General

  • Target

    1d381bb52634f826.exe

  • Size

    285KB

  • Sample

    230616-kbqzjadh79

  • MD5

    e72c60640dbe31fce8b08d8190282763

  • SHA1

    476fd543dbb50cd60ea189369cc5014c1b7811d4

  • SHA256

    0582b53407ec1509be024523fc82ac8a1d528bd670e931542f81dea17e347bc4

  • SHA512

    19a40c4ff023a8109bb9b9c5cadd3e5a1b257ecab5c53fe7bb07520f8e8984d6128bad68863b54a23cf1982a2b6e0ae7fedc8375fab4033a7eaf4436f0ee6b92

  • SSDEEP

    6144:LMYVjTqJ0dIS8l2I9FIs5oGHs+xgjhK2BV+L0CNCWiZnDoS:LMYpqMIfTKd+xYBAL0CALDoS

Malware Config

Targets

    • Target

      1d381bb52634f826.exe

    • Size

      285KB

    • MD5

      e72c60640dbe31fce8b08d8190282763

    • SHA1

      476fd543dbb50cd60ea189369cc5014c1b7811d4

    • SHA256

      0582b53407ec1509be024523fc82ac8a1d528bd670e931542f81dea17e347bc4

    • SHA512

      19a40c4ff023a8109bb9b9c5cadd3e5a1b257ecab5c53fe7bb07520f8e8984d6128bad68863b54a23cf1982a2b6e0ae7fedc8375fab4033a7eaf4436f0ee6b92

    • SSDEEP

      6144:LMYVjTqJ0dIS8l2I9FIs5oGHs+xgjhK2BV+L0CNCWiZnDoS:LMYpqMIfTKd+xYBAL0CALDoS

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks