blackmoon | 23f1e7cfc8cf536e194cc5f7802ba714663c157a7f4c9128bae0c28796160be4 | Triage

Submit
Reports

Overview

overview

Static

static

3

23f1e7cfc8...e4.exe

windows7-x64

3

23f1e7cfc8...e4.exe

windows10-2004-x64

Sharing

General

Target

23f1e7cfc8cf536e194cc5f7802ba714663c157a7f4c9128bae0c28796160be4
Size

3.3MB
Sample

231001-bqfmnshg32
MD5

6db9897cb3dc1481f8bfdbd04605248c
SHA1

d1bc953ec6d73a45cc81acfe229cc93accd8cae9
SHA256

23f1e7cfc8cf536e194cc5f7802ba714663c157a7f4c9128bae0c28796160be4
SHA512

e7e28eec705101628358145ec6425b151d6bd4b88db9762d3460e6ff2a32eeb80497b57e94564a6016266a0abce337e88155b211cead842a07da851abda64d0d
SSDEEP

49152:+hKsq/yGfE++k/xdQ95plG4CbTZr39MemijbHJjpapR9qRs3UzSrrf0k:IkBm95plG4CXBFjpapR9jr7

Score

10^/10

blackmoon sality backdoor banker evasion persistence trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

23f1e7cfc8cf536e194cc5f7802ba714663c157a7f4c9128bae0c28796160be4.exe

Resource

win7-20230831-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

23f1e7cfc8cf536e194cc5f7802ba714663c157a7f4c9128bae0c28796160be4.exe

Resource

win10v2004-20230915-en

blackmoon sality backdoor banker evasion persistence trojan upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

- Target
  
  23f1e7cfc8cf536e194cc5f7802ba714663c157a7f4c9128bae0c28796160be4
- Size
  
  3.3MB
- MD5
  
  6db9897cb3dc1481f8bfdbd04605248c
- SHA1
  
  d1bc953ec6d73a45cc81acfe229cc93accd8cae9
- SHA256
  
  23f1e7cfc8cf536e194cc5f7802ba714663c157a7f4c9128bae0c28796160be4
- SHA512
  
  e7e28eec705101628358145ec6425b151d6bd4b88db9762d3460e6ff2a32eeb80497b57e94564a6016266a0abce337e88155b211cead842a07da851abda64d0d
- SSDEEP
  
  49152:+hKsq/yGfE++k/xdQ95plG4CbTZr39MemijbHJjpapR9qRs3UzSrrf0k:IkBm95plG4CXBFjpapR9jr7
Score

10^/10

blackmoon sality backdoor banker evasion persistence trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Modifies firewall policy service
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

blackmoonsalitybackdoorbankerevasionpersistencetrojanupx

© 2018-2025

Terms | Privacy