blackmoon | f85493eb920b677f50fd08b754835dd40947baeced9ce7c2ab55a47f818502af | Triage

Submit
Reports

Overview

overview

Static

static

f85493eb92...af.exe

windows7-x64

f85493eb92...af.exe

windows10-2004-x64

Sharing

General

Target

f85493eb920b677f50fd08b754835dd40947baeced9ce7c2ab55a47f818502af
Size

141KB
Sample

221129-kq6zasgd2x
MD5

7caf6ee9eebf68f826380c415379cc4a
SHA1

7f1bce79857a2885cd8b0188951483466f5e4390
SHA256

f85493eb920b677f50fd08b754835dd40947baeced9ce7c2ab55a47f818502af
SHA512

ddca353eb7a473a24faacd41755395f3f6096f930c62ab51a845faf2a5742b508622b1e265954a30d6406eb350230aa2500bba167d36ff1d6674ad48cda32e51
SSDEEP

3072:sS13dexXhf2hek4txILwTFnvt2c3Ek4oAJ/gDH9gzuaEgTsDz:sS1twl2he9RIc0kBzuu+s

Score

10^/10

blackmoon banker persistence trojan vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

f85493eb920b677f50fd08b754835dd40947baeced9ce7c2ab55a47f818502af.exe

Resource

win7-20220812-en

blackmoon banker persistence trojan vmprotect

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

f85493eb920b677f50fd08b754835dd40947baeced9ce7c2ab55a47f818502af.exe

Resource

win10v2004-20220901-en

blackmoon banker persistence trojan vmprotect

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  f85493eb920b677f50fd08b754835dd40947baeced9ce7c2ab55a47f818502af
- Size
  
  141KB
- MD5
  
  7caf6ee9eebf68f826380c415379cc4a
- SHA1
  
  7f1bce79857a2885cd8b0188951483466f5e4390
- SHA256
  
  f85493eb920b677f50fd08b754835dd40947baeced9ce7c2ab55a47f818502af
- SHA512
  
  ddca353eb7a473a24faacd41755395f3f6096f930c62ab51a845faf2a5742b508622b1e265954a30d6406eb350230aa2500bba167d36ff1d6674ad48cda32e51
- SSDEEP
  
  3072:sS13dexXhf2hek4txILwTFnvt2c3Ek4oAJ/gDH9gzuaEgTsDz:sS1twl2he9RIc0kBzuu+s
Score

10^/10

blackmoon banker persistence trojan vmprotect
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Drops file in Drivers directory
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

blackmoonbankerpersistencetrojanvmprotect

behavioral2

blackmoonbankerpersistencetrojanvmprotect

© 2018-2024

Terms | Privacy