blackmoon | 40de407398fe8b3b4aecb085bef960e077ba061f10a208099500e87e994775b6

General

Target

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe
Size

232KB
MD5

511ef2a273cf6aa9ed79a5ba1d20732a
SHA1

b2973d6fa4e44bbd23b0dd8a59023da51255091f
SHA256

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19
SHA512

d8b7fde518e794f9d4066d548afd25fd2371300daa190572bd4c92306d0a637e5ae113b6cd29fdcb176c7ba7f60c0324a42a3d5423bd304e17c22d46a3592879
SSDEEP

3072:D3VmqeE1i0jbQEYvubUHVIHRvwtGyod8tEB1EpWtDiMNUavlm8+:D3VmqeE11jivGUHVUhyosGDiMb5

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\rnCgJYc.exe	family_blackmoon
C:\Windows\SysWOW64\rnCgJYc.exe	family_blackmoon
C:\Windows\SysWOW64\rnCgJYc.exe	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe

Executes dropped EXE 1 IoCs

Processes:

rnCgJYc.exe

pid process

1676 rnCgJYc.exe

pid	process
1676	rnCgJYc.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1676-143-0x0000000001F90000-0x0000000001F9A000-memory.dmp	upx
behavioral2/memory/1676-144-0x0000000001F90000-0x0000000001F9A000-memory.dmp	upx
behavioral2/memory/1676-160-0x00000000127D0000-0x00000000127DB000-memory.dmp	upx
behavioral2/memory/1676-171-0x00000000127D0000-0x00000000127DB000-memory.dmp	upx
behavioral2/memory/1676-191-0x00000000127D0000-0x00000000127DB000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rnCgJYc.exe	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe
File opened for modification	C:\Windows\SysWOW64\rnCgJYc.exe	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rnCgJYc.exe

pid process

1676 rnCgJYc.exe
1676 rnCgJYc.exe

pid	process
1676	rnCgJYc.exe
1676	rnCgJYc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exernCgJYc.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3128	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe
Token: SeDebugPrivilege	1676	rnCgJYc.exe
Token: SeDebugPrivilege	1676	rnCgJYc.exe
Token: SeDebugPrivilege	1676	rnCgJYc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exernCgJYc.exe

pid process

3128 08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe
1676 rnCgJYc.exe

pid	process
3128	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe
1676	rnCgJYc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe

description	pid	process	target process
PID 3128 wrote to memory of 1676	3128	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	rnCgJYc.exe
PID 3128 wrote to memory of 1676	3128	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	rnCgJYc.exe
PID 3128 wrote to memory of 1676	3128	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	rnCgJYc.exe
PID 3128 wrote to memory of 1464	3128	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	cmd.exe
PID 3128 wrote to memory of 1464	3128	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	cmd.exe
PID 3128 wrote to memory of 1464	3128	08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe
"C:\Users\Admin\AppData\Local\Temp\08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\rnCgJYc.exe
"C:\Windows\system32\rnCgJYc.exe" -auto
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\08DBD4~1.EXE > nul
2⤵
PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rnCgJYc.exe
Filesize
232KB

MD5
511ef2a273cf6aa9ed79a5ba1d20732a

SHA1
b2973d6fa4e44bbd23b0dd8a59023da51255091f

SHA256
08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19

SHA512
d8b7fde518e794f9d4066d548afd25fd2371300daa190572bd4c92306d0a637e5ae113b6cd29fdcb176c7ba7f60c0324a42a3d5423bd304e17c22d46a3592879

Download Submit
C:\Windows\SysWOW64\rnCgJYc.exe
Filesize
232KB

MD5
511ef2a273cf6aa9ed79a5ba1d20732a

SHA1
b2973d6fa4e44bbd23b0dd8a59023da51255091f

SHA256
08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19

SHA512
d8b7fde518e794f9d4066d548afd25fd2371300daa190572bd4c92306d0a637e5ae113b6cd29fdcb176c7ba7f60c0324a42a3d5423bd304e17c22d46a3592879

Download Submit
C:\Windows\SysWOW64\rnCgJYc.exe
Filesize
232KB

MD5
511ef2a273cf6aa9ed79a5ba1d20732a

SHA1
b2973d6fa4e44bbd23b0dd8a59023da51255091f

SHA256
08dbd438e6da6ed529558bf13b17090346fc43c864aaa5981f4edabb15eb4e19

SHA512
d8b7fde518e794f9d4066d548afd25fd2371300daa190572bd4c92306d0a637e5ae113b6cd29fdcb176c7ba7f60c0324a42a3d5423bd304e17c22d46a3592879

Download Submit
memory/1676-144-0x0000000001F90000-0x0000000001F9A000-memory.dmp

Filesize
40KB

Download
memory/1676-160-0x00000000127D0000-0x00000000127DB000-memory.dmp

Filesize
44KB

Download
memory/1676-161-0x0000000012780000-0x0000000012781000-memory.dmp

Filesize
4KB

Download
memory/1676-143-0x0000000001F90000-0x0000000001F9A000-memory.dmp

Filesize
40KB

Download
memory/1676-170-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1676-171-0x00000000127D0000-0x00000000127DB000-memory.dmp

Filesize
44KB

Download
memory/1676-172-0x00000000127B0000-0x00000000127B1000-memory.dmp

Filesize
4KB

Download
memory/1676-173-0x00000000127A0000-0x00000000127A1000-memory.dmp

Filesize
4KB

Download
memory/1676-174-0x0000000012790000-0x0000000012791000-memory.dmp

Filesize
4KB

Download
memory/1676-191-0x00000000127D0000-0x00000000127DB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads