blackmoon | c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c

General

Target

c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c.exe
Size

15.6MB
MD5

a0baacbcf9d29230b71b8ba73e81d745
SHA1

8a6da2b6c687e40dc806a5012b6ee931269474c7
SHA256

c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c
SHA512

c682a3f9fdc78f8bfeed1ba058a8da9f3c51860091d536b2dbdc4e64a9a2436f3b87480cfa85e3a1dc830d69421cdda5fe3e1e478933e0c6fa098004d8fdfd01
SSDEEP

393216:hjfbaIzUrpuF1vNYLdU6sff/cVaBqMWaoXzsj:hjfbfIrpuFxSlsff2aBhWls

Score

10^/10

blackmoon banker trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/1800-5-0x0000000000400000-0x0000000002AAD000-memory.dmp	family_blackmoon
behavioral1/memory/1800-12-0x0000000000400000-0x0000000002AAD000-memory.dmp	family_blackmoon
behavioral1/memory/1800-49-0x0000000000400000-0x0000000002AAD000-memory.dmp	family_blackmoon
behavioral1/memory/1800-50-0x0000000000400000-0x0000000002AAD000-memory.dmp	family_blackmoon

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1800-5-0x0000000000400000-0x0000000002AAD000-memory.dmp	vmprotect
behavioral1/memory/1800-12-0x0000000000400000-0x0000000002AAD000-memory.dmp	vmprotect
behavioral1/memory/1800-49-0x0000000000400000-0x0000000002AAD000-memory.dmp	vmprotect
behavioral1/memory/1800-50-0x0000000000400000-0x0000000002AAD000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1800	c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c.exe
1800	c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1800	c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2272	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1800	c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c.exe
1800	c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2272	1800	c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c.exe	28
PID 1800 wrote to memory of 2272	1800	c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c.exe	28
PID 1800 wrote to memory of 2272	1800	c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c.exe	28
PID 1800 wrote to memory of 2272	1800	c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c.exe	28

C:\Users\Admin\AppData\Local\Temp\c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c.exe
"C:\Users\Admin\AppData\Local\Temp\c05070b99a62e2e8b8ae7a73cde33b6880711f0b5dac380710b35f632adf245c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\f76518a.tmp.bat
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f76518a.tmp.bat

Filesize
175B

MD5
0bdb8b70a779876b03c17513ad9ee544

SHA1
3309d9ffb7548036d8bee47a89537f68058a77b5

SHA256
4ef5a7ca10104cfb3ccf469f545a30834b413d337ec93e6ef93ab76833441286

SHA512
d772aebff0f2ae59a4c01d4dc56be889e0ef767e78331260b545e637f96bdca2f759536d0df62b87618428e2e3f69e60724a307abacbb686acbbe5046e166fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f76518a.tmp.bat

Filesize
175B

MD5
0bdb8b70a779876b03c17513ad9ee544

SHA1
3309d9ffb7548036d8bee47a89537f68058a77b5

SHA256
4ef5a7ca10104cfb3ccf469f545a30834b413d337ec93e6ef93ab76833441286

SHA512
d772aebff0f2ae59a4c01d4dc56be889e0ef767e78331260b545e637f96bdca2f759536d0df62b87618428e2e3f69e60724a307abacbb686acbbe5046e166fdd

Download Submit
memory/1800-24-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1800-26-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1800-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1800-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1800-10-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1800-12-0x0000000000400000-0x0000000002AAD000-memory.dmp

Filesize
38.7MB

Download
memory/1800-14-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1800-16-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1800-21-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1800-29-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1800-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1800-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1800-19-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1800-31-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1800-34-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1800-36-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1800-32-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1800-38-0x0000000077220000-0x0000000077221000-memory.dmp

Filesize
4KB

Download
memory/1800-5-0x0000000000400000-0x0000000002AAD000-memory.dmp

Filesize
38.7MB

Download
memory/1800-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1800-49-0x0000000000400000-0x0000000002AAD000-memory.dmp

Filesize
38.7MB

Download
memory/1800-50-0x0000000000400000-0x0000000002AAD000-memory.dmp

Filesize
38.7MB

Download

Analysis

Sharing