blackmoon | aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7

General

Target

aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Size

2.0MB
MD5

cc888e112e6212bc0a77c5628ceb2e23
SHA1

7c16d0c6349af720642109c67435236a3239d273
SHA256

aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7
SHA512

3b6c1121eac1d9609e2e20f923d6b80020701402a70abd3eaa7c2dc8035b047ff011c057ff101e59e4f8dcffbdd4f486f9224fb5c2336163cb9771a0612b0557
SSDEEP

49152:P96pwkZmHLcZEQ8L09njnxvcjxFSKmQV00ObPT+Db0KZCgHk9:5okLcZEoZg3SV3+D4jn

Score

10^/10

blackmoon banker evasion trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\good\good.exe	family_blackmoon
C:\Users\Admin\Desktop\good\good.exe	family_blackmoon

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Executes dropped EXE 1 IoCs

Processes:

good.exe

pid process

1504 good.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

pid	process
1504	good.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3576-134-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-135-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-138-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-140-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-142-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-146-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-160-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-168-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-170-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-172-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-174-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-176-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-178-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3576-186-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Wine	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

pid process

3576 aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

pid	process
3576	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
3576	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

pid	process
3576	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
3576	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
3576	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
3576	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
3576	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

description	pid	process	target process
PID 3576 wrote to memory of 1504	3576	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe	good.exe
PID 3576 wrote to memory of 1504	3576	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe	good.exe
PID 3576 wrote to memory of 1504	3576	aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe	good.exe

C:\Users\Admin\AppData\Local\Temp\aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
"C:\Users\Admin\AppData\Local\Temp\aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\Desktop\good\good.exe
"C:\Users\Admin\Desktop\good\good.exe" i
2⤵
- Executes dropped EXE
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\good\cfg.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\good\good.exe
Filesize
107KB

MD5
446d420e57d1818aa690364f59a487c0

SHA1
627bb0a8f70bef07494a9e0c078b1659d23da8de

SHA256
ed303b005e5a2e39a4c58a17dec360eced3794d6b6aeaf963cb5ab77bc64490d

SHA512
9d447f71b4b788c51bcd2ee28ae2fc134972b89b983c2e4e69e392895f841d2b69f81b4e383d309e23b9b85c25162a0274f4cab8837d94c20b3c9435f8362ba3

Download Submit
C:\Users\Admin\Desktop\good\good.exe
Filesize
107KB

MD5
446d420e57d1818aa690364f59a487c0

SHA1
627bb0a8f70bef07494a9e0c078b1659d23da8de

SHA256
ed303b005e5a2e39a4c58a17dec360eced3794d6b6aeaf963cb5ab77bc64490d

SHA512
9d447f71b4b788c51bcd2ee28ae2fc134972b89b983c2e4e69e392895f841d2b69f81b4e383d309e23b9b85c25162a0274f4cab8837d94c20b3c9435f8362ba3

Download Submit
memory/1504-179-0x0000000000000000-mapping.dmp

Download
memory/3576-160-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-140-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-142-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-146-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-132-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/3576-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-138-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-168-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-170-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-172-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-174-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-176-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-177-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/3576-178-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-135-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-134-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3576-133-0x0000000077080000-0x0000000077223000-memory.dmp

Filesize
1.6MB

Download
memory/3576-183-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/3576-184-0x0000000077080000-0x0000000077223000-memory.dmp

Filesize
1.6MB

Download
memory/3576-185-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/3576-186-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads