blackmoon | d471801afc0d259453a702e6c39e3420650f84ec46d11f9f02fbf31981e40a58 | Triage

Submit
Reports

Overview

overview

Static

static

ef4121272b...83.exe

windows7-x64

ef4121272b...83.exe

windows10-2004-x64

Sharing

General

Target

9b738f674a2a254854151fa7b18e4a7e.bin
Size

1005KB
Sample

230719-cdyhdsfb67
MD5

79c2682839d134dc665acf2068e243bc
SHA1

5aeac73d30225b4641ad1631dd111a6dcfe86663
SHA256

d471801afc0d259453a702e6c39e3420650f84ec46d11f9f02fbf31981e40a58
SHA512

7ff3b8c2f1fe57bea8dd0b458387b85bbebb404eac2f2e800a5eb1f53986e8a1b1549ca9cdfff84c2942e0e608ae21774e0baa9b9a95c3ff9c3e5a73e7bfbe0b
SSDEEP

24576:yDxNdHspbjvGBZdyqbSkzstt88Kd13Y/zadTYLeKcfsZTLUiUv:QDdMxjvKbTSk0tJKfY/zITw2sZTfUv

Score

10^/10

blackmoon banker bootkit persistence trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

ef4121272bc4145be82dc33c67572981bbdfeb0c0d1941aa9a00e2a59b956883.exe

Resource

win7-20230712-en

blackmoon banker bootkit persistence trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

ef4121272bc4145be82dc33c67572981bbdfeb0c0d1941aa9a00e2a59b956883.exe

Resource

win10v2004-20230703-en

blackmoon banker bootkit persistence trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  ef4121272bc4145be82dc33c67572981bbdfeb0c0d1941aa9a00e2a59b956883.bin
- Size
  
  2.0MB
- MD5
  
  9b738f674a2a254854151fa7b18e4a7e
- SHA1
  
  c83df066d665312e5e5bbaeeb774550ece50a73d
- SHA256
  
  ef4121272bc4145be82dc33c67572981bbdfeb0c0d1941aa9a00e2a59b956883
- SHA512
  
  5c60adaf7a2d4a53fa7ddda416d42718a4313db8017ec08779a384d7a08337048ac8d39c07b37f417716fd7a35f9813bc5437516c775dc43400c401480b73383
- SSDEEP
  
  24576:PSH25PwcN2jx23LdZNtWFKVaIdaY5VFt1LuqJhDqGFeyUQPurCD8JYjSK5ECi:PlDoOTNtGKQIvfuRVy/Pur2Mgi
Score

10^/10

blackmoon banker bootkit persistence trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerbootkitpersistencetrojan

behavioral2

blackmoonbankerbootkitpersistencetrojan

© 2018-2024

Terms | Privacy