blackmoon | 45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453

Analysis

max time kernel
203s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453.exe
Size

14.2MB
MD5

1610513f677306b8c6b4039b5ae3fadc
SHA1

f67ea317b0e8b36ad284e9536b80ca6913633d3d
SHA256

45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453
SHA512

508118bcc99afa87bb22b548645dd0c2e2782b5d00535aa727fe7d5f41e23c90a6c12fbdcd8968136f5ec20e12eea8d2bd5e6f4545e8279242d025ec17523b52
SSDEEP

393216:MpgGC5K8qO4QJ4KRuqy3RukNZgvqzVRBgGY:Kkj/ZYlgC54l

Score

10^/10

blackmoon banker bootkit persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/4024-23-0x0000000010000000-0x00000000100FC000-memory.dmp	family_blackmoon
behavioral2/memory/4024-26-0x0000000010000000-0x00000000100FC000-memory.dmp	family_blackmoon

Loads dropped DLL 2 IoCs

pid	Process
4024	45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453.exe
4024	45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4024	45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453.exe
4024	45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4024	45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4024	45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453.exe
4024	45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453.exe
4024	45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453.exe

C:\Users\Admin\AppData\Local\Temp\45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453.exe
"C:\Users\Admin\AppData\Local\Temp\45c71780462d5f198c14f2fff5e0b6deef1e7212aa1531ed134781e6ef3f2453.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230120.lib

Filesize
1.3MB

MD5
733addd0bb479e49e25452fde2cff901

SHA1
e7a8c8b916423420dbf01a9f1924ef7a6001c43e

SHA256
880857ae1b56535a2efa32a4daf876e6606805a14e9038e0fdc7b9c36fa2184e

SHA512
f814773d26744cd6e408358af04b583281d5e228cc0fe00d3eacfcd8375701204b7e0093ffc4915ddcce3fd7b4ea2910cf0a2b8624d42f55cfe899b8abb3cc3e

Download Submit
C:\Users\Admin\Documents\libexdui.dll

Filesize
312KB

MD5
460985cd6e19695e691a6acc9351d80b

SHA1
0a15fa4d9b2a8323df23e650a283076e5833afea

SHA256
b559b21adf327c570dde6a0faebad5758a4e2bdb2f9d332b6e143f4f949a1c16

SHA512
aba1ccb125b3d39f7d8d8fd091d5423671e3a87e21d6ec3f2cb8a76addea70a3521c5b5e1eac7df798ebe9d33029e43dac5f1d6e72a8cda7a010f9fe9ee3491b

Download Submit
memory/4024-36-0x000000000A1E0000-0x000000000A1E1000-memory.dmp

Filesize
4KB

Download
memory/4024-23-0x0000000010000000-0x00000000100FC000-memory.dmp

Filesize
1008KB

Download
memory/4024-4-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/4024-7-0x0000000000400000-0x0000000001FBF000-memory.dmp

Filesize
27.7MB

Download
memory/4024-8-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/4024-6-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/4024-3-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/4024-9-0x0000000000400000-0x0000000001FBF000-memory.dmp

Filesize
27.7MB

Download
memory/4024-2-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/4024-1-0x0000000003F90000-0x0000000004137000-memory.dmp

Filesize
1.7MB

Download
memory/4024-20-0x0000000010000000-0x00000000100FC000-memory.dmp

Filesize
1008KB

Download
memory/4024-21-0x0000000000400000-0x0000000001FBF000-memory.dmp

Filesize
27.7MB

Download
memory/4024-37-0x000000000A1D0000-0x000000000A1D1000-memory.dmp

Filesize
4KB

Download
memory/4024-26-0x0000000010000000-0x00000000100FC000-memory.dmp

Filesize
1008KB

Download
memory/4024-27-0x000000000A0A0000-0x000000000A0A1000-memory.dmp

Filesize
4KB

Download
memory/4024-28-0x000000000A0B0000-0x000000000A0B1000-memory.dmp

Filesize
4KB

Download
memory/4024-30-0x000000000A130000-0x000000000A131000-memory.dmp

Filesize
4KB

Download
memory/4024-31-0x000000000A150000-0x000000000A151000-memory.dmp

Filesize
4KB

Download
memory/4024-29-0x000000000A0F0000-0x000000000A0F1000-memory.dmp

Filesize
4KB

Download
memory/4024-32-0x000000000A1B0000-0x000000000A1B1000-memory.dmp

Filesize
4KB

Download
memory/4024-33-0x000000000A200000-0x000000000A201000-memory.dmp

Filesize
4KB

Download
memory/4024-34-0x000000000A250000-0x000000000A251000-memory.dmp

Filesize
4KB

Download
memory/4024-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4024-0-0x0000000000400000-0x0000000001FBF000-memory.dmp

Filesize
27.7MB

Download
memory/4024-43-0x000000000A2C0000-0x000000000A2C1000-memory.dmp

Filesize
4KB

Download
memory/4024-39-0x000000000A220000-0x000000000A221000-memory.dmp

Filesize
4KB

Download
memory/4024-35-0x000000000A2A0000-0x000000000A2A1000-memory.dmp

Filesize
4KB

Download
memory/4024-40-0x000000000A280000-0x000000000A281000-memory.dmp

Filesize
4KB

Download
memory/4024-41-0x000000000A270000-0x000000000A271000-memory.dmp

Filesize
4KB

Download
memory/4024-42-0x000000000A2D0000-0x000000000A2D1000-memory.dmp

Filesize
4KB

Download
memory/4024-44-0x000000000A320000-0x000000000A321000-memory.dmp

Filesize
4KB

Download
memory/4024-38-0x000000000A230000-0x000000000A231000-memory.dmp

Filesize
4KB

Download
memory/4024-45-0x000000000A3E0000-0x000000000A3E1000-memory.dmp

Filesize
4KB

Download
memory/4024-46-0x000000000A4F0000-0x000000000A4F1000-memory.dmp

Filesize
4KB

Download
memory/4024-47-0x000000000A550000-0x000000000A551000-memory.dmp

Filesize
4KB

Download
memory/4024-48-0x000000000A380000-0x000000000A381000-memory.dmp

Filesize
4KB

Download
memory/4024-49-0x000000000A0E0000-0x000000000A0E1000-memory.dmp

Filesize
4KB

Download
memory/4024-50-0x000000000A0D0000-0x000000000A0D1000-memory.dmp

Filesize
4KB

Download
memory/4024-51-0x000000000A120000-0x000000000A121000-memory.dmp

Filesize
4KB

Download
memory/4024-52-0x000000000A110000-0x000000000A111000-memory.dmp

Filesize
4KB

Download
memory/4024-53-0x000000000A160000-0x000000000A161000-memory.dmp

Filesize
4KB

Download
memory/4024-54-0x00000000095C0000-0x00000000095C1000-memory.dmp

Filesize
4KB

Download
memory/4024-55-0x000000000B480000-0x000000000B481000-memory.dmp

Filesize
4KB

Download
memory/4024-56-0x000000000B390000-0x000000000B391000-memory.dmp

Filesize
4KB

Download
memory/4024-57-0x000000000B4C0000-0x000000000B4C1000-memory.dmp

Filesize
4KB

Download
memory/4024-58-0x000000000B3A0000-0x000000000B3A1000-memory.dmp

Filesize
4KB

Download
memory/4024-59-0x00000000095D0000-0x00000000095D1000-memory.dmp

Filesize
4KB

Download