blackmoon | d3450195f893d7df66bfa051ef9bfea1859a7360749bbedd59567016d9abbe9f

General

Target

NEAS.1e5e57747f3223647eed93baedcd4e70_JC.exe
Size

3.0MB
MD5

1e5e57747f3223647eed93baedcd4e70
SHA1

41d021b36272d89bf3f5a51a5c42600ceab5a2d9
SHA256

d3450195f893d7df66bfa051ef9bfea1859a7360749bbedd59567016d9abbe9f
SHA512

2bb4349321c19f5edfb1a86c941df1294c75152191ed18ce64c170e3a66c9395d48aee44faf45d3cd2e311b3944738ae5278b4c26746c080f9cb5369a02e8ff8
SSDEEP

49152:gUmJN8WOSElD+ff+PruHlHEIj9YX+BFBrzbIzmCFoqxmMONz0WuhzEYLXCGLcv7H:YJN8WOSE9+fMclH1YqBnbIzPKqjWoocw

Score

10^/10

blackmoon aspackv2 banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 22 IoCs

resource	yara_rule
behavioral2/memory/3812-1-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/3812-2-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/3812-3-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/3812-19-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-22-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-23-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-24-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-43-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-46-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-47-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-48-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-49-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-50-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-52-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-53-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-54-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-55-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-56-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-57-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-58-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-59-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon
behavioral2/memory/2180-60-0x0000000000400000-0x000000000092F000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022ceb-18.dat	aspack_v212_v242
behavioral2/files/0x0006000000022ceb-17.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2180	NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ].exe

Executes dropped EXE 1 IoCs

pid	Process
2180	NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ].exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2180	NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ].exe
2180	NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ].exe
2180	NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ].exe
2180	NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ].exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 2180	3812	NEAS.1e5e57747f3223647eed93baedcd4e70_JC.exe	93
PID 3812 wrote to memory of 2180	3812	NEAS.1e5e57747f3223647eed93baedcd4e70_JC.exe	93
PID 3812 wrote to memory of 2180	3812	NEAS.1e5e57747f3223647eed93baedcd4e70_JC.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.1e5e57747f3223647eed93baedcd4e70_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1e5e57747f3223647eed93baedcd4e70_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Roaming\genwangame\NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ]\NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ].exe
  C:\Users\Admin\AppData\Roaming\genwangame\NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ]\NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ].exe -t 3812 C:\Users\Admin\AppData\Local\Temp\NEAS.1e5e57747f3223647eed93baedcd4e70_JC.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B70478C503EFF9D849F66D2FFA74BEB

Filesize
471B

MD5
00fea4a918e89eb400adb152f9b406d0

SHA1
17653a5dcaf8c90f968fac45a360df45ea1fdcdb

SHA256
92697424b79a8c5ec1cbd62fb473bc9e85ae803c3b8f2238d577b1815db66892

SHA512
8bb6ad95de15b391fe29dd892b0ccd8bedf9b8d675c2719ba9093258f8c99de37eb45fecd6c44f366cbbadd195e5a7bdf2c3537c4c3348e2ef868e08a58b861d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
471B

MD5
5cdd5b77bdee93b62b47bbdc6188c037

SHA1
510816f1f173a0cb20d179b3adef79b976d4acae

SHA256
412117a2bff34f6ee6e44934473ce3b1363adcb42d80ed32581e1e6cb51160fe

SHA512
90d33526750d3543d27635f275023af0b4264fd9e13a1969b6412c56170aad53e28a7d88467f62375cdeba6eefdc121f3eae889f4b76e571dd66e6072b22725f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B70478C503EFF9D849F66D2FFA74BEB

Filesize
404B

MD5
2fe9bf33c892babb6871bee2031461f2

SHA1
091fd9ca370b998e77227ad0510d306d573ab2a7

SHA256
6f02088eddfbe5213b3b76d4842f6ef180d83f972af1cb17e124e3c19cfb4f5c

SHA512
f24fa4de42fa5f53e5a5b6469c3f5a0db68d7a18ff552f1bde45644e444012d1ab79025d09bf7c0c162be0f5a17d2a5b25ff019d566aa4bd28e100f42a2362df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
404B

MD5
0e20138df7dc0ed4bedea584a2186c7e

SHA1
f9681738d0f456bbeb0fff6ef1b3fa32682e9286

SHA256
90aa7c3afb2aebe4aab75668bfdfafca89663a9cfa9bcaa420e0404ed8456cc9

SHA512
2ecf36932f22c3123cf737ae54400f910bf434051467f3157cd8557fabfb37de3c027512c725363128ae12f821f1e02251021315d8b5988b9f4b519acdcef06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bakdel.dat

Filesize
78B

MD5
34258013e7466e3bbc0b4a2f556f437c

SHA1
c878040a40abad6692369ed3501457e08b7d99ad

SHA256
cae2a624f09cc188598291d01971fc1c9dc2dd994cd133ca2d8095abc3460b59

SHA512
372e151d99ee4892098b241aabf3e2a7640ab9faf9920fe118d440984e779981592b66d1b8a87ce3ec6ca96bb032bb0a377412425bfa3f482e2044a54f5322b4

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ]\NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ].exe

Filesize
3.0MB

MD5
1e5e57747f3223647eed93baedcd4e70

SHA1
41d021b36272d89bf3f5a51a5c42600ceab5a2d9

SHA256
d3450195f893d7df66bfa051ef9bfea1859a7360749bbedd59567016d9abbe9f

SHA512
2bb4349321c19f5edfb1a86c941df1294c75152191ed18ce64c170e3a66c9395d48aee44faf45d3cd2e311b3944738ae5278b4c26746c080f9cb5369a02e8ff8

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ]\NEAS.1e5e57747f3223647eed93baedcd4e70_JC[Êµ].exe

Filesize
3.0MB

MD5
1e5e57747f3223647eed93baedcd4e70

SHA1
41d021b36272d89bf3f5a51a5c42600ceab5a2d9

SHA256
d3450195f893d7df66bfa051ef9bfea1859a7360749bbedd59567016d9abbe9f

SHA512
2bb4349321c19f5edfb1a86c941df1294c75152191ed18ce64c170e3a66c9395d48aee44faf45d3cd2e311b3944738ae5278b4c26746c080f9cb5369a02e8ff8

Download Submit
memory/2180-20-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-44-0x00000000033B0000-0x0000000003551000-memory.dmp

Filesize
1.6MB

Download
memory/2180-60-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-59-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-22-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-23-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-24-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-25-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2180-26-0x00000000033B0000-0x0000000003551000-memory.dmp

Filesize
1.6MB

Download
memory/2180-58-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-57-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-56-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-55-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-54-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-43-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-53-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-46-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-47-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-48-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-49-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-50-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/2180-52-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/3812-19-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/3812-1-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/3812-2-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/3812-3-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/3812-4-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/3812-5-0x0000000003430000-0x00000000035D1000-memory.dmp

Filesize
1.6MB

Download
memory/3812-21-0x0000000003430000-0x00000000035D1000-memory.dmp

Filesize
1.6MB

Download
memory/3812-0-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing