blackmoon | 93c4ed64dc4c94a5ee75d3b71bcd05779e6144ad3e16801d0c7dd6edcf33727f | Triage

Submit
Reports

Overview

overview

Static

static

93c4ed64dc...7f.exe

windows7-x64

93c4ed64dc...7f.exe

windows10-2004-x64

Sharing

General

Target

93c4ed64dc4c94a5ee75d3b71bcd05779e6144ad3e16801d0c7dd6edcf33727f
Size

129KB
Sample

221129-fwfxvaha39
MD5

32ceef1cc2a15e91db6645b0e1c94b54
SHA1

cf76717ac222d121d8ff7843627b1e31a21b8240
SHA256

93c4ed64dc4c94a5ee75d3b71bcd05779e6144ad3e16801d0c7dd6edcf33727f
SHA512

9385e85035d75519158123b8463c8f33599eef64bda32b526a5cd7ecd7b50a5bfaa1ccaba416ae1db08af344de64a98cc041a5dba9f724359c6336c23e3cfe2f
SSDEEP

3072:Z+WNkNXcl6hRICWl3BmFGTd2ko7o1jzzX5mTout:Z+WNOnh6CWl3VMbS3T8ToS

Score

10^/10

blackmoon banker persistence trojan vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

93c4ed64dc4c94a5ee75d3b71bcd05779e6144ad3e16801d0c7dd6edcf33727f.exe

Resource

win7-20220812-en

blackmoon banker persistence trojan vmprotect

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

93c4ed64dc4c94a5ee75d3b71bcd05779e6144ad3e16801d0c7dd6edcf33727f.exe

Resource

win10v2004-20220812-en

blackmoon banker persistence trojan vmprotect

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  93c4ed64dc4c94a5ee75d3b71bcd05779e6144ad3e16801d0c7dd6edcf33727f
- Size
  
  129KB
- MD5
  
  32ceef1cc2a15e91db6645b0e1c94b54
- SHA1
  
  cf76717ac222d121d8ff7843627b1e31a21b8240
- SHA256
  
  93c4ed64dc4c94a5ee75d3b71bcd05779e6144ad3e16801d0c7dd6edcf33727f
- SHA512
  
  9385e85035d75519158123b8463c8f33599eef64bda32b526a5cd7ecd7b50a5bfaa1ccaba416ae1db08af344de64a98cc041a5dba9f724359c6336c23e3cfe2f
- SSDEEP
  
  3072:Z+WNkNXcl6hRICWl3BmFGTd2ko7o1jzzX5mTout:Z+WNOnh6CWl3VMbS3T8ToS
Score

10^/10

blackmoon banker persistence trojan vmprotect
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies AppInit DLL entries
  persistence
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

blackmoonbankerpersistencetrojanvmprotect

behavioral2

blackmoonbankerpersistencetrojanvmprotect

© 2018-2024

Terms | Privacy