blackmoon | 136ea8d9f04fcc7c39957bd47c1c68f467b0e1777814038d876161dca439dcf3

General

Target

000115c7b913353376679335880f8982.exe
Size

4.5MB
MD5

000115c7b913353376679335880f8982
SHA1

ae7c1096980b474da7f0d6b516841675b0ebf2d6
SHA256

136ea8d9f04fcc7c39957bd47c1c68f467b0e1777814038d876161dca439dcf3
SHA512

7e9d6af745dd397ce22e3fc946226a114aeb372a16b0d301c50225c3645e395548c3cf8e71652826a45f0b21d5a4d693421ce3731537c0a1e04c7c93c0d2558f
SSDEEP

49152:+lozaRGEgKs/5SP4cKgBhD1cK72HDPNUeFwbDQeq8Yy3FLpNGuoenW0Kno:WAaRGEfs/jxw77mPNU+SDQW9ceW0Ko

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/2900-0-0x0000000000400000-0x000000000088A000-memory.dmp	family_blackmoon
behavioral1/memory/2900-117-0x0000000000400000-0x000000000088A000-memory.dmp	family_blackmoon

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2900-1-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-3-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-7-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-26-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-29-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-50-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-51-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-53-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-48-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-46-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-44-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-42-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-40-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-38-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-36-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-33-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-31-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-24-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-22-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-20-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-18-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-16-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-14-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-12-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-9-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-6-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-5-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-4-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2900-115-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	000115c7b913353376679335880f8982.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	000115c7b913353376679335880f8982.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	000115c7b913353376679335880f8982.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2900	000115c7b913353376679335880f8982.exe
2900	000115c7b913353376679335880f8982.exe
2900	000115c7b913353376679335880f8982.exe
2900	000115c7b913353376679335880f8982.exe

C:\Users\Admin\AppData\Local\Temp\000115c7b913353376679335880f8982.exe
"C:\Users\Admin\AppData\Local\Temp\000115c7b913353376679335880f8982.exe"
1⤵
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
8KB

MD5
9dbcd64b514dfd8edaf017c1475533c7

SHA1
d0f8afa5db04fac733ff2ac4c549b2be3e1eae59

SHA256
d66c1dbf86614df14ae1726e808b6da3777f2d357403ca0ecf7a25ffb36d118e

SHA512
9d979795f5fcc0af70f8fee40a832b268d9d6adc59d476a1c8c25f3ac76fd992d92d8112d96d652ab28d0ad1b419078c42cd229b14f7d03c18afe1ff5b50d2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar285D.tmp

Filesize
46KB

MD5
3794ed293c6dbf8085eb50d128826dd5

SHA1
8d9c4469f310fb87986d8fe1cc6a009a71e5c0fe

SHA256
0f76b1465b23790f89b0ab94fb6da7cc085976913a2f7d7927616830f0b84f10

SHA512
028348d15bd1f6f7b15cbb037fc48236222c92397152abe79048b347c4a404b1a0db4d51a7127e301fe605e1dbedcf4c5def64bd5e97e82af75dbdd302ba27bc

Download Submit
memory/2900-33-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-22-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-26-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-29-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-50-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-51-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-53-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-48-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-46-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-44-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-42-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-40-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-38-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-36-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-0-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2900-31-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-7-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-20-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-24-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-18-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-16-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-14-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-12-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-9-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-6-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-5-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-4-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-3-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-1-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-116-0x00000000009B0000-0x0000000000AB0000-memory.dmp

Filesize
1024KB

Download
memory/2900-115-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2900-117-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2900-118-0x00000000009B0000-0x0000000000AB0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing