blackmoon | 167affb2b2d7cef7808cbf33560df5d32ade2c73ec2fdac8cd37221d9f3bf435 | Triage

Submit
Reports

Overview

overview

Static

static

167affb2b2...35.exe

windows7-x64

167affb2b2...35.exe

windows10-2004-x64

Sharing

General

Target

167affb2b2d7cef7808cbf33560df5d32ade2c73ec2fdac8cd37221d9f3bf435
Size

37KB
Sample

221128-t9hv9ahh78
MD5

d652d64c99edd2c1b0a97e0128abf75c
SHA1

16d53172333b8b964d55f898fe67dcf109dd71a8
SHA256

167affb2b2d7cef7808cbf33560df5d32ade2c73ec2fdac8cd37221d9f3bf435
SHA512

b9c603e4d0817c82644f630d6ddabb659e817484437d55bdd9d28f49a465996680a9a0545666d56cb46efab90b142cbba7817c9df04fbeff921807b47b96678b
SSDEEP

768:liFz0DRrAJ42J9I/xSZOub7/jdWHRdxnsm474W0HMeAi6bO3it2:w1H9Gx8OubfdWHRrstOVAipiY

Score

10^/10

blackmoon banker persistence trojan upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

167affb2b2d7cef7808cbf33560df5d32ade2c73ec2fdac8cd37221d9f3bf435.exe

Resource

win7-20221111-en

blackmoon banker persistence trojan upx

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

167affb2b2d7cef7808cbf33560df5d32ade2c73ec2fdac8cd37221d9f3bf435.exe

Resource

win10v2004-20220901-en

blackmoon banker persistence trojan upx

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Targets

- Target
  
  167affb2b2d7cef7808cbf33560df5d32ade2c73ec2fdac8cd37221d9f3bf435
- Size
  
  37KB
- MD5
  
  d652d64c99edd2c1b0a97e0128abf75c
- SHA1
  
  16d53172333b8b964d55f898fe67dcf109dd71a8
- SHA256
  
  167affb2b2d7cef7808cbf33560df5d32ade2c73ec2fdac8cd37221d9f3bf435
- SHA512
  
  b9c603e4d0817c82644f630d6ddabb659e817484437d55bdd9d28f49a465996680a9a0545666d56cb46efab90b142cbba7817c9df04fbeff921807b47b96678b
- SSDEEP
  
  768:liFz0DRrAJ42J9I/xSZOub7/jdWHRdxnsm474W0HMeAi6bO3it2:w1H9Gx8OubfdWHRrstOVAipiY
Score

10^/10

blackmoon banker persistence trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

blackmoonbankerpersistencetrojanupx

behavioral2

blackmoonbankerpersistencetrojanupx

© 2018-2024

Terms | Privacy