blackmoon | 9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740

General

Target

9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe
Size

3.5MB
MD5

1c2e452f45d96a90c0d7843801766cb5
SHA1

a5cc81e90afd167472979b2cb9d3fd937726ec52
SHA256

9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740
SHA512

42c4dabba18940a717804d366a5b5b7c424f96563c357a4b4a853ca82f92a4dde13dcfb8ecdf292cb8857ed3a64145ee5984179b8dfa06cb289c8e959d752ab2
SSDEEP

98304:raUUr8O9mnUpBfccAFN9ImRbuca1/gHpSwLzGxp2Ohcg:rms7an28N

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012023-1.dat	family_blackmoon
behavioral1/files/0x0009000000012023-4.dat	family_blackmoon
behavioral1/files/0x0009000000012023-5.dat	family_blackmoon
behavioral1/files/0x0009000000012023-6.dat	family_blackmoon
behavioral1/files/0x0009000000012023-8.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2032	CYBhvSBPLl.exe
2824	CYBhvSBPLl.exe
2124	CYBhvSBPLl.exe

Loads dropped DLL 2 IoCs

pid	Process
2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe
2824	CYBhvSBPLl.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2124-9-0x0000000000270000-0x000000000027B000-memory.dmp	upx
behavioral1/memory/2124-10-0x0000000000270000-0x000000000027B000-memory.dmp	upx
behavioral1/memory/2124-11-0x0000000000270000-0x000000000027B000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CYBhvSBPLl.exe	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe
File opened for modification	C:\Windows\SysWOW64\CYBhvSBPLl.exe	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe
2032	CYBhvSBPLl.exe
2824	CYBhvSBPLl.exe
2124	CYBhvSBPLl.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2032	2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe	28
PID 2264 wrote to memory of 2032	2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe	28
PID 2264 wrote to memory of 2032	2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe	28
PID 2264 wrote to memory of 2032	2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe	28
PID 2264 wrote to memory of 2032	2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe	28
PID 2264 wrote to memory of 2032	2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe	28
PID 2264 wrote to memory of 2032	2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe	28
PID 2264 wrote to memory of 2796	2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe	29
PID 2264 wrote to memory of 2796	2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe	29
PID 2264 wrote to memory of 2796	2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe	29
PID 2264 wrote to memory of 2796	2264	9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe	29
PID 2824 wrote to memory of 2124	2824	CYBhvSBPLl.exe	32
PID 2824 wrote to memory of 2124	2824	CYBhvSBPLl.exe	32
PID 2824 wrote to memory of 2124	2824	CYBhvSBPLl.exe	32
PID 2824 wrote to memory of 2124	2824	CYBhvSBPLl.exe	32
PID 2824 wrote to memory of 2124	2824	CYBhvSBPLl.exe	32
PID 2824 wrote to memory of 2124	2824	CYBhvSBPLl.exe	32
PID 2824 wrote to memory of 2124	2824	CYBhvSBPLl.exe	32

C:\Users\Admin\AppData\Local\Temp\9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe
"C:\Users\Admin\AppData\Local\Temp\9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\CYBhvSBPLl.exe
  -auto
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9D6051~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2796

C:\Windows\SysWOW64\CYBhvSBPLl.exe
C:\Windows\SysWOW64\CYBhvSBPLl.exe Service 1
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\CYBhvSBPLl.exe
  -OBJECT1
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CYBhvSBPLl.exe

Filesize
3.5MB

MD5
1c2e452f45d96a90c0d7843801766cb5

SHA1
a5cc81e90afd167472979b2cb9d3fd937726ec52

SHA256
9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740

SHA512
42c4dabba18940a717804d366a5b5b7c424f96563c357a4b4a853ca82f92a4dde13dcfb8ecdf292cb8857ed3a64145ee5984179b8dfa06cb289c8e959d752ab2

Download Submit
C:\Windows\SysWOW64\CYBhvSBPLl.exe

Filesize
3.5MB

MD5
1c2e452f45d96a90c0d7843801766cb5

SHA1
a5cc81e90afd167472979b2cb9d3fd937726ec52

SHA256
9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740

SHA512
42c4dabba18940a717804d366a5b5b7c424f96563c357a4b4a853ca82f92a4dde13dcfb8ecdf292cb8857ed3a64145ee5984179b8dfa06cb289c8e959d752ab2

Download Submit
C:\Windows\SysWOW64\CYBhvSBPLl.exe

Filesize
3.5MB

MD5
1c2e452f45d96a90c0d7843801766cb5

SHA1
a5cc81e90afd167472979b2cb9d3fd937726ec52

SHA256
9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740

SHA512
42c4dabba18940a717804d366a5b5b7c424f96563c357a4b4a853ca82f92a4dde13dcfb8ecdf292cb8857ed3a64145ee5984179b8dfa06cb289c8e959d752ab2

Download Submit
\Windows\SysWOW64\CYBhvSBPLl.exe

Filesize
3.5MB

MD5
1c2e452f45d96a90c0d7843801766cb5

SHA1
a5cc81e90afd167472979b2cb9d3fd937726ec52

SHA256
9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740

SHA512
42c4dabba18940a717804d366a5b5b7c424f96563c357a4b4a853ca82f92a4dde13dcfb8ecdf292cb8857ed3a64145ee5984179b8dfa06cb289c8e959d752ab2

Download Submit
\Windows\SysWOW64\CYBhvSBPLl.exe

Filesize
3.5MB

MD5
1c2e452f45d96a90c0d7843801766cb5

SHA1
a5cc81e90afd167472979b2cb9d3fd937726ec52

SHA256
9d605182e6306226a1f2b2bb59909fb778d06be6fbccb7f4bfc2355650dab740

SHA512
42c4dabba18940a717804d366a5b5b7c424f96563c357a4b4a853ca82f92a4dde13dcfb8ecdf292cb8857ed3a64145ee5984179b8dfa06cb289c8e959d752ab2

Download Submit
memory/2124-9-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download
memory/2124-10-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download
memory/2124-11-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing