blackmoon | 40de407398fe8b3b4aecb085bef960e077ba061f10a208099500e87e994775b6

General

Target

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe
Size

232KB
MD5

511ef2a273cf6aa9ed79a5ba1d20732a
SHA1

b2973d6fa4e44bbd23b0dd8a59023da51255091f
SHA256

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19
SHA512

d8b7fde518e794f9d4066d548afd25fd2371300daa190572bd4c92306d0a637e5ae113b6cd29fdcb176c7ba7f60c0324a42a3d5423bd304e17c22d46a3592879
SSDEEP

3072:D3VmqeE1i0jbQEYvubUHVIHRvwtGyod8tEB1EpWtDiMNUavlm8+:D3VmqeE11jivGUHVUhyosGDiMb5

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\rnCgJYc.exe	family_blackmoon
C:\Windows\SysWOW64\rnCgJYc.exe	family_blackmoon
C:\Windows\SysWOW64\rnCgJYc.exe	family_blackmoon

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

848 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

rnCgJYc.exe

pid process

856 rnCgJYc.exe
Loads dropped DLL 1 IoCs

Processes:

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe

pid process

1064 08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe

pid	process
848	cmd.exe

pid	process
856	rnCgJYc.exe

pid	process
1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/856-60-0x0000000000450000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/856-61-0x0000000000450000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/856-79-0x00000000114F0000-0x00000000114FB000-memory.dmp	upx
behavioral1/memory/856-81-0x00000000114F0000-0x00000000114FB000-memory.dmp	upx
behavioral1/memory/856-110-0x00000000114F0000-0x00000000114FB000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rnCgJYc.exe	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe
File opened for modification	C:\Windows\SysWOW64\rnCgJYc.exe	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rnCgJYc.exe

pid process

856 rnCgJYc.exe

pid	process
856	rnCgJYc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exernCgJYc.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe
Token: SeDebugPrivilege	856	rnCgJYc.exe
Token: SeDebugPrivilege	856	rnCgJYc.exe
Token: SeDebugPrivilege	856	rnCgJYc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exernCgJYc.exe

pid process

1064 08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe
856 rnCgJYc.exe

pid	process
1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe
856	rnCgJYc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe

description	pid	process	target process
PID 1064 wrote to memory of 856	1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	rnCgJYc.exe
PID 1064 wrote to memory of 856	1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	rnCgJYc.exe
PID 1064 wrote to memory of 856	1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	rnCgJYc.exe
PID 1064 wrote to memory of 856	1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	rnCgJYc.exe
PID 1064 wrote to memory of 856	1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	rnCgJYc.exe
PID 1064 wrote to memory of 856	1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	rnCgJYc.exe
PID 1064 wrote to memory of 856	1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	rnCgJYc.exe
PID 1064 wrote to memory of 848	1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	cmd.exe
PID 1064 wrote to memory of 848	1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	cmd.exe
PID 1064 wrote to memory of 848	1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	cmd.exe
PID 1064 wrote to memory of 848	1064	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe
"C:\Users\Admin\AppData\Local\Temp\08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\rnCgJYc.exe
"C:\Windows\system32\rnCgJYc.exe" -auto
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\08DBD4~1.EXE > nul
2⤵
- Deletes itself
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rnCgJYc.exe
Filesize
232KB

MD5
511ef2a273cf6aa9ed79a5ba1d20732a

SHA1
b2973d6fa4e44bbd23b0dd8a59023da51255091f

SHA256
08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19

SHA512
d8b7fde518e794f9d4066d548afd25fd2371300daa190572bd4c92306d0a637e5ae113b6cd29fdcb176c7ba7f60c0324a42a3d5423bd304e17c22d46a3592879

Download Submit
C:\Windows\SysWOW64\rnCgJYc.exe
Filesize
232KB

MD5
511ef2a273cf6aa9ed79a5ba1d20732a

SHA1
b2973d6fa4e44bbd23b0dd8a59023da51255091f

SHA256
08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19

SHA512
d8b7fde518e794f9d4066d548afd25fd2371300daa190572bd4c92306d0a637e5ae113b6cd29fdcb176c7ba7f60c0324a42a3d5423bd304e17c22d46a3592879

Download Submit
\Windows\SysWOW64\rnCgJYc.exe
Filesize
232KB

MD5
511ef2a273cf6aa9ed79a5ba1d20732a

SHA1
b2973d6fa4e44bbd23b0dd8a59023da51255091f

SHA256
08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19

SHA512
d8b7fde518e794f9d4066d548afd25fd2371300daa190572bd4c92306d0a637e5ae113b6cd29fdcb176c7ba7f60c0324a42a3d5423bd304e17c22d46a3592879

Download Submit
memory/856-81-0x00000000114F0000-0x00000000114FB000-memory.dmp

Filesize
44KB

Download
memory/856-79-0x00000000114F0000-0x00000000114FB000-memory.dmp

Filesize
44KB

Download
memory/856-80-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/856-61-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/856-82-0x00000000114D0000-0x00000000114D1000-memory.dmp

Filesize
4KB

Download
memory/856-83-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/856-90-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/856-91-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/856-60-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/856-110-0x00000000114F0000-0x00000000114FB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads