blackmoon | 7e6a8e3801e87e6d392b0826b21bdffa0bdef5c67476b48427171bb9c992b31c | Triage

Submit
Reports

Overview

overview

Static

static

3

218b9a39a1...bf.exe

windows7-x64

218b9a39a1...bf.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

218b9a39a157bc200e3bc0b28f99c6bf
Size

128KB
Sample

231225-qnq3ysaacr
MD5

218b9a39a157bc200e3bc0b28f99c6bf
SHA1

2259bcf24387279012a3c194a8c6eb0d21d5e7bd
SHA256

7e6a8e3801e87e6d392b0826b21bdffa0bdef5c67476b48427171bb9c992b31c
SHA512

d6c0b0f0af47f9cf9edfb78969a074e231c5312ac40e248e18db9ad0be96c1ca4dfe4f693014787629bb2641d4b16ed66622c4d83cdd14ded079dbf368ac603a
SSDEEP

3072:0gUq9GDx++6rIsbT4qOg41v2dYeVUknnzBbMqds6NoutZ:0Tq9G0+LwTODt2meVnnnlb7/oSZ

Score

10^/10

blackmoon banker persistence trojan vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

218b9a39a157bc200e3bc0b28f99c6bf.exe

Resource

win7-20231129-en

blackmoon banker persistence trojan vmprotect

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

218b9a39a157bc200e3bc0b28f99c6bf.exe

Resource

win10v2004-20231215-en

blackmoon banker persistence trojan vmprotect

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  218b9a39a157bc200e3bc0b28f99c6bf
- Size
  
  128KB
- MD5
  
  218b9a39a157bc200e3bc0b28f99c6bf
- SHA1
  
  2259bcf24387279012a3c194a8c6eb0d21d5e7bd
- SHA256
  
  7e6a8e3801e87e6d392b0826b21bdffa0bdef5c67476b48427171bb9c992b31c
- SHA512
  
  d6c0b0f0af47f9cf9edfb78969a074e231c5312ac40e248e18db9ad0be96c1ca4dfe4f693014787629bb2641d4b16ed66622c4d83cdd14ded079dbf368ac603a
- SSDEEP
  
  3072:0gUq9GDx++6rIsbT4qOg41v2dYeVUknnzBbMqds6NoutZ:0Tq9G0+LwTODt2meVnnnlb7/oSZ
Score

10^/10

blackmoon banker persistence trojan vmprotect
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Drops file in Drivers directory
- Modifies AppInit DLL entries
  persistence
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerpersistencetrojanvmprotect

behavioral2

blackmoonbankerpersistencetrojanvmprotect

© 2018-2025

Terms | Privacy