blackmoon | a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5

General

Target

a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
Size

9.9MB
MD5

472c8a6f504b9cd3f40090cfa956ed6c
SHA1

d5fe1d6c84b007996bc7bad1a4fb2b853bf89e5f
SHA256

a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5
SHA512

f41857219f69ff6200bb5fb4af1014a53992d7c5ca0ccae1334f8d87a94a7d94622f73a7c309f56c74e4dcde7f896ebcb27352e68bc75e72627049edfafd1350
SSDEEP

196608:zYnGKWUGNEoiN/A4sZvnGfq9nY3ESrKxzWMKkrUr3pM7I41vSnS2A7:UnjpGNvxnrnTygar3xgvSnSZ7

Score

10^/10

blackmoon aspackv2 banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 11 IoCs

resource	yara_rule
behavioral2/memory/368-2-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral2/memory/368-1-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral2/memory/368-3-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral2/memory/368-16-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral2/memory/780-17-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral2/memory/780-18-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral2/memory/780-19-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral2/memory/780-172-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral2/memory/780-179-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral2/memory/780-180-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral2/memory/780-186-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000800000002316c-14.dat	aspack_v212_v242
behavioral2/files/0x000800000002316c-15.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
780	21162a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\H:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\I:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\J:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\O:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\Q:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\R:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\G:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\K:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\M:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\N:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\P:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\A:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\E:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\S:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\W:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\X:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\Y:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\B:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\L:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\T:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\U:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
File opened (read-only)	\??\Z:	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
368	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
368	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
368	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
780	21162a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
780	21162a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
780	21162a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 780	368	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe	93
PID 368 wrote to memory of 780	368	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe	93
PID 368 wrote to memory of 780	368	a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe	93

C:\Users\Admin\AppData\Local\Temp\a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
"C:\Users\Admin\AppData\Local\Temp\a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368
- C:\Èý½çÖ®áÛÎ¢¶Ë\21162a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
  C:\Èý½çÖ®áÛÎ¢¶Ë\21162a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1bf0591baf89a9c47f4984783f3f7334.txt

Filesize
16B

MD5
211fc700d32d80bd507655db7ab7050c

SHA1
05993e2b3638388fdda27f7c68419bb2bf38fd2e

SHA256
02b81af1f327c4c83d420ed9c856960878a1bd538a29a6fcb8ee7d31b943b6da

SHA512
cc6094ab9199d554c2e9a1898a10332306d827db8681106727891028c3ddf92fd8e16c69fdea32437b719eb4aaf66102cc62401fa848ae968b85a136f4fb22e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c8044e58afa6803001d03bf0cb1d1d.ini

Filesize
10KB

MD5
274e81a994c9ec817375b9763d0a57e4

SHA1
b9e96e4534ad3613b7f4ee1640a8f7281c543490

SHA256
2d8874282b846794f40f576690dc2d686310863b9838ed1ae000448f314a743b

SHA512
a4ef58b2456298e79b444d08e5d2355d04d02e8ccd4a6214b3a9869992ee67aa673652b53fbad119b573f6640c70effffba519ceb3256b18798c47d1c0d64817

Download Submit
C:\Èý½çÖ®áÛÎ¢¶Ë\21162a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe

Filesize
1.4MB

MD5
d772a4343904b5b740d65c879b80a151

SHA1
873acddc0dc83fd276442ba1169f9441423d211f

SHA256
52eb1de4bf01215af071de128d615923065ab652377e31b24bc493e4de6cdaca

SHA512
47b0b50935070115c558ba72c26f8a247da1ac1639782cba45de902ae3f3b29df54938ba54490f8fa3250129f881a882b2f06fb70f377fbb35380477d24271b1

Download Submit
C:\Èý½çÖ®áÛÎ¢¶Ë\21162a36d90a69729cfcdde459e27efc693d49c29773f8976d66844aa2c6e61cfe6d5.exe

Filesize
979KB

MD5
5fff92ca883ffa06d8cc285420a5f084

SHA1
b7d6509a31f7768b99b6fca863cfd481d7823c60

SHA256
ba7a00de60acb92672b25fa6f321625b8fa841fa60bc6c1d5de39b40c9e02b47

SHA512
011c77fb241cee62da249263a6adcb8da8167ac11a181edd308547d0ebe5c2494e3ef9ec23b11a8a11bb2f4fbd2d417f2bf2f8d077079ca36f9fe779e7e3804b

Download Submit
C:\Èý½çÖ®áÛÎ¢¶Ë\Data\log.dat

Filesize
233B

MD5
90d9629685ca3ab87d060442e8a1620a

SHA1
554a797d5c2b153506f37616f9f94567c024f41c

SHA256
8413e9ae961cb4b9ff4ae2302b192b2d6ff4e6de657f6fa2b30cec4714335872

SHA512
419eb9e3c88262651f36abf5a80ad790259f79b416924513e27c92227d96055101f60bace84c10b28328ba69d1d52f160e143fe30f2456e4113b58b5dcb73b7d

Download Submit
memory/368-8-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download
memory/368-3-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/368-0-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/368-7-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/368-16-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/368-9-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/368-2-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/368-1-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/780-17-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/780-24-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/780-23-0x0000000003B80000-0x0000000003B81000-memory.dmp

Filesize
4KB

Download
memory/780-29-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/780-19-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/780-18-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/780-172-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/780-179-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/780-180-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/780-186-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing