blackmoon | 0582b53407ec1509be024523fc82ac8a1d528bd670e931542f81dea17e347bc4 | Triage

Submit
Reports

Overview

overview

Static

static

7

1d381bb52634f826.exe

windows10-2004-x64

Sharing

General

Target

1d381bb52634f826.exe
Size

285KB
Sample

230616-h7zkfadc9z
MD5

e72c60640dbe31fce8b08d8190282763
SHA1

476fd543dbb50cd60ea189369cc5014c1b7811d4
SHA256

0582b53407ec1509be024523fc82ac8a1d528bd670e931542f81dea17e347bc4
SHA512

19a40c4ff023a8109bb9b9c5cadd3e5a1b257ecab5c53fe7bb07520f8e8984d6128bad68863b54a23cf1982a2b6e0ae7fedc8375fab4033a7eaf4436f0ee6b92
SSDEEP

6144:LMYVjTqJ0dIS8l2I9FIs5oGHs+xgjhK2BV+L0CNCWiZnDoS:LMYpqMIfTKd+xYBAL0CALDoS

Score

10^/10

blackmoon banker microsoft discovery persistence phishing trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

1d381bb52634f826.exe

Resource

win10v2004-20230220-en

blackmoon banker microsoft discovery persistence phishing trojan upx

windows10-2004-x64

39 signatures

1800 seconds

Malware Config

Targets

- Target
  
  1d381bb52634f826.exe
- Size
  
  285KB
- MD5
  
  e72c60640dbe31fce8b08d8190282763
- SHA1
  
  476fd543dbb50cd60ea189369cc5014c1b7811d4
- SHA256
  
  0582b53407ec1509be024523fc82ac8a1d528bd670e931542f81dea17e347bc4
- SHA512
  
  19a40c4ff023a8109bb9b9c5cadd3e5a1b257ecab5c53fe7bb07520f8e8984d6128bad68863b54a23cf1982a2b6e0ae7fedc8375fab4033a7eaf4436f0ee6b92
- SSDEEP
  
  6144:LMYVjTqJ0dIS8l2I9FIs5oGHs+xgjhK2BV+L0CNCWiZnDoS:LMYpqMIfTKd+xYBAL0CALDoS
Score

10^/10

blackmoon banker microsoft discovery persistence phishing trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Registers COM server for autorun
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

blackmoonbankermicrosoftdiscoverypersistencephishingtrojanupx

© 2018-2024

Terms | Privacy