blackmoon | 8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8

General

Target

8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
Size

141KB
MD5

b87df20eda8aea1594ce221ee1fc550a
SHA1

a5e985819ed2be3433b7caa8901e2b6bcb237fc9
SHA256

8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8
SHA512

77a1c83ad951bde5561ae6377f91ce2643962a51f98005b56fa6874ae8e0c35256d715e784703ff2d2cb273cf19d500316661d59ddc37a6712843781c504cef5
SSDEEP

3072:iS13dexXhf2hek4txILwTFnvt2c3Ek4oAJ/gDH9gzuaEgTsDz:iS1twl2he9RIc0kBzuu+s

Score

10^/10

blackmoon banker persistence trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4200-132-0x0000000000400000-0x0000000000461000-memory.dmp	family_blackmoon
behavioral2/memory/4200-133-0x0000000000400000-0x0000000000461000-memory.dmp	family_blackmoon
behavioral2/memory/4200-134-0x0000000000400000-0x0000000000461000-memory.dmp	family_blackmoon

Drops file in Drivers directory 1 IoCs

Processes:

8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe

Executes dropped EXE 1 IoCs

Processes:

TuxYwz569.exe

pid process

2032 TuxYwz569.exe

pid	process
2032	TuxYwz569.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

yara_rule
vmprotect
C:\Users\Admin\AppData\Local\Temp\240578546.txt	vmprotect
C:\Users\Admin\AppData\Local\Temp\240578546.txt	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TuxYwz569.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	TuxYwz569.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3544 rundll32.exe

pid	process
3544	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Configuring = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\240578546.txt,M"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe

pid	process
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

3544 rundll32.exe

pid	process
3544	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exeTuxYwz569.exe

description	pid	process	target process
PID 4200 wrote to memory of 2032	4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe	TuxYwz569.exe
PID 4200 wrote to memory of 2032	4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe	TuxYwz569.exe
PID 4200 wrote to memory of 2032	4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe	TuxYwz569.exe
PID 2032 wrote to memory of 3544	2032	TuxYwz569.exe	rundll32.exe
PID 2032 wrote to memory of 3544	2032	TuxYwz569.exe	rundll32.exe
PID 2032 wrote to memory of 3544	2032	TuxYwz569.exe	rundll32.exe
PID 2032 wrote to memory of 524	2032	TuxYwz569.exe	cmd.exe
PID 2032 wrote to memory of 524	2032	TuxYwz569.exe	cmd.exe
PID 2032 wrote to memory of 524	2032	TuxYwz569.exe	cmd.exe
PID 4200 wrote to memory of 3808	4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe	cmd.exe
PID 4200 wrote to memory of 3808	4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe	cmd.exe
PID 4200 wrote to memory of 3808	4200	8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
"C:\Users\Admin\AppData\Local\Temp\8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\TuxYwz569.exe
C:\Users\Admin\AppData\Local\Temp\TuxYwz569.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\240578546.txt,M
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240578546.bat
3⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe"
2⤵
PID:3808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240578546.bat
Filesize
134B

MD5
24620b3413f719c3bdeb1e8db07a0884

SHA1
b1f1b2122aa0d9e472b30b0fc95108f0de6bd572

SHA256
a396ce3fff484e6f62f6ad562292ffe05b0259ae2dc4a997e3a4340fbe01fcbc

SHA512
59dc22f0ec4e0e56ad01dec815c909775f0a7fc4694ee3c28afdf52746eb892db47c7696bf3af86bde0fffc6a1004818feeaa74afb2fd2f5850cf0e906688bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\240578546.txt
Filesize
105KB

MD5
a7df87290a05904215cef9c89588b675

SHA1
b67c3c1c891cf7680729106d4c77b2c1cabe463b

SHA256
b993570b89ca3580c7078464231fe6a9823a80469b15b6c7bfdd0c8c410587ae

SHA512
2b1ee03fad425b652443b820411de573376a970e0cade80aed783192fb0c02a525372b460d4b47bfd503ef85091affc5ecec9d8757664eeaace4519ccdb38d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\240578546.txt
Filesize
105KB

MD5
a7df87290a05904215cef9c89588b675

SHA1
b67c3c1c891cf7680729106d4c77b2c1cabe463b

SHA256
b993570b89ca3580c7078464231fe6a9823a80469b15b6c7bfdd0c8c410587ae

SHA512
2b1ee03fad425b652443b820411de573376a970e0cade80aed783192fb0c02a525372b460d4b47bfd503ef85091affc5ecec9d8757664eeaace4519ccdb38d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\TuxYwz569.exe
Filesize
80.1MB

MD5
6c769718760dcdfef5fa626237aa63c6

SHA1
554565c6685bab8e1586ff57b99f065d63315b03

SHA256
53a8fbcada2c37034fc11669d06dd9eb151c4dc97582e332f27a5c7ffa68b6d4

SHA512
7d4162d011d33a169f371dc4706029d07d344bbbb130b7d5a8cb1c42a2610063aebb12102c5f5c9829a5bb14f3e8064d6aa119c4017267a12a8d41b233887c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\TuxYwz569.exe
Filesize
80.1MB

MD5
6c769718760dcdfef5fa626237aa63c6

SHA1
554565c6685bab8e1586ff57b99f065d63315b03

SHA256
53a8fbcada2c37034fc11669d06dd9eb151c4dc97582e332f27a5c7ffa68b6d4

SHA512
7d4162d011d33a169f371dc4706029d07d344bbbb130b7d5a8cb1c42a2610063aebb12102c5f5c9829a5bb14f3e8064d6aa119c4017267a12a8d41b233887c15

Download Submit
memory/524-145-0x0000000000000000-mapping.dmp

Download
memory/2032-138-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2032-139-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2032-142-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2032-143-0x000000000A560000-0x000000000A584000-memory.dmp

Filesize
144KB

Download
memory/2032-135-0x0000000000000000-mapping.dmp

Download
memory/3544-144-0x0000000000000000-mapping.dmp

Download
memory/3808-149-0x0000000000000000-mapping.dmp

Download
memory/4200-132-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4200-134-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4200-133-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads