blackmoon | 2121dff62b134d19fca570d5de76b0e09b6f48eb0600daeca7a51ce4f2ba9c5f

General

Target

2121dff62b134d19fca570d5de76b0e09b6f48eb0600daeca7a51ce4f2ba9c5f
Size

7.3MB
Sample

231011-wswrwsdh9y
MD5

2274f5ddcf0124b5a123a163f0a5217a
SHA1

91439e901de05d3ef392cae755e04376722d7122
SHA256

2121dff62b134d19fca570d5de76b0e09b6f48eb0600daeca7a51ce4f2ba9c5f
SHA512

514129a2000932593d62db677e04c1989dab41c47536f5f6964d09a3d8706cd8abefcbc3ccfeeeb3af5019daab39e74f059d669a890bf4242cb4fc9de2fbfc53
SSDEEP

196608:60XL4uLmMzeXX6s7uze9DUL25cQYlIf9UOt+:6G4LMzeXqsr9HOLaf2Ot+

Score

10^/10

Malware Config

Targets

- Target
  
  2121dff62b134d19fca570d5de76b0e09b6f48eb0600daeca7a51ce4f2ba9c5f
- Size
  
  7.3MB
- MD5
  
  2274f5ddcf0124b5a123a163f0a5217a
- SHA1
  
  91439e901de05d3ef392cae755e04376722d7122
- SHA256
  
  2121dff62b134d19fca570d5de76b0e09b6f48eb0600daeca7a51ce4f2ba9c5f
- SHA512
  
  514129a2000932593d62db677e04c1989dab41c47536f5f6964d09a3d8706cd8abefcbc3ccfeeeb3af5019daab39e74f059d669a890bf4242cb4fc9de2fbfc53
- SSDEEP
  
  196608:60XL4uLmMzeXX6s7uze9DUL25cQYlIf9UOt+:6G4LMzeXqsr9HOLaf2Ot+
Score

10^/10

blackmoon banker evasion themida trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Blackmoon, KrBanker

Detect Blackmoon payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

ACProtect 1.3x - 1.4x DLL software

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Themida packer

UPX packed file

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2