blackmoon | f99644c9a3a55b452e7b020a013c68bc0d7b322f375f08fff1ebbf1bfdb414bd | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

f99644c9a3...bd.dll

windows7-x64

f99644c9a3...bd.dll

windows10-2004-x64

Sharing

General

Target

f99644c9a3a55b452e7b020a013c68bc0d7b322f375f08fff1ebbf1bfdb414bd
Size

2.2MB
Sample

230201-yv4avsbg62
MD5

229fe93e9fb01454b5f43ed1b919f74b
SHA1

39d53f9d310edf375c0e15be64ebc98db385f75a
SHA256

f99644c9a3a55b452e7b020a013c68bc0d7b322f375f08fff1ebbf1bfdb414bd
SHA512

a1acb895b4c933d61e2c23556cb718ccb5edd221d2a60ab1baf4fe9b9cc2ea0945b4b87878af2f7fac2453daebb114709c22fec5fd66740ec64e7ef2ca563f8c
SSDEEP

24576:oe1Trm3HUloRz6OwxWNdDCVcsgYXzu+6miipvHl30HCI7JsyPAinTtdYaSO/3DkY:oe5oMzWNNcQYSFAEJJki5OaAXtQl

Score

10^/10

blackmoon banker bootkit persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

f99644c9a3a55b452e7b020a013c68bc0d7b322f375f08fff1ebbf1bfdb414bd.dll

Resource

win7-20220812-en

blackmoon banker bootkit persistence trojan

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

f99644c9a3a55b452e7b020a013c68bc0d7b322f375f08fff1ebbf1bfdb414bd.dll

Resource

win10v2004-20220812-en

blackmoon banker bootkit persistence trojan

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Targets

- Target
  
  f99644c9a3a55b452e7b020a013c68bc0d7b322f375f08fff1ebbf1bfdb414bd
- Size
  
  2.2MB
- MD5
  
  229fe93e9fb01454b5f43ed1b919f74b
- SHA1
  
  39d53f9d310edf375c0e15be64ebc98db385f75a
- SHA256
  
  f99644c9a3a55b452e7b020a013c68bc0d7b322f375f08fff1ebbf1bfdb414bd
- SHA512
  
  a1acb895b4c933d61e2c23556cb718ccb5edd221d2a60ab1baf4fe9b9cc2ea0945b4b87878af2f7fac2453daebb114709c22fec5fd66740ec64e7ef2ca563f8c
- SSDEEP
  
  24576:oe1Trm3HUloRz6OwxWNdDCVcsgYXzu+6miipvHl30HCI7JsyPAinTtdYaSO/3DkY:oe5oMzWNNcQYSFAEJJki5OaAXtQl
Score

10^/10

blackmoon banker bootkit persistence trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Blocklisted process makes network request
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerbootkitpersistencetrojan

behavioral2

blackmoonbankerbootkitpersistencetrojan

© 2018-2025

Terms | Privacy