blackmoon | 7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c

General

Target

7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe
Size

556KB
MD5

dd76ef9e2d63eb6fbea5db358e21f55d
SHA1

023bf61604ed3b47f9bfcf4a33dc24c3a5ad5ed9
SHA256

7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c
SHA512

bc5826bbcaf4d6bfb6b9a7d93d3a0907c0c9391c3716cd03fef0ff0b259dfbd8d36b044f13ce57f5731b77e11c249b55f7b8b97df4d10471f67778b12ac83d0a
SSDEEP

12288:ij9qk+AmzwPBJeh0F09hrYR5nWFpPoSFDV42/:ij9j+AmkPBgh0FMhvb7DV7

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/2840-51-0x0000000000400000-0x00000000004A4000-memory.dmp	family_blackmoon

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-1-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-0-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-2-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-3-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-5-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-7-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-9-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-11-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-13-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-15-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-17-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-19-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-21-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-33-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-43-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-41-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-39-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-37-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-35-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-31-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-29-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-27-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-25-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-23-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2084-49-0x0000000010000000-0x000000001003F000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 2840	2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe	31

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E403A1DFC8F377E0F4AA43A83EE9EA079A1F55F2	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E403A1DFC8F377E0F4AA43A83EE9EA079A1F55F2\Blob = 09000000010000004c000000304a060a2b0601040182370a0602060a2b0601040182370a060106082b0601050507030806082b0601050507030406082b0601050507030306082b0601050507030206082b060105050703015c000000010000000400000000100000030000000100000014000000e403a1dfc8f377e0f4aa43a83ee9ea079a1f55f219000000010000001000000079d8e39856b0540913defb485e73ed621400000001000000140000000525862f6536a1e59d9eca5c0919ad0e3d96261d0f000000010000001400000052bf462203121ab271f48ff1a32d373fd9f12399040000000100000010000000dc911e8da3a186bb4d52eec0e57b51555300000001000000230000003021301f060960864801a4a227020130123010060a2b0601040182373c0101030200c02000000001000000d3050000308205cf308203b7a00302010202041eb132d5300d06092a864886f70d01010505003076310b300906035504061302434e31233021060355040a0c1a4a656d6d794c6f76654a656e6e7920504b492053657276696365311e301c060355040b0c15706b692e6a656d6d796c6f76656a656e6e792e746b3122302006035504030c194a656d6d794c6f76654a656e6e7920455620526f6f742043413020170d3030303130313030303030305a180f32303939313233313233353935395a3076310b300906035504061302434e31233021060355040a0c1a4a656d6d794c6f76654a656e6e7920504b492053657276696365311e301c060355040b0c15706b692e6a656d6d796c6f76656a656e6e792e746b3122302006035504030c194a656d6d794c6f76654a656e6e7920455620526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100b5bf164ce267332d80ffed87e949041ea0b8dd6e4389cc2ece1e2606c7dc4085d75631f5bf99e3b60a4dbe48dc7337e8edc95dd02aca568a119c2884dd8cecd0c174585e1b6ec89e47f37f28626bb42abb0f7cb0ee0f25d11e268026937bfc4587de5d7cd89d9cd3fee634120724a3771d3dec3ba265398f84274bc72d683be7982706d99e24f4ffe84370fb7b0c8d56449c1bdb2d53ca85a55ea12b4cb65aa691fbbceb57c3cb924ded732c252a968069030dbd3a2bf0c8fa027b7ab6afc325b439d4edc7bad1d3e57dfa244705d36bae516daa94378ea3a87e54aad21deb547b1bc659ca611b05da6f473f6dedfc7616bb9a86838cb2b1be86ff2169d4bcc9078527fa4e579acfc1d649339751c2e6521432cf6b5f26666f2c732ec567a2f5c89f62a34b4a73352238b02d981eaf905c6a66ebe570b20d6ae57d978420f34ab679268d8910217031fa6c69831f485eab30c445789242977e2c9d2df3f0f1aa4ec0cae5612418ffdf0127b7d5809e7a1803121d5b0ff82537ab112a49d7946a51ec8c4691332d5ffa415471f2d95e104400776c21250ae00d587b233b22a596db169e0583c0027c59814544963e66a5eb293ea11523e338d924244bd36b6d27227eecf848c3aef39b756123595c646d36d6cdf570b72fe9fbef779e0afa1db7cf4cc81964b366441f8032337a328f3c988997d0a27d2d8dce891c221a514ab30203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604140525862f6536a1e59d9eca5c0919ad0e3d96261d301f0603551d230418301680140525862f6536a1e59d9eca5c0919ad0e3d96261d300d06092a864886f70d01010505000382020100ad21caaf24b3bfa5ae380783453b61419a4625b1adf976ca6ee77f802063842fd2ca4879ddf39df1a0ca779bb313fb86d1241607b6df5e868ad9cddb69e19baf3107c22cf951569dc8d5f89db4b4ab7b859b61482b10df9bfcce81c4f1b86c77d40a5ee2805a460dd0d6ea165f86e67085097d159090416b07de58ece97764bd1ab9d3c197d1e52aa132182f68fe1962f194b22e1a5a9d4d25c46c9e97a8a6fde4ec57296b4a509eb6dcc8be7b25ff104ef9892d413c93662351b7f3bab4725aaadd18adf65efba74224dbd1dd718356d68e205046d648ac74e11d3be7494d0dba37c51a467af57c721a25968ab1e6a48416009cfb2ac1c063245d93ec2459ac262778e907e4b9aa5bf666db808344c83857d632ae46fe2daba83d1497a155bb9da767ca7fe567b218dffda7aa61055501b2f515cd0fd8b830a67c82b765f52cf80f077ea177480395a29c8dbe9cd572715257a7cef58ad63218e05d16f0096bd496e12d17bf7790b9ddb6318fb91a2a3f3395dd55e4ba739c2c8d15442fbc8de41bade132d1a23fb5a2844e6b08062208f9191e1f3ca0a5504e07cf4b3f2baa683bdc0dc10a8a6631b3d46481641798a4a37b35ada800104d8bc70c0fc31f6615284cb1229592ee072139b6a15a8ad9e1a8135bb4fe7b426d5e69ca1a9a420d7ce3612490d4d9421835a89a05f14e3ca3fd987c51cd62f2926945cfbff32caa	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2840	2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe	31
PID 2084 wrote to memory of 2840	2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe	31
PID 2084 wrote to memory of 2840	2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe	31
PID 2084 wrote to memory of 2840	2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe	31
PID 2084 wrote to memory of 2840	2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe	31
PID 2084 wrote to memory of 2840	2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe	31
PID 2084 wrote to memory of 2840	2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe	31
PID 2084 wrote to memory of 2840	2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe	31
PID 2084 wrote to memory of 2840	2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe	31
PID 2084 wrote to memory of 2840	2084	7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe	31

C:\Users\Admin\AppData\Local\Temp\7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe
"C:\Users\Admin\AppData\Local\Temp\7b70bd346a0c3fa08c34589c0cefd13548e8229d81b46cc8603f5fd988015c0c.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\CertEnrollCtrl.exe
  "C:\Windows\SysWOW64\CertEnrollCtrl.exe"
  2⤵
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2084-43-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-31-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-2-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-3-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-5-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-7-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-9-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-11-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-13-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-15-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-17-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-19-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-21-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-33-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-0-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-39-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-1-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-37-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-35-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-41-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-29-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-27-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-25-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-23-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-44-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/2084-49-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2084-50-0x0000000000580000-0x000000000058D000-memory.dmp

Filesize
52KB

Download
memory/2084-53-0x0000000000580000-0x000000000058D000-memory.dmp

Filesize
52KB

Download
memory/2840-51-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download

Analysis

Sharing