blackmoon | f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8

General

Target

f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8.exe
Size

840KB
MD5

df073126cc1a49a6f617c421b2411443
SHA1

eb4499dee0f068c2153ba7bfdc6f9a1df31915d3
SHA256

f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8
SHA512

ddda3a9a4fcc5d003f11dfea91e69414d30cdcc11fa35637ac7b4deffbc519f42812a54acab9767084d08d1876073138eb64be59b2da5a1413aa2ea6abfc459a
SSDEEP

24576:x0n0W6Evw14G6Uukw5mR9Kqw1MaN7ADqZ:in0W6r44Cc9w1cDqZ

Score

10^/10

blackmoon banker trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral2/memory/2436-3-0x0000000010000000-0x0000000010067000-memory.dmp	family_blackmoon
behavioral2/memory/2436-7-0x0000000003270000-0x0000000003C70000-memory.dmp	family_blackmoon
behavioral2/memory/4244-22-0x00000000008C0000-0x00000000008EA000-memory.dmp	family_blackmoon

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM_START.lnk	f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8.exe

Executes dropped EXE 1 IoCs

pid	Process
4244	uxhfy

Loads dropped DLL 1 IoCs

pid	Process
4244	uxhfy

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2436-0-0x0000000000400000-0x00000000005A2000-memory.dmp	vmprotect
behavioral2/memory/2436-1-0x0000000000400000-0x00000000005A2000-memory.dmp	vmprotect
behavioral2/memory/2436-8-0x0000000000400000-0x00000000005A2000-memory.dmp	vmprotect
behavioral2/files/0x0007000000022e5c-16.dat	vmprotect
behavioral2/files/0x0007000000022e5c-17.dat	vmprotect
behavioral2/memory/4244-19-0x0000000010000000-0x0000000010057000-memory.dmp	vmprotect
behavioral2/memory/4244-18-0x0000000010000000-0x0000000010057000-memory.dmp	vmprotect
behavioral2/memory/4244-27-0x0000000010000000-0x0000000010057000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2436	f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8.exe
4244	uxhfy

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	uxhfy
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	uxhfy
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	uxhfy
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	uxhfy
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	uxhfy

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2436	f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8.exe
2436	f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8.exe
4244	uxhfy
4244	uxhfy
4244	uxhfy
4244	uxhfy

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
696	OpenWith.exe
4244	uxhfy

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 4244	2436	f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8.exe	97
PID 2436 wrote to memory of 4244	2436	f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8.exe	97
PID 2436 wrote to memory of 4244	2436	f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8.exe	97

C:\Users\Admin\AppData\Local\Temp\f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8.exe
"C:\Users\Admin\AppData\Local\Temp\f422242d47aac5e01bbdfbb5db0da1735b7cb70820a21f8c740a95d0d41284e8.exe"
1⤵
- Drops startup file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Public\Videos\VSTelem\uxhfy\uxhfy
  C:\Users\Public\Videos\VSTelem\uxhfy\uxhfy
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4244

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Videos\VSTelem\uxhfy\Language.dll

Filesize
196KB

MD5
53457c0864f2281d4d8100e2fd47dbc5

SHA1
54278b20dc0aef7fc2b8f3119a243426a0b8197f

SHA256
e4d05689c05636116546d9429c4415ad3c27837c10bcdda2c51f9fd2c96822d9

SHA512
2d28229178a1d6b122b39d98f21f7308adaade2f3c64061cdd51abbc6712b83b80633ae069abe0246fe7facda19980b0763b5603d8f1ad7a2e013e956041406a

Download Submit
C:\Users\Public\Videos\VSTelem\uxhfy\Update.log

Filesize
41KB

MD5
7f2aad54c639b92680d622c93140ff2d

SHA1
332f6abeb7b28f33267c700515bb1bb280048642

SHA256
bb3db86f559ea5aef6079745014289ebcf4299e994b1cb2f3c9967e58ba9aede

SHA512
8aa2157e653c1610f966147664c3a6807cd04e630998a8a577e5c469e6c9d05da9942cea1f66b12965135c57b83489fec9fc3e9211c87ca0633482201f5c4d56

Download Submit
C:\Users\Public\Videos\VSTelem\uxhfy\language.dll

Filesize
196KB

MD5
53457c0864f2281d4d8100e2fd47dbc5

SHA1
54278b20dc0aef7fc2b8f3119a243426a0b8197f

SHA256
e4d05689c05636116546d9429c4415ad3c27837c10bcdda2c51f9fd2c96822d9

SHA512
2d28229178a1d6b122b39d98f21f7308adaade2f3c64061cdd51abbc6712b83b80633ae069abe0246fe7facda19980b0763b5603d8f1ad7a2e013e956041406a

Download Submit
C:\Users\Public\Videos\VSTelem\uxhfy\uxhfy

Filesize
49KB

MD5
86810e2d993f7327eb5b25b5d17d21c1

SHA1
92be7e63223f3c7e37161b8fc1ab555813988d70

SHA256
63636cec408acbbc4d04c01f9efdbe4b9b08fa0c4390ec8729b9ff0c8be9d246

SHA512
148ef0d152260f874d2c32accf4afdc07d7b975fc15d2373d9c4d8fc4975dc4c54f37ca432eddb9b4e0d109386ab9ab8aad2dcea420ed8a5ee42e4aff341fd4c

Download Submit
C:\Users\Public\Videos\VSTelem\uxhfy\uxhfy

Filesize
49KB

MD5
86810e2d993f7327eb5b25b5d17d21c1

SHA1
92be7e63223f3c7e37161b8fc1ab555813988d70

SHA256
63636cec408acbbc4d04c01f9efdbe4b9b08fa0c4390ec8729b9ff0c8be9d246

SHA512
148ef0d152260f874d2c32accf4afdc07d7b975fc15d2373d9c4d8fc4975dc4c54f37ca432eddb9b4e0d109386ab9ab8aad2dcea420ed8a5ee42e4aff341fd4c

Download Submit
memory/2436-7-0x0000000003270000-0x0000000003C70000-memory.dmp

Filesize
10.0MB

Download
memory/2436-8-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2436-0-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2436-3-0x0000000010000000-0x0000000010067000-memory.dmp

Filesize
412KB

Download
memory/2436-1-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/4244-19-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/4244-18-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/4244-22-0x00000000008C0000-0x00000000008EA000-memory.dmp

Filesize
168KB

Download
memory/4244-21-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4244-27-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing