General

  • Target

    79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d

  • Size

    131KB

  • Sample

    221129-h6sqhage94

  • MD5

    9ec2385aa31573102fb1a53a283270e5

  • SHA1

    038483847c3d93d90c01fa4c0bb3e920e3e8aeda

  • SHA256

    79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d

  • SHA512

    4945d5aec4878eebe058d77287f226dd9264a1cc523fa8a531b8a1fc5bcf39a06d31fc37a37fe1c0e2403f13356ffdff30d8445ffaac8435e4e7c95fb3cdfd05

  • SSDEEP

    3072:Jb5CSaLbs4RHjVb2+OwZGC6+0Mm6cK2y5y5DmeffwHMICZzGWSS+pAboutj:JsBPzjVbSwZGCk6cDy+DmqfmsSStboSj

Malware Config

Targets

    • Target

      79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d

    • Size

      131KB

    • MD5

      9ec2385aa31573102fb1a53a283270e5

    • SHA1

      038483847c3d93d90c01fa4c0bb3e920e3e8aeda

    • SHA256

      79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d

    • SHA512

      4945d5aec4878eebe058d77287f226dd9264a1cc523fa8a531b8a1fc5bcf39a06d31fc37a37fe1c0e2403f13356ffdff30d8445ffaac8435e4e7c95fb3cdfd05

    • SSDEEP

      3072:Jb5CSaLbs4RHjVb2+OwZGC6+0Mm6cK2y5y5DmeffwHMICZzGWSS+pAboutj:JsBPzjVbSwZGCk6cDy+DmqfmsSStboSj

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Drops file in Drivers directory

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Tasks