blackmoon | c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b

General

Target

c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe
Size

1.3MB
MD5

4f6be8b0a37123f64dc6c5c64d3ac731
SHA1

3cc764ed720c10ca1f35f2c15e64c58b054788e0
SHA256

c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b
SHA512

ff559524ae0ad1f5a7385db97cf2ef0b44a9b8b328056f879f7b0f3566d38df04864e25d7c099ac1e0bbf00bb42034a59f60c9486548f17838ac47dad08d0904
SSDEEP

24576:DkACnTTsXcJu1VUY4fA8sycIht2J14/4aoy13CDIMwZZgV0rtJynfBX4W:Dx1VUYd8DcI3gao4SDk3tJyfB

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022cdf-1.dat	family_blackmoon

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iqfjhzrwpzzesqlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iqfjhzrwpzzesqlj = "C:\\ProgramData\\Citrix\\kkdxerypygkpnhnfzqqkldk\\iqfjhzrwpzzesqlj.exe"	iqfjhzrwpzzesqlj.exe

Executes dropped EXE 1 IoCs

pid	Process
348	iqfjhzrwpzzesqlj.exe

Loads dropped DLL 1 IoCs

pid	Process
348	iqfjhzrwpzzesqlj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
348	iqfjhzrwpzzesqlj.exe
348	iqfjhzrwpzzesqlj.exe
348	iqfjhzrwpzzesqlj.exe
348	iqfjhzrwpzzesqlj.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3292	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	348	iqfjhzrwpzzesqlj.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1160	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe
5012	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe
3292	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe
348	iqfjhzrwpzzesqlj.exe
348	iqfjhzrwpzzesqlj.exe
348	iqfjhzrwpzzesqlj.exe
348	iqfjhzrwpzzesqlj.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 5012	1160	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe	84
PID 1160 wrote to memory of 5012	1160	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe	84
PID 1160 wrote to memory of 5012	1160	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe	84
PID 5012 wrote to memory of 3292	5012	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe	85
PID 5012 wrote to memory of 3292	5012	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe	85
PID 5012 wrote to memory of 3292	5012	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe	85
PID 3292 wrote to memory of 1704	3292	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe	86
PID 3292 wrote to memory of 1704	3292	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe	86
PID 3292 wrote to memory of 1704	3292	c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe	86
PID 1704 wrote to memory of 348	1704	cmd.exe	88
PID 1704 wrote to memory of 348	1704	cmd.exe	88
PID 1704 wrote to memory of 348	1704	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe
"C:\Users\Admin\AppData\Local\Temp\c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe
  TY433A5C50726F6772616D446174615C4369747269785C6B6B64786572797079676B706E686E667A71716B6C646B5C6971666A687A7277707A7A6573716C6A2E657865
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\c94f3e205c747ea3238c6aeb6fab6972af50a332af242b2aa02ef689ec269f8b.exe
    KL433A5C50726F6772616D446174615C4369747269785C6B6B64786572797079676B706E686E667A71716B6C646B5C6971666A687A7277707A7A6573716C6A2E657865
    3⤵
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\ProgramData\Citrix\kkdxerypygkpnhnfzqqkldk\iqfjhzrwpzzesqlj.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\ProgramData\Citrix\kkdxerypygkpnhnfzqqkldk\iqfjhzrwpzzesqlj.exe
        
        C:\ProgramData\Citrix\kkdxerypygkpnhnfzqqkldk\iqfjhzrwpzzesqlj.exe
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Citrix\kkdxerypygkpnhnfzqqkldk\ctxmui.dll

Filesize
744KB

MD5
d9af52f6ba09088b0c6d40e84dd7e87d

SHA1
178fbd173d5a64ca7b04f7c2f146d963b8ef0501

SHA256
478b311e7397ef5db4d789e5af3f729558e8eb7afaba49b4d45b789a6ec0ecc9

SHA512
64dffe73611881dc08576752364fe577aab70a0a306f90645a5dec16ea86dab85a90aa5a5693b32b40d05b14cd55ee865cfdab5bb28411d42f7a874bacf610bd

Download Submit
C:\ProgramData\Citrix\kkdxerypygkpnhnfzqqkldk\iqfjhzrwpzzesqlj.exe

Filesize
125KB

MD5
8929530afda63d45859ecbabc5e9edb4

SHA1
7f8a88b9d815399ee0047f8bc67c7a2a1d7c16bd

SHA256
f4f76935e15ae533d47434880b455297a7b57bd45cd98e124eabf4cfe5b24723

SHA512
fae7e1027de3ece5ad06b24ead5c07912c0b5c6217677d2702ebec49c968c7a6f3feffb73491a1557878c6cc5cc69045bc818abc71a48c5a2408f1359f9bd583

Download Submit
memory/348-16-0x00000000046E0000-0x0000000004855000-memory.dmp

Filesize
1.5MB

Download
memory/348-21-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/348-4-0x00000000029D0000-0x0000000002AB9000-memory.dmp

Filesize
932KB

Download
memory/348-5-0x0000000003C00000-0x0000000003E11000-memory.dmp

Filesize
2.1MB

Download
memory/348-6-0x00000000029D0000-0x0000000002AB9000-memory.dmp

Filesize
932KB

Download
memory/348-10-0x0000000003FE0000-0x0000000004036000-memory.dmp

Filesize
344KB

Download
memory/348-12-0x0000000004050000-0x000000000413B000-memory.dmp

Filesize
940KB

Download
memory/348-14-0x0000000004270000-0x0000000004309000-memory.dmp

Filesize
612KB

Download
memory/348-3-0x00000000029D0000-0x0000000002AB9000-memory.dmp

Filesize
932KB

Download
memory/348-18-0x0000000004380000-0x00000000043D2000-memory.dmp

Filesize
328KB

Download
memory/348-15-0x00000000046E0000-0x0000000004855000-memory.dmp

Filesize
1.5MB

Download
memory/348-2-0x00000000029D0000-0x0000000002AB9000-memory.dmp

Filesize
932KB

Download
memory/348-20-0x0000000003E50000-0x0000000003E51000-memory.dmp

Filesize
4KB

Download
memory/348-19-0x0000000003C00000-0x0000000003E11000-memory.dmp

Filesize
2.1MB

Download
memory/348-22-0x0000000003C00000-0x0000000003E11000-memory.dmp

Filesize
2.1MB

Download
memory/348-23-0x0000000004380000-0x00000000043D2000-memory.dmp

Filesize
328KB

Download
memory/348-24-0x0000000003FE0000-0x0000000004036000-memory.dmp

Filesize
344KB

Download
memory/348-26-0x0000000004270000-0x0000000004309000-memory.dmp

Filesize
612KB

Download
memory/348-25-0x0000000004050000-0x000000000413B000-memory.dmp

Filesize
940KB

Download
memory/348-27-0x00000000046E0000-0x0000000004855000-memory.dmp

Filesize
1.5MB

Download
memory/348-28-0x0000000004380000-0x00000000043D2000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads