blackmoon | c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe

General

Target

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe
Size

3.1MB
MD5

dc624574ef8e4cb6a209144239a7f7cc
SHA1

20579df621fb9592da238eab9bc8b0c0f960dbb9
SHA256

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe
SHA512

45008753ca6aef84b82d1b0aebf19743d19af6c63716b32c223c3b3efb0e7ef1d8e78d5fcc2d8ba35f1b830890a85eed776aae5c6fa4c2ed026bca7191ef295d
SSDEEP

49152:n9s5LPkdVO3K46FKCSoJhMPmuYnH7mSl5cTsp/UJQyKnzZ/Yeco/rZj:+Z3K46FKDKMPMnHRcQqYZ

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	family_blackmoon
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	family_blackmoon
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	family_blackmoon
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe

Executes dropped EXE 3 IoCs

Processes:

FUJwmMFELIEATkrTU.exeFUJwmMFELIEATkrTU.exeFUJwmMFELIEATkrTU.exe

pid process

2680 FUJwmMFELIEATkrTU.exe
4216 FUJwmMFELIEATkrTU.exe
224 FUJwmMFELIEATkrTU.exe

pid	process
2680	FUJwmMFELIEATkrTU.exe
4216	FUJwmMFELIEATkrTU.exe
224	FUJwmMFELIEATkrTU.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/224-140-0x0000000002310000-0x000000000231B000-memory.dmp	upx
behavioral2/memory/224-139-0x0000000002310000-0x000000000231B000-memory.dmp	upx
behavioral2/memory/224-143-0x0000000012DD0000-0x0000000012DDB000-memory.dmp	upx
behavioral2/memory/224-178-0x0000000002310000-0x000000000231B000-memory.dmp	upx
behavioral2/memory/224-183-0x0000000012DD0000-0x0000000012DDB000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe
File opened for modification	C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

FUJwmMFELIEATkrTU.exe

pid	process
224	FUJwmMFELIEATkrTU.exe
224	FUJwmMFELIEATkrTU.exe
224	FUJwmMFELIEATkrTU.exe
224	FUJwmMFELIEATkrTU.exe
224	FUJwmMFELIEATkrTU.exe
224	FUJwmMFELIEATkrTU.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exeFUJwmMFELIEATkrTU.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2508	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe
Token: SeDebugPrivilege	224	FUJwmMFELIEATkrTU.exe
Token: SeDebugPrivilege	224	FUJwmMFELIEATkrTU.exe
Token: SeDebugPrivilege	224	FUJwmMFELIEATkrTU.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exeFUJwmMFELIEATkrTU.exeFUJwmMFELIEATkrTU.exeFUJwmMFELIEATkrTU.exe

pid	process
2508	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe
2680	FUJwmMFELIEATkrTU.exe
4216	FUJwmMFELIEATkrTU.exe
224	FUJwmMFELIEATkrTU.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exeFUJwmMFELIEATkrTU.exe

description	pid	process	target process
PID 2508 wrote to memory of 2680	2508	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	FUJwmMFELIEATkrTU.exe
PID 2508 wrote to memory of 2680	2508	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	FUJwmMFELIEATkrTU.exe
PID 2508 wrote to memory of 2680	2508	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	FUJwmMFELIEATkrTU.exe
PID 2508 wrote to memory of 648	2508	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	cmd.exe
PID 2508 wrote to memory of 648	2508	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	cmd.exe
PID 2508 wrote to memory of 648	2508	c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe	cmd.exe
PID 4216 wrote to memory of 224	4216	FUJwmMFELIEATkrTU.exe	FUJwmMFELIEATkrTU.exe
PID 4216 wrote to memory of 224	4216	FUJwmMFELIEATkrTU.exe	FUJwmMFELIEATkrTU.exe
PID 4216 wrote to memory of 224	4216	FUJwmMFELIEATkrTU.exe	FUJwmMFELIEATkrTU.exe

C:\Users\Admin\AppData\Local\Temp\c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe
"C:\Users\Admin\AppData\Local\Temp\c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe
  -auto
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C7D30B~1.EXE > nul
  2⤵
  PID:648

C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe Service 1
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe
  -OBJECT1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe

Filesize
3.1MB

MD5
dc624574ef8e4cb6a209144239a7f7cc

SHA1
20579df621fb9592da238eab9bc8b0c0f960dbb9

SHA256
c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe

SHA512
45008753ca6aef84b82d1b0aebf19743d19af6c63716b32c223c3b3efb0e7ef1d8e78d5fcc2d8ba35f1b830890a85eed776aae5c6fa4c2ed026bca7191ef295d

Download Submit
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe

Filesize
3.1MB

MD5
dc624574ef8e4cb6a209144239a7f7cc

SHA1
20579df621fb9592da238eab9bc8b0c0f960dbb9

SHA256
c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe

SHA512
45008753ca6aef84b82d1b0aebf19743d19af6c63716b32c223c3b3efb0e7ef1d8e78d5fcc2d8ba35f1b830890a85eed776aae5c6fa4c2ed026bca7191ef295d

Download Submit
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe

Filesize
3.1MB

MD5
dc624574ef8e4cb6a209144239a7f7cc

SHA1
20579df621fb9592da238eab9bc8b0c0f960dbb9

SHA256
c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe

SHA512
45008753ca6aef84b82d1b0aebf19743d19af6c63716b32c223c3b3efb0e7ef1d8e78d5fcc2d8ba35f1b830890a85eed776aae5c6fa4c2ed026bca7191ef295d

Download Submit
C:\Windows\SysWOW64\FUJwmMFELIEATkrTU.exe

Filesize
3.1MB

MD5
dc624574ef8e4cb6a209144239a7f7cc

SHA1
20579df621fb9592da238eab9bc8b0c0f960dbb9

SHA256
c7d30b5ea07e7f38338401d6af2351330a71086e08301d32d1ad040c42b8c9fe

SHA512
45008753ca6aef84b82d1b0aebf19743d19af6c63716b32c223c3b3efb0e7ef1d8e78d5fcc2d8ba35f1b830890a85eed776aae5c6fa4c2ed026bca7191ef295d

Download Submit
memory/224-143-0x0000000012DD0000-0x0000000012DDB000-memory.dmp

Filesize
44KB

Download
memory/224-141-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/224-139-0x0000000002310000-0x000000000231B000-memory.dmp

Filesize
44KB

Download
memory/224-144-0x0000000012DB0000-0x0000000012DB1000-memory.dmp

Filesize
4KB

Download
memory/224-145-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/224-146-0x0000000012DA0000-0x0000000012DA1000-memory.dmp

Filesize
4KB

Download
memory/224-148-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/224-140-0x0000000002310000-0x000000000231B000-memory.dmp

Filesize
44KB

Download
memory/224-178-0x0000000002310000-0x000000000231B000-memory.dmp

Filesize
44KB

Download
memory/224-183-0x0000000012DD0000-0x0000000012DDB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads