blackmoon | 1989d2f3db46b9c5c949f4b8498cda2a2fde7b08e4c5d1267950debe82daa2fc

General

Target

5ac529b84bed8f7e3428245e47a78667.exe
Size

277KB
MD5

5ac529b84bed8f7e3428245e47a78667
SHA1

3da3922f429143ccb6d0c3224e3d189c9bb31fa6
SHA256

1989d2f3db46b9c5c949f4b8498cda2a2fde7b08e4c5d1267950debe82daa2fc
SHA512

1093d5ddb6c4834b0b8389dc9fa648aad37ab9b170c908e6b9bb37354e1b3906db0b8485a44ab3b0a545bbe2868bfe6229488830b9c925c26f3a78bd83166962
SSDEEP

6144:sbFMvcdKa1rEgjpI+tK9/DYag1dNqaFm:sbFMEdKa1Jjl89/DYayT

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 12 IoCs

resource	yara_rule
behavioral1/memory/2008-60-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral1/memory/2008-62-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral1/memory/2008-65-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral1/memory/2008-68-0x0000000010000000-0x0000000010062000-memory.dmp	family_blackmoon
behavioral1/memory/2008-69-0x0000000010000000-0x0000000010062000-memory.dmp	family_blackmoon
behavioral1/memory/2008-70-0x0000000010000000-0x0000000010062000-memory.dmp	family_blackmoon
behavioral1/memory/2008-71-0x0000000000020000-0x0000000000037000-memory.dmp	family_blackmoon
behavioral1/memory/2008-78-0x0000000010000000-0x0000000010062000-memory.dmp	family_blackmoon
behavioral1/memory/2008-79-0x0000000010000000-0x0000000010062000-memory.dmp	family_blackmoon
behavioral1/memory/2008-103-0x0000000002FC0000-0x0000000003014000-memory.dmp	family_blackmoon
behavioral1/memory/2008-107-0x00000000036A0000-0x0000000003728000-memory.dmp	family_blackmoon
behavioral1/memory/2008-120-0x0000000010000000-0x0000000010062000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2008	svchost.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2008-66-0x0000000010000000-0x0000000010062000-memory.dmp	upx
behavioral1/memory/2008-68-0x0000000010000000-0x0000000010062000-memory.dmp	upx
behavioral1/memory/2008-69-0x0000000010000000-0x0000000010062000-memory.dmp	upx
behavioral1/memory/2008-70-0x0000000010000000-0x0000000010062000-memory.dmp	upx
behavioral1/memory/2008-74-0x0000000000320000-0x00000000003A9000-memory.dmp	upx
behavioral1/memory/2008-75-0x0000000000320000-0x00000000003A9000-memory.dmp	upx
behavioral1/memory/2008-77-0x0000000000320000-0x00000000003A9000-memory.dmp	upx
behavioral1/memory/2008-78-0x0000000010000000-0x0000000010062000-memory.dmp	upx
behavioral1/memory/2008-79-0x0000000010000000-0x0000000010062000-memory.dmp	upx
behavioral1/memory/2008-110-0x0000000003730000-0x00000000037B9000-memory.dmp	upx
behavioral1/memory/2008-111-0x0000000003730000-0x00000000037B9000-memory.dmp	upx
behavioral1/memory/2008-113-0x0000000003730000-0x00000000037B9000-memory.dmp	upx
behavioral1/memory/2008-120-0x0000000010000000-0x0000000010062000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 2008	2004	5ac529b84bed8f7e3428245e47a78667.exe	27

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	svchost.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	5ac529b84bed8f7e3428245e47a78667.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2008	svchost.exe
2008	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2008	2004	5ac529b84bed8f7e3428245e47a78667.exe	27
PID 2004 wrote to memory of 2008	2004	5ac529b84bed8f7e3428245e47a78667.exe	27
PID 2004 wrote to memory of 2008	2004	5ac529b84bed8f7e3428245e47a78667.exe	27
PID 2004 wrote to memory of 2008	2004	5ac529b84bed8f7e3428245e47a78667.exe	27
PID 2004 wrote to memory of 2008	2004	5ac529b84bed8f7e3428245e47a78667.exe	27
PID 2004 wrote to memory of 2008	2004	5ac529b84bed8f7e3428245e47a78667.exe	27
PID 2004 wrote to memory of 2008	2004	5ac529b84bed8f7e3428245e47a78667.exe	27
PID 2004 wrote to memory of 2008	2004	5ac529b84bed8f7e3428245e47a78667.exe	27
PID 2004 wrote to memory of 2008	2004	5ac529b84bed8f7e3428245e47a78667.exe	27
PID 2004 wrote to memory of 2008	2004	5ac529b84bed8f7e3428245e47a78667.exe	27

C:\Users\Admin\AppData\Local\Temp\5ac529b84bed8f7e3428245e47a78667.exe
"C:\Users\Admin\AppData\Local\Temp\5ac529b84bed8f7e3428245e47a78667.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- \??\c:\windows\syswow64\svchost.exe
  c:\windows\syswow64\svchost.exe
  2⤵
  - Deletes itself
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-56-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2008-55-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2008-54-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2008-58-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2008-60-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2008-62-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2008-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-65-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2008-66-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2008-68-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2008-69-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2008-70-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2008-71-0x0000000000020000-0x0000000000037000-memory.dmp

Filesize
92KB

Download
memory/2008-74-0x0000000000320000-0x00000000003A9000-memory.dmp

Filesize
548KB

Download
memory/2008-75-0x0000000000320000-0x00000000003A9000-memory.dmp

Filesize
548KB

Download
memory/2008-77-0x0000000000320000-0x00000000003A9000-memory.dmp

Filesize
548KB

Download
memory/2008-78-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2008-79-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2008-98-0x00000000008C0000-0x00000000009C0000-memory.dmp

Filesize
1024KB

Download
memory/2008-97-0x00000000008C0000-0x00000000009C0000-memory.dmp

Filesize
1024KB

Download
memory/2008-103-0x0000000002FC0000-0x0000000003014000-memory.dmp

Filesize
336KB

Download
memory/2008-107-0x00000000036A0000-0x0000000003728000-memory.dmp

Filesize
544KB

Download
memory/2008-110-0x0000000003730000-0x00000000037B9000-memory.dmp

Filesize
548KB

Download
memory/2008-111-0x0000000003730000-0x00000000037B9000-memory.dmp

Filesize
548KB

Download
memory/2008-113-0x0000000003730000-0x00000000037B9000-memory.dmp

Filesize
548KB

Download
memory/2008-120-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2008-122-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing