blackmoon | 6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812

General

Target

6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe
Size

1.0MB
MD5

bf28d733ee9004e60bb01193d1dfcc7c
SHA1

6ca57dd01c7de207daf2bd903f923b4905e3165d
SHA256

6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812
SHA512

f779a3150d5525a00b4dc6fc7406a3aae293d41a4625748da8e8771f9d5667de97e2a5e20e067998b86d6b7b37a7f495107c5ed93e006a76564de2dd3f733c64
SSDEEP

24576:4oKcMYyFjcKBXJqIGDpE0Dxtb1FQ7jhbc02obFAgvw9:QcNyVcKBX5GGSxtSbyeFAg

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

resource	yara_rule
behavioral2/memory/2168-10-0x0000000000400000-0x00000000007FE000-memory.dmp	family_blackmoon
behavioral2/memory/2168-11-0x0000000000400000-0x00000000007FE000-memory.dmp	family_blackmoon
behavioral2/memory/2168-12-0x0000000000400000-0x00000000007FE000-memory.dmp	family_blackmoon
behavioral2/memory/2748-16-0x0000000000400000-0x00000000007FE000-memory.dmp	family_blackmoon
behavioral2/memory/2168-18-0x0000000000400000-0x00000000007FE000-memory.dmp	family_blackmoon
behavioral2/memory/2168-20-0x0000000000400000-0x00000000007FE000-memory.dmp	family_blackmoon
behavioral2/memory/2748-21-0x0000000000400000-0x00000000007FE000-memory.dmp	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000231f9-13.dat	acprotect
behavioral2/files/0x00080000000231f9-14.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2168	explorer.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2748-0-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/memory/2168-2-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/memory/2168-3-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/memory/2168-4-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/memory/2168-8-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/memory/2168-9-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/memory/2168-10-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/memory/2168-11-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/memory/2168-12-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/files/0x00080000000231f9-13.dat	upx
behavioral2/memory/2168-15-0x0000000074BC0000-0x0000000074CCB000-memory.dmp	upx
behavioral2/files/0x00080000000231f9-14.dat	upx
behavioral2/memory/2748-16-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/memory/2168-18-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/memory/2168-19-0x0000000074BC0000-0x0000000074CCB000-memory.dmp	upx
behavioral2/memory/2168-20-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/memory/2748-21-0x0000000000400000-0x00000000007FE000-memory.dmp	upx
behavioral2/memory/2168-25-0x0000000074BC0000-0x0000000074CCB000-memory.dmp	upx
behavioral2/memory/2168-35-0x0000000074BC0000-0x0000000074CCB000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ExuiKrnln.dll	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe
File created	C:\Windows\SysWOW64\ExuiKrnln.dll	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2168	2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3224	2748	WerFault.exe	80
2552	2748	WerFault.exe	80

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\TypedURLs	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\TypedURLs	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe
2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe
2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe
2168	explorer.exe
2168	explorer.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2168	2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe	81
PID 2748 wrote to memory of 2168	2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe	81
PID 2748 wrote to memory of 2168	2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe	81
PID 2748 wrote to memory of 2168	2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe	81
PID 2748 wrote to memory of 2168	2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe	81
PID 2748 wrote to memory of 2168	2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe	81
PID 2748 wrote to memory of 2168	2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe	81
PID 2748 wrote to memory of 2168	2748	6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe	81
PID 2168 wrote to memory of 1292	2168	explorer.exe	83
PID 2168 wrote to memory of 1292	2168	explorer.exe	83
PID 2168 wrote to memory of 1292	2168	explorer.exe	83

C:\Users\Admin\AppData\Local\Temp\6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe
"C:\Users\Admin\AppData\Local\Temp\6198c96769b99e9325d918ef6e89793472b0acff37ebbc176791547c3b807812.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1080
  2⤵
  - Program crash
  PID:3224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 2044
  2⤵
  - Program crash
  PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2748 -ip 2748
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2748 -ip 2748
1⤵
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ExuiKrnln.dll

Filesize
328KB

MD5
6b0c10b774ee6dbcf0e4bd1557e7160b

SHA1
98e5502f0cb27e355062e8fa0b9aad80e5c0bbad

SHA256
335722b2684ffeac668ed8e9d7d582a395f9fc3d13f552f07c5d3ec7f025890f

SHA512
a44729fad75a090e4b3a0a4211ded10ef8ec499a7479efd2e3e6c448a3c625073b88e9e2c63c943f2fbcd9605aa9cc3cb1176a2ad61d91f22c4116948d66decf

Download Submit
C:\Windows\SysWOW64\ExuiKrnln.dll

Filesize
328KB

MD5
6b0c10b774ee6dbcf0e4bd1557e7160b

SHA1
98e5502f0cb27e355062e8fa0b9aad80e5c0bbad

SHA256
335722b2684ffeac668ed8e9d7d582a395f9fc3d13f552f07c5d3ec7f025890f

SHA512
a44729fad75a090e4b3a0a4211ded10ef8ec499a7479efd2e3e6c448a3c625073b88e9e2c63c943f2fbcd9605aa9cc3cb1176a2ad61d91f22c4116948d66decf

Download Submit
memory/2168-12-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2168-2-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2168-8-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2168-9-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2168-10-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2168-11-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2168-35-0x0000000074BC0000-0x0000000074CCB000-memory.dmp

Filesize
1.0MB

Download
memory/2168-3-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2168-15-0x0000000074BC0000-0x0000000074CCB000-memory.dmp

Filesize
1.0MB

Download
memory/2168-4-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2168-25-0x0000000074BC0000-0x0000000074CCB000-memory.dmp

Filesize
1.0MB

Download
memory/2168-18-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2168-19-0x0000000074BC0000-0x0000000074CCB000-memory.dmp

Filesize
1.0MB

Download
memory/2168-20-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2748-21-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2748-16-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2748-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing