff31455e29d91ba1320b67bb063bbfb7761011d300f489f886ec2e9b0f2d8

SHA512
385b18b8dcc5f77078cf6fb0d76a213439dad6cb5d8c53220eb9d0e92c62c873681cd2aaaabf1ec726096606edef5306c6bd871529b0b8ae00f3b92941e16565

Download Submit
memory/564-64-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/564-65-0x0000000001FE0000-0x00000000021DA000-memory.dmp

Filesize
2.0MB

Download
memory/564-67-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/960-57-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/960-66-0x0000000000FE0000-0x00000000011DA000-memory.dmp

Filesize
2.0MB

Download
memory/960-68-0x0000000000FE0000-0x00000000011DA000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing