blackmoon | 86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2

General

Target

86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe
Size

131KB
MD5

d3723895ae8ed74410ef996de6c82c7f
SHA1

3c4aba83a38fa42d11896b1d10570d9b17cf693c
SHA256

86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2
SHA512

8f5e645e1ba6a23887479693f659ed64235f67406d7cd9c02bdd78830cf551036b0fea47db6b0a658483d0a8f27fc29ec59e99b943eac333f5b1553ce633938b
SSDEEP

3072:2b5CSaLbs4RHjVb2+OwZGC6+0Mm6cK2y5y5DmeffwHMICZzGWSS+pAboutj:2sBPzjVbSwZGCk6cDy+DmqfmsSStboSj

Score

10^/10

blackmoon banker persistence trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1064-59-0x0000000000400000-0x000000000043F000-memory.dmp	family_blackmoon

Drops file in Drivers directory 1 IoCs

Processes:

86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe

Executes dropped EXE 1 IoCs

Processes:

VnrYne173.exe

pid process

1744 VnrYne173.exe

pid	process
1744	VnrYne173.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

yara_rule
vmprotect
C:\Users\Admin\AppData\Local\Temp\7083662.txt	vmprotect
\Users\Admin\AppData\Local\Temp\7083662.txt	vmprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1652 cmd.exe

pid	process
1652	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exerundll32.exe

pid	process
1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe
1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe
1372	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Configuring = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\7083662.txt,M"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe

pid	process
1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe
1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe
1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe
1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

1372 rundll32.exe

pid	process
1372	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exeVnrYne173.exe

description	pid	process	target process
PID 1064 wrote to memory of 1744	1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe	VnrYne173.exe
PID 1064 wrote to memory of 1744	1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe	VnrYne173.exe
PID 1064 wrote to memory of 1744	1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe	VnrYne173.exe
PID 1064 wrote to memory of 1744	1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe	VnrYne173.exe
PID 1744 wrote to memory of 1372	1744	VnrYne173.exe	rundll32.exe
PID 1744 wrote to memory of 1372	1744	VnrYne173.exe	rundll32.exe
PID 1744 wrote to memory of 1372	1744	VnrYne173.exe	rundll32.exe
PID 1744 wrote to memory of 1372	1744	VnrYne173.exe	rundll32.exe
PID 1744 wrote to memory of 1372	1744	VnrYne173.exe	rundll32.exe
PID 1744 wrote to memory of 1372	1744	VnrYne173.exe	rundll32.exe
PID 1744 wrote to memory of 1372	1744	VnrYne173.exe	rundll32.exe
PID 1744 wrote to memory of 1376	1744	VnrYne173.exe	cmd.exe
PID 1744 wrote to memory of 1376	1744	VnrYne173.exe	cmd.exe
PID 1744 wrote to memory of 1376	1744	VnrYne173.exe	cmd.exe
PID 1744 wrote to memory of 1376	1744	VnrYne173.exe	cmd.exe
PID 1064 wrote to memory of 1652	1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe	cmd.exe
PID 1064 wrote to memory of 1652	1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe	cmd.exe
PID 1064 wrote to memory of 1652	1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe	cmd.exe
PID 1064 wrote to memory of 1652	1064	86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe
"C:\Users\Admin\AppData\Local\Temp\86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\7083662.txt,M
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\7083662.bat
3⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe"
2⤵
- Deletes itself
PID:1652

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7083662.bat
Filesize
132B

MD5
94c81f4fa825da5f7cd0ab04a1a57fe0

SHA1
5b47232a4a31c98c935112704c6a125a874d1a57

SHA256
413d25d0266693bcfc838d8abae2ff1990399728064f8fa486db7a4cbd2ea5bb

SHA512
a63d50b52405a8c8aeefb9db349838805ec7dd50598a5a558d923301ee00d61cc98df3fc71e716e81be38b017f0c9ee59def855e6a8a06f0d8d8c2e61c2a301c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7083662.txt
Filesize
105KB

MD5
b89a7dbe0cc3b12970215a02dfb49c6c

SHA1
ce545bc075ae333cde63460ef3c3c3e8f4649265

SHA256
036fd651bdf0549a766e1a045feca8c5071674758fcd77aff1d5b851d212cb52

SHA512
3881a0ee753a410aa9f5f8dcb154323f903caca9d1745ab650278fe6303e81cbe5c9cdb9c62ead36357ebec54050561fd2473fdbb139000fcbb85018f95948c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
Filesize
80.1MB

MD5
5fdbaa2d49424a48ddd895eff5e03ad6

SHA1
e053f3ff549bc7e33d2c2d58d586560c0d95bc53

SHA256
9c6f8626462b26e6d0c7adbd0f54bd885134f7f8401ef09db2e9241094466efe

SHA512
0ab72c453cde9b995e7a8511d9c73d4ffb13083ba87146e7d68569dcd9636db9fe9e9ad7e154626a0dc955b469b8f4f9ab81bc8128004225a13f29460ff93b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
Filesize
80.1MB

MD5
5fdbaa2d49424a48ddd895eff5e03ad6

SHA1
e053f3ff549bc7e33d2c2d58d586560c0d95bc53

SHA256
9c6f8626462b26e6d0c7adbd0f54bd885134f7f8401ef09db2e9241094466efe

SHA512
0ab72c453cde9b995e7a8511d9c73d4ffb13083ba87146e7d68569dcd9636db9fe9e9ad7e154626a0dc955b469b8f4f9ab81bc8128004225a13f29460ff93b9d

Download Submit
\Users\Admin\AppData\Local\Temp\7083662.txt
Filesize
105KB

MD5
b89a7dbe0cc3b12970215a02dfb49c6c

SHA1
ce545bc075ae333cde63460ef3c3c3e8f4649265

SHA256
036fd651bdf0549a766e1a045feca8c5071674758fcd77aff1d5b851d212cb52

SHA512
3881a0ee753a410aa9f5f8dcb154323f903caca9d1745ab650278fe6303e81cbe5c9cdb9c62ead36357ebec54050561fd2473fdbb139000fcbb85018f95948c2

Download Submit
\Users\Admin\AppData\Local\Temp\VnrYne173.exe
Filesize
80.1MB

MD5
5fdbaa2d49424a48ddd895eff5e03ad6

SHA1
e053f3ff549bc7e33d2c2d58d586560c0d95bc53

SHA256
9c6f8626462b26e6d0c7adbd0f54bd885134f7f8401ef09db2e9241094466efe

SHA512
0ab72c453cde9b995e7a8511d9c73d4ffb13083ba87146e7d68569dcd9636db9fe9e9ad7e154626a0dc955b469b8f4f9ab81bc8128004225a13f29460ff93b9d

Download Submit
\Users\Admin\AppData\Local\Temp\VnrYne173.exe
Filesize
80.1MB

MD5
5fdbaa2d49424a48ddd895eff5e03ad6

SHA1
e053f3ff549bc7e33d2c2d58d586560c0d95bc53

SHA256
9c6f8626462b26e6d0c7adbd0f54bd885134f7f8401ef09db2e9241094466efe

SHA512
0ab72c453cde9b995e7a8511d9c73d4ffb13083ba87146e7d68569dcd9636db9fe9e9ad7e154626a0dc955b469b8f4f9ab81bc8128004225a13f29460ff93b9d

Download Submit
memory/1064-61-0x000000000C0F0000-0x000000000D0F0000-memory.dmp

Filesize
16.0MB

Download
memory/1064-59-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1372-65-0x0000000000000000-mapping.dmp

Download
memory/1376-67-0x0000000000000000-mapping.dmp

Download
memory/1652-71-0x0000000000000000-mapping.dmp

Download
memory/1744-63-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1744-64-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/1744-62-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1744-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads