General

  • Target

    86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2

  • Size

    131KB

  • Sample

    221129-g4tpcagc5s

  • MD5

    d3723895ae8ed74410ef996de6c82c7f

  • SHA1

    3c4aba83a38fa42d11896b1d10570d9b17cf693c

  • SHA256

    86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2

  • SHA512

    8f5e645e1ba6a23887479693f659ed64235f67406d7cd9c02bdd78830cf551036b0fea47db6b0a658483d0a8f27fc29ec59e99b943eac333f5b1553ce633938b

  • SSDEEP

    3072:2b5CSaLbs4RHjVb2+OwZGC6+0Mm6cK2y5y5DmeffwHMICZzGWSS+pAboutj:2sBPzjVbSwZGCk6cDy+DmqfmsSStboSj

Malware Config

Targets

    • Target

      86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2

    • Size

      131KB

    • MD5

      d3723895ae8ed74410ef996de6c82c7f

    • SHA1

      3c4aba83a38fa42d11896b1d10570d9b17cf693c

    • SHA256

      86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2

    • SHA512

      8f5e645e1ba6a23887479693f659ed64235f67406d7cd9c02bdd78830cf551036b0fea47db6b0a658483d0a8f27fc29ec59e99b943eac333f5b1553ce633938b

    • SSDEEP

      3072:2b5CSaLbs4RHjVb2+OwZGC6+0Mm6cK2y5y5DmeffwHMICZzGWSS+pAboutj:2sBPzjVbSwZGCk6cDy+DmqfmsSStboSj

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Drops file in Drivers directory

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Tasks