blackmoon | c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe

General

Target

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe
Size

3.1MB
MD5

dc624574ef8e4cb6a209144239a7f7cc
SHA1

20579df621fb9592da238eab9bc8b0c0f960dbb9
SHA256

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe
SHA512

45008753ca6aef84b82d1b0aebf19743d19af6c63716b32c223c3b3efb0e7ef1d8e78d5fcc2d8ba35f1b830890a85eed776aae5c6fa4c2ed026bca7191ef295d
SSDEEP

49152:n9s5LPkdVO3K46FKCSoJhMPmuYnH7mSl5cTsp/UJQyKnzZ/Yeco/rZj:+Z3K46FKDKMPMnHRcQqYZ

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	family_blackmoon
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	family_blackmoon
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	family_blackmoon
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	family_blackmoon
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	family_blackmoon

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

932 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

FUJwmMFELIEATkrTU.exeFUJwmMFELIEATkrTU.exeFUJwmMFELIEATkrTU.exe

pid process

3000 FUJwmMFELIEATkrTU.exe
1516 FUJwmMFELIEATkrTU.exe
2748 FUJwmMFELIEATkrTU.exe
Loads dropped DLL 1 IoCs

Processes:

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe

pid process

2572 c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe

pid	process
932	cmd.exe

pid	process
3000	FUJwmMFELIEATkrTU.exe
1516	FUJwmMFELIEATkrTU.exe
2748	FUJwmMFELIEATkrTU.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2748-63-0x0000000000360000-0x000000000036B000-memory.dmp	upx
behavioral1/memory/2748-62-0x0000000000360000-0x000000000036B000-memory.dmp	upx
behavioral1/memory/2748-66-0x00000000020D0000-0x00000000020DB000-memory.dmp	upx
behavioral1/memory/2748-102-0x0000000000360000-0x000000000036B000-memory.dmp	upx
behavioral1/memory/2748-105-0x00000000020D0000-0x00000000020DB000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe
File opened for modification	C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

FUJwmMFELIEATkrTU.exe

pid process

2748 FUJwmMFELIEATkrTU.exe
2748 FUJwmMFELIEATkrTU.exe
2748 FUJwmMFELIEATkrTU.exe
2748 FUJwmMFELIEATkrTU.exe

pid	process
2748	FUJwmMFELIEATkrTU.exe
2748	FUJwmMFELIEATkrTU.exe
2748	FUJwmMFELIEATkrTU.exe
2748	FUJwmMFELIEATkrTU.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exeFUJwmMFELIEATkrTU.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2572	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe
Token: SeDebugPrivilege	2748	FUJwmMFELIEATkrTU.exe
Token: SeDebugPrivilege	2748	FUJwmMFELIEATkrTU.exe
Token: SeDebugPrivilege	2748	FUJwmMFELIEATkrTU.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exeFUJwmMFELIEATkrTU.exeFUJwmMFELIEATkrTU.exeFUJwmMFELIEATkrTU.exe

pid	process
2572	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe
3000	FUJwmMFELIEATkrTU.exe
1516	FUJwmMFELIEATkrTU.exe
2748	FUJwmMFELIEATkrTU.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exeFUJwmMFELIEATkrTU.exe

description	pid	process	target process
PID 2572 wrote to memory of 3000	2572	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	FUJwmMFELIEATkrTU.exe
PID 2572 wrote to memory of 3000	2572	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	FUJwmMFELIEATkrTU.exe
PID 2572 wrote to memory of 3000	2572	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	FUJwmMFELIEATkrTU.exe
PID 2572 wrote to memory of 3000	2572	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	FUJwmMFELIEATkrTU.exe
PID 2572 wrote to memory of 932	2572	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	cmd.exe
PID 2572 wrote to memory of 932	2572	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	cmd.exe
PID 2572 wrote to memory of 932	2572	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	cmd.exe
PID 2572 wrote to memory of 932	2572	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	cmd.exe
PID 1516 wrote to memory of 2748	1516	FUJwmMFELIEATkrTU.exe	FUJwmMFELIEATkrTU.exe
PID 1516 wrote to memory of 2748	1516	FUJwmMFELIEATkrTU.exe	FUJwmMFELIEATkrTU.exe
PID 1516 wrote to memory of 2748	1516	FUJwmMFELIEATkrTU.exe	FUJwmMFELIEATkrTU.exe
PID 1516 wrote to memory of 2748	1516	FUJwmMFELIEATkrTU.exe	FUJwmMFELIEATkrTU.exe

C:\Users\Admin\AppData\Local\Temp\c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe
"C:\Users\Admin\AppData\Local\Temp\c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe
  -auto
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C7D30B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:932

C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe Service 1
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe
  -OBJECT1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe

Filesize
3.1MB

MD5
dc624574ef8e4cb6a209144239a7f7cc

SHA1
20579df621fb9592da238eab9bc8b0c0f960dbb9

SHA256
c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe

SHA512
45008753ca6aef84b82d1b0aebf19743d19af6c63716b32c223c3b3efb0e7ef1d8e78d5fcc2d8ba35f1b830890a85eed776aae5c6fa4c2ed026bca7191ef295d

Download Submit
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe

Filesize
3.1MB

MD5
dc624574ef8e4cb6a209144239a7f7cc

SHA1
20579df621fb9592da238eab9bc8b0c0f960dbb9

SHA256
c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe

SHA512
45008753ca6aef84b82d1b0aebf19743d19af6c63716b32c223c3b3efb0e7ef1d8e78d5fcc2d8ba35f1b830890a85eed776aae5c6fa4c2ed026bca7191ef295d

Download Submit
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe

Filesize
3.1MB

MD5
dc624574ef8e4cb6a209144239a7f7cc

SHA1
20579df621fb9592da238eab9bc8b0c0f960dbb9

SHA256
c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe

SHA512
45008753ca6aef84b82d1b0aebf19743d19af6c63716b32c223c3b3efb0e7ef1d8e78d5fcc2d8ba35f1b830890a85eed776aae5c6fa4c2ed026bca7191ef295d

Download Submit
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe

Filesize
3.1MB

MD5
dc624574ef8e4cb6a209144239a7f7cc

SHA1
20579df621fb9592da238eab9bc8b0c0f960dbb9

SHA256
c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe

SHA512
45008753ca6aef84b82d1b0aebf19743d19af6c63716b32c223c3b3efb0e7ef1d8e78d5fcc2d8ba35f1b830890a85eed776aae5c6fa4c2ed026bca7191ef295d

Download Submit
\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe

Filesize
3.1MB

MD5
dc624574ef8e4cb6a209144239a7f7cc

SHA1
20579df621fb9592da238eab9bc8b0c0f960dbb9

SHA256
c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe

SHA512
45008753ca6aef84b82d1b0aebf19743d19af6c63716b32c223c3b3efb0e7ef1d8e78d5fcc2d8ba35f1b830890a85eed776aae5c6fa4c2ed026bca7191ef295d

Download Submit
memory/2748-64-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2748-62-0x0000000000360000-0x000000000036B000-memory.dmp

Filesize
44KB

Download
memory/2748-66-0x00000000020D0000-0x00000000020DB000-memory.dmp

Filesize
44KB

Download
memory/2748-67-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2748-68-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2748-69-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2748-70-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2748-63-0x0000000000360000-0x000000000036B000-memory.dmp

Filesize
44KB

Download
memory/2748-102-0x0000000000360000-0x000000000036B000-memory.dmp

Filesize
44KB

Download
memory/2748-105-0x00000000020D0000-0x00000000020DB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads