blackmoon | 12a75c224552d98c859c0d2b993491979dfb4854a0579e6727d98ae07f0270de

General

Target

12a75c224552d98c859c0d2b993491979dfb4854a0579e6727d98ae07f0270de.exe
Size

614KB
MD5

cb7df596d90826c43af76345742176f4
SHA1

2f7922566545feb4ec8446aee509e7a2dece16ae
SHA256

12a75c224552d98c859c0d2b993491979dfb4854a0579e6727d98ae07f0270de
SHA512

467581592fd9da2bfe8ed5dbb276fe6779bcc5938db4c480dab7aeb6d32a1eb502b9018fd6c0320a5bf23079eb9f56546b0ef9011b2632a54685f0b6f8aff9dd
SSDEEP

12288:ybofM/YK57baXhauW703GH3MfQvUhJLeTruUo:y/X57baXhV32H0NteTrfo

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/4688-132-0x0000000000400000-0x00000000005A9200-memory.dmp	family_blackmoon
behavioral2/memory/4688-179-0x0000000000400000-0x00000000005A9200-memory.dmp	family_blackmoon

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4688-132-0x0000000000400000-0x00000000005A9200-memory.dmp	upx
behavioral2/memory/4688-133-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-135-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-136-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-137-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-138-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-140-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-142-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-144-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-146-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-148-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-150-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-152-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-154-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-156-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-158-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-160-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-162-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-164-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-166-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-168-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-170-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-172-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-174-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-176-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-178-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4688-179-0x0000000000400000-0x00000000005A9200-memory.dmp	upx
behavioral2/memory/4688-180-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2268	4688	WerFault.exe	82
1272	4688	WerFault.exe	82
1216	4688	WerFault.exe	82

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4688	12a75c224552d98c859c0d2b993491979dfb4854a0579e6727d98ae07f0270de.exe
4688	12a75c224552d98c859c0d2b993491979dfb4854a0579e6727d98ae07f0270de.exe
4688	12a75c224552d98c859c0d2b993491979dfb4854a0579e6727d98ae07f0270de.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 2268	4688	12a75c224552d98c859c0d2b993491979dfb4854a0579e6727d98ae07f0270de.exe	87
PID 4688 wrote to memory of 2268	4688	12a75c224552d98c859c0d2b993491979dfb4854a0579e6727d98ae07f0270de.exe	87
PID 4688 wrote to memory of 2268	4688	12a75c224552d98c859c0d2b993491979dfb4854a0579e6727d98ae07f0270de.exe	87

C:\Users\Admin\AppData\Local\Temp\12a75c224552d98c859c0d2b993491979dfb4854a0579e6727d98ae07f0270de.exe
"C:\Users\Admin\AppData\Local\Temp\12a75c224552d98c859c0d2b993491979dfb4854a0579e6727d98ae07f0270de.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 2140
  2⤵
  - Program crash
  PID:2268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 2140
  2⤵
  - Program crash
  PID:1272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 2140
  2⤵
  - Program crash
  PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4688 -ip 4688
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4688 -ip 4688
1⤵
PID:4364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4688-156-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-176-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-136-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-137-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-158-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-140-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-142-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-144-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-146-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-148-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-150-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-152-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-135-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-154-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-138-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-160-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-162-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-164-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-166-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-168-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-170-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-172-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-174-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-132-0x0000000000400000-0x00000000005A9200-memory.dmp

Filesize
1.7MB

Download
memory/4688-178-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-179-0x0000000000400000-0x00000000005A9200-memory.dmp

Filesize
1.7MB

Download
memory/4688-180-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-133-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing