blackmoon | c4b963d33c85443673d172e9b031fe7507e079f486b253ad086973583f7da110

General

Target

netbri.exe
Size

700KB
MD5

a165e1db0ff449c3752a6959598d925f
SHA1

f122e6063f883bd071d4eb19527fdb39ffbd8033
SHA256

e3998468214b36f97454b9b8fb698cf8afa374522d7663ca979fcf7dd86e427e
SHA512

9b7839e3e56039b62c0c94c8bcbd00f5c92f9613c1a605a3226d38646991d763c09787618314647c9dad94d39323bb1827710aa6eff43f85bd20e2a700b50455
SSDEEP

12288:DLnnGUbSWxIDCBoOd1x29v2aDpB9gf3XgaFN9gX08Oujawx021njLgnJRv:PnnGDWxImBoOd1xIv2ad/s3Xg4YE8O6o

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1692-65-0x0000000002A60000-0x0000000002FDA000-memory.dmp	family_blackmoon
behavioral1/memory/1692-73-0x0000000002A60000-0x0000000002FDA000-memory.dmp	family_blackmoon

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

netbri.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	netbri.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	netbri.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

netbri.exe

pid process

1692 netbri.exe
1692 netbri.exe
1692 netbri.exe
1692 netbri.exe

pid	process
1692	netbri.exe
1692	netbri.exe
1692	netbri.exe
1692	netbri.exe

C:\Users\Admin\AppData\Local\Temp\netbri.exe
"C:\Users\Admin\AppData\Local\Temp\netbri.exe"
1⤵
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1692-55-0x0000000004380000-0x00000000045A2000-memory.dmp

Filesize
2.1MB

Download
memory/1692-56-0x0000000004380000-0x00000000045A2000-memory.dmp

Filesize
2.1MB

Download
memory/1692-58-0x0000000004380000-0x00000000045A2000-memory.dmp

Filesize
2.1MB

Download
memory/1692-59-0x0000000004380000-0x00000000045A2000-memory.dmp

Filesize
2.1MB

Download
memory/1692-61-0x0000000004380000-0x00000000045A2000-memory.dmp

Filesize
2.1MB

Download
memory/1692-60-0x0000000004380000-0x00000000045A2000-memory.dmp

Filesize
2.1MB

Download
memory/1692-57-0x0000000004380000-0x00000000045A2000-memory.dmp

Filesize
2.1MB

Download
memory/1692-63-0x0000000004380000-0x00000000045A2000-memory.dmp

Filesize
2.1MB

Download
memory/1692-68-0x0000000003210000-0x0000000003368000-memory.dmp

Filesize
1.3MB

Download
memory/1692-69-0x0000000004380000-0x00000000045A2000-memory.dmp

Filesize
2.1MB

Download
memory/1692-67-0x0000000003100000-0x0000000003210000-memory.dmp

Filesize
1.1MB

Download
memory/1692-66-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/1692-65-0x0000000002A60000-0x0000000002FDA000-memory.dmp

Filesize
5.5MB

Download
memory/1692-64-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1692-62-0x0000000004380000-0x00000000045A2000-memory.dmp

Filesize
2.1MB

Download
memory/1692-71-0x0000000004380000-0x00000000045A2000-memory.dmp

Filesize
2.1MB

Download
memory/1692-72-0x0000000006110000-0x0000000006615000-memory.dmp

Filesize
5.0MB

Download
memory/1692-73-0x0000000002A60000-0x0000000002FDA000-memory.dmp

Filesize
5.5MB

Download
memory/1692-74-0x0000000003210000-0x0000000003368000-memory.dmp

Filesize
1.3MB

Download
memory/1692-75-0x0000000004380000-0x00000000045A2000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing