blackmoon | 8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8 | Triage

Submit
Reports

Overview

overview

Static

static

8f2fdc0a52...b8.exe

windows7-x64

8f2fdc0a52...b8.exe

windows10-2004-x64

Sharing

General

Target

8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8
Size

141KB
Sample

221129-f9vcdsdf4v
MD5

b87df20eda8aea1594ce221ee1fc550a
SHA1

a5e985819ed2be3433b7caa8901e2b6bcb237fc9
SHA256

8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8
SHA512

77a1c83ad951bde5561ae6377f91ce2643962a51f98005b56fa6874ae8e0c35256d715e784703ff2d2cb273cf19d500316661d59ddc37a6712843781c504cef5
SSDEEP

3072:iS13dexXhf2hek4txILwTFnvt2c3Ek4oAJ/gDH9gzuaEgTsDz:iS1twl2he9RIc0kBzuu+s

Score

10^/10

blackmoon banker persistence trojan vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe

Resource

win7-20221111-en

blackmoon banker persistence trojan vmprotect

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe

Resource

win10v2004-20220812-en

blackmoon banker persistence trojan vmprotect

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8
- Size
  
  141KB
- MD5
  
  b87df20eda8aea1594ce221ee1fc550a
- SHA1
  
  a5e985819ed2be3433b7caa8901e2b6bcb237fc9
- SHA256
  
  8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8
- SHA512
  
  77a1c83ad951bde5561ae6377f91ce2643962a51f98005b56fa6874ae8e0c35256d715e784703ff2d2cb273cf19d500316661d59ddc37a6712843781c504cef5
- SSDEEP
  
  3072:iS13dexXhf2hek4txILwTFnvt2c3Ek4oAJ/gDH9gzuaEgTsDz:iS1twl2he9RIc0kBzuu+s
Score

10^/10

blackmoon banker persistence trojan vmprotect
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Drops file in Drivers directory
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

blackmoonbankerpersistencetrojanvmprotect

behavioral2

blackmoonbankerpersistencetrojanvmprotect

© 2018-2024

Terms | Privacy