blackmoon | 803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8

General

Target

803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe
Size

739KB
MD5

416820bf37862a1162d85d9470d927d0
SHA1

376ca85ad426c47f6f4b1c8e8d897e3f2d7f4fc1
SHA256

803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8
SHA512

f856b25c33c474c2bbbdea4da52ac7e43e9a852b9e15d49859fcd6962c1f896f239c270ef6367e659e42a0357015d6b9e1f368c9d4a3781619cb15e633f65ba6
SSDEEP

12288:iJ+sfkS6arVI34ShtmhmTkzkukqeub91ljUuuzj1WPCQfW:YkJ7hghmKklub916dHzQO

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/848-63-0x0000000000400000-0x0000000000589000-memory.dmp	family_blackmoon
behavioral1/memory/848-65-0x0000000000400000-0x0000000000589000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
848	explorer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122ef-57.dat	upx
behavioral1/files/0x000b0000000122ef-61.dat	upx
behavioral1/files/0x000b0000000122ef-58.dat	upx
behavioral1/memory/848-63-0x0000000000400000-0x0000000000589000-memory.dmp	upx
behavioral1/memory/848-65-0x0000000000400000-0x0000000000589000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1616	803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe
1616	803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1616	803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe
1616	803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe
848	explorer.exe
848	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 1552	1616	803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe	28
PID 1616 wrote to memory of 1552	1616	803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe	28
PID 1616 wrote to memory of 1552	1616	803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe	28
PID 1616 wrote to memory of 1552	1616	803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe	28
PID 1616 wrote to memory of 848	1616	803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe	29
PID 1616 wrote to memory of 848	1616	803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe	29
PID 1616 wrote to memory of 848	1616	803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe	29
PID 1616 wrote to memory of 848	1616	803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe	29

C:\Users\Admin\AppData\Local\Temp\803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe
"C:\Users\Admin\AppData\Local\Temp\803f49e8f4f7873ba236fa2cda24a7134d5763eef297a5dfb4aba5f26051b3a8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
405KB

MD5
87c6fd1725c489aeca28e08e38ac8d33

SHA1
b519a83832fc882bb3644722cbe7576dfa310cdd

SHA256
0dc56e2f96b814a48c8e1587677c4639a71a76ecdce8652b0d6df62077524012

SHA512
a5bca71f12afe28b236370b2efa228d2572840fd6570fb7dfd00e01b7f84f8b6b5f0fbe4aa8498a59093d30a30b99660b29a7310376e4841606cbfdfbf45c551

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
405KB

MD5
87c6fd1725c489aeca28e08e38ac8d33

SHA1
b519a83832fc882bb3644722cbe7576dfa310cdd

SHA256
0dc56e2f96b814a48c8e1587677c4639a71a76ecdce8652b0d6df62077524012

SHA512
a5bca71f12afe28b236370b2efa228d2572840fd6570fb7dfd00e01b7f84f8b6b5f0fbe4aa8498a59093d30a30b99660b29a7310376e4841606cbfdfbf45c551

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
405KB

MD5
87c6fd1725c489aeca28e08e38ac8d33

SHA1
b519a83832fc882bb3644722cbe7576dfa310cdd

SHA256
0dc56e2f96b814a48c8e1587677c4639a71a76ecdce8652b0d6df62077524012

SHA512
a5bca71f12afe28b236370b2efa228d2572840fd6570fb7dfd00e01b7f84f8b6b5f0fbe4aa8498a59093d30a30b99660b29a7310376e4841606cbfdfbf45c551

Download Submit
memory/848-59-0x0000000000000000-mapping.dmp

Download
memory/848-63-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/848-65-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1616-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1616-56-0x00000000002C0000-0x00000000002C4000-memory.dmp

Filesize
16KB

Download
memory/1616-60-0x0000000002220000-0x00000000023A9000-memory.dmp

Filesize
1.5MB

Download
memory/1616-55-0x0000000000400000-0x000000000051938C-memory.dmp

Filesize
1.1MB

Download
memory/1616-64-0x0000000000400000-0x000000000051938C-memory.dmp

Filesize
1.1MB

Download
memory/1616-66-0x0000000000400000-0x000000000051938C-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing