blackmoon | ec36faf4a4d8329b10ac75b3b6c815cd041c62918eb1c9efb7adeea8e88e8744

General

Target

oreki.exe
Size

673KB
MD5

2284c315e2528e666ade79b75a0371cd
SHA1

47e5af85d7ee5f3742837fbfe7f088f954e4ccac
SHA256

ec36faf4a4d8329b10ac75b3b6c815cd041c62918eb1c9efb7adeea8e88e8744
SHA512

cc0b76f20e36fe8425742715f87a0364c371ca6b4557ad754a9b802cbaa556f59fa8d3adabdba0081f8ae64cdfe402104fa56822c5e76d06517c58fce28426a0
SSDEEP

12288:w4cVWcj9yXy13MiG6UvbZ61pccDFT0iqgsI8em8O+1qI:w4apyCOZuCc9LHm8O+

Score

10^/10

blackmoon banker trojan upx vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1716-56-0x0000000010000000-0x0000000010066000-memory.dmp	family_blackmoon
behavioral1/memory/1716-60-0x0000000002850000-0x0000000003250000-memory.dmp	family_blackmoon

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Drops startup file 1 IoCs

Processes:

oreki.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM_START.lnk oreki.exe
Executes dropped EXE 1 IoCs

Processes:

mjcqe

pid process

580 mjcqe
Loads dropped DLL 2 IoCs

Processes:

oreki.exemjcqe

pid process

1716 oreki.exe
580 mjcqe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM_START.lnk	oreki.exe

pid	process
580	mjcqe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1716-54-0x0000000000400000-0x000000000055F000-memory.dmp	upx
behavioral1/memory/1716-55-0x0000000000400000-0x000000000055F000-memory.dmp	upx
behavioral1/memory/1716-82-0x0000000000400000-0x000000000055F000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Public\Videos\VSTelem\pbswc\scrnshot.dll	vmprotect
\Users\Public\Videos\VSTelem\pbswc\Scrnshot.dll	vmprotect
behavioral1/memory/580-71-0x0000000010000000-0x000000001005F000-memory.dmp	vmprotect
behavioral1/memory/580-80-0x0000000010000000-0x000000001005F000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

oreki.exemjcqe

pid process

1716 oreki.exe
580 mjcqe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mjcqe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mjcqe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mjcqe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

oreki.exemjcqe

pid	process
1716	oreki.exe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe
580	mjcqe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

oreki.exe

description	pid	process	target process
PID 1716 wrote to memory of 580	1716	oreki.exe	mjcqe
PID 1716 wrote to memory of 580	1716	oreki.exe	mjcqe
PID 1716 wrote to memory of 580	1716	oreki.exe	mjcqe
PID 1716 wrote to memory of 580	1716	oreki.exe	mjcqe

C:\Users\Admin\AppData\Local\Temp\oreki.exe
"C:\Users\Admin\AppData\Local\Temp\oreki.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Public\Videos\VSTelem\pbswc\mjcqe
  C:\Users\Public\Videos\VSTelem\pbswc\mjcqe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Remote Desktop Protocol

1

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Videos\VSTelem\pbswc\Update.log

Filesize
73KB

MD5
f2756d32dec5f018dcef55d8b7b5662e

SHA1
cbde904b5a8a6da3df2e83ea3112c0e0aa8ebed8

SHA256
a3c23667f4801304183cd4c328d49cd0e4dedd552cf61c2a7be313403eddb189

SHA512
7f2978d94d316894a3de4e7e482adbfee18ef4691128536a27673927ab5a773dd54ba66e5e5bbb7da87b6a38b0040f65e52b048d85971d4427a6c97b159bbe49

Download Submit
C:\Users\Public\Videos\VSTelem\pbswc\mjcqe

Filesize
183KB

MD5
7c8270f9d0106ffaf862790f527737ce

SHA1
beab49677deb4ef1188294ef13b91f0b571f83c0

SHA256
0b87153beed1a7ac3f743f5117eea3f6c594774d77e7e0e36d82d9cc41dd9c87

SHA512
64da62c8ae3783349f85e27389f5596e925f5485b02f4290e85fae38bbb4aab4ee593dcb44738050bb7cfa43c5df70b65bb93a3aafc498c15ca163e03896c605

Download Submit
C:\Users\Public\Videos\VSTelem\pbswc\scrnshot.dll

Filesize
212KB

MD5
17114379bd336feaea221c091973516a

SHA1
1db8bc886e793b84ee6bd9d354c3253938c46b56

SHA256
63d5ff25d23bef01bd9717a6e5d203d59385d32e2518999ae4e20f9b7b283044

SHA512
ccf84b331ec713e6391407a17fb48a5e1cbc568840dccb0754dbd48997f911343bd0924ada844753c6787ec65271b00549c3e4e89d93c101677e18dfd40a79ee

Download Submit
\Users\Public\Videos\VSTelem\pbswc\Scrnshot.dll

Filesize
212KB

MD5
17114379bd336feaea221c091973516a

SHA1
1db8bc886e793b84ee6bd9d354c3253938c46b56

SHA256
63d5ff25d23bef01bd9717a6e5d203d59385d32e2518999ae4e20f9b7b283044

SHA512
ccf84b331ec713e6391407a17fb48a5e1cbc568840dccb0754dbd48997f911343bd0924ada844753c6787ec65271b00549c3e4e89d93c101677e18dfd40a79ee

Download Submit
\Users\Public\Videos\VSTelem\pbswc\mjcqe

Filesize
183KB

MD5
7c8270f9d0106ffaf862790f527737ce

SHA1
beab49677deb4ef1188294ef13b91f0b571f83c0

SHA256
0b87153beed1a7ac3f743f5117eea3f6c594774d77e7e0e36d82d9cc41dd9c87

SHA512
64da62c8ae3783349f85e27389f5596e925f5485b02f4290e85fae38bbb4aab4ee593dcb44738050bb7cfa43c5df70b65bb93a3aafc498c15ca163e03896c605

Download Submit
memory/580-71-0x0000000010000000-0x000000001005F000-memory.dmp

Filesize
380KB

Download
memory/580-73-0x00000000000A0000-0x00000000000CB000-memory.dmp

Filesize
172KB

Download
memory/580-80-0x0000000010000000-0x000000001005F000-memory.dmp

Filesize
380KB

Download
memory/580-81-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1716-60-0x0000000002850000-0x0000000003250000-memory.dmp

Filesize
10.0MB

Download
memory/1716-56-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1716-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1716-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1716-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads