blackmoon | e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a

General

Target

e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe
Size

4.3MB
MD5

e69f75c4add5562c23c24e8b199b4d25
SHA1

569a6e7f4f4595653bc1bf7e93b1d2c358b0ef77
SHA256

e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a
SHA512

ad9062028c9de45a17e0138bda92992048dba232a5e165c64060a99715a29fa96c3c3c0b4ebb7eed4fea6eea3a3483516f9f2516a9325b9c4e2e2dc022770d29
SSDEEP

98304:CLSs9c4yYZIVSEa02Qh/dgrGz4tuMPBRwJkWuO1RGOjYc4+kulZ:w9crVSEu2dgrztuMPjSWOP6KlZ

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/3512-1-0x0000000000400000-0x0000000000F30000-memory.dmp	family_blackmoon
behavioral2/files/0x00020000000228ab-19.dat	family_blackmoon
behavioral2/memory/3512-61-0x0000000000400000-0x0000000000F30000-memory.dmp	family_blackmoon
behavioral2/memory/3512-72-0x0000000000400000-0x0000000000F30000-memory.dmp	family_blackmoon

Loads dropped DLL 5 IoCs

pid	Process
3512	e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe
3512	e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe
3512	e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe
3512	e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe
3512	e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3512	e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3512	e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe
Token: 33	2416	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2416	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3512	e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe
3512	e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe
3512	e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe
3512	e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe

C:\Users\Admin\AppData\Local\Temp\e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe
"C:\Users\Admin\AppData\Local\Temp\e59e2344bb5f2e9a8f4e69247d20cb6501687a0d6b85ef89571b8082f4a3801a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3512

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x334
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
320KB

MD5
8c68c0a08c220f94c7fc4c4fb75d0744

SHA1
4216011fc009592901c1ede16d97835422f62909

SHA256
e337af5620e64bc05699caf0a76d6d18c66cab3582a0f648f8396fb62e2e04ed

SHA512
b9dd1df595b6f05217aed0d13efe216832ff4e8281337b910d667aa4293cefaa55e59f0c9c1fe3080e9673176db931a05faa273e485c078e0564e34dff419dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
323KB

MD5
460a62e64e6ddf5c768eee2075daf894

SHA1
e7c067159f4de4f5ec8c2db4ebd1f2c4bae1e14e

SHA256
d554a0350db44787f16b93aee60c2d2c1dafe09089c4e270aacfc6894086c543

SHA512
0cfb33bd5b00a221c77d628ea252f2f4001ccf33b08f0b25a930c1c1e30dac2d65148b63cb07ebde178d74ada827ef64014e4c180387d9fdb9e18614081c7663

Download Submit
C:\Users\Admin\AppData\Local\Temp\bass.dll

Filesize
116KB

MD5
f376fc102edbbaa7a88c005eb519c198

SHA1
f36b0fce36838655b13e95c3895bebc868c3544b

SHA256
09183fb6a2b1ae537804f475b35647758b83c0e6cafe2573dd5c710c64e9c0b0

SHA512
3d07bc58640dfef0768d12f5944f3fd8c050f92e9a794dcbfe16c6e66b87b07489555030f20e969d9d62bb4e9f7e050402391dd1c1667dea36db147807c799c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\languages.ini

Filesize
10KB

MD5
492be3d37b0e8fe74ca3afc41e18e6ce

SHA1
19a265ca3b5fb2e971d14f8d04d20f4277faa906

SHA256
6c7fa2316ce154231710387a22e014afdb24cfb4215d29feca76a2b0a9734949

SHA512
2bea1e149cc35e3bcfc93d19d0e5c09e275ec2d07f322ffb9d3b1873a12329ef86bbe5f00e9dbe5b748a3210d4613f3a94e15e8857b44f382e45de4a0b70a2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl.dll

Filesize
25KB

MD5
673c66811cd6913eda4ca762811c34ff

SHA1
56c78f8d7abc294bab9eeb38567eee0c76a2101b

SHA256
843e9267448773cf21d8ec1027a2dc66c0d5ad428e72af8393d5bc342ee9e6d5

SHA512
e7a565c293ccf79538d802198497011b0fd9445eba958cbba89d34c3bda2b8e58ccbfd7e561536880ba12618fc3a9c25a4aff55dcb840ff6d0f93617c8769183

Download Submit
C:\Users\Admin\AppData\Local\Temp\libexdui.dll

Filesize
429KB

MD5
db4e7b05b51bf179b9852b3e9667aa4d

SHA1
0102fd2d9aaa199b568da307929f4bcfa7f2f479

SHA256
03c19157f4abff9985017c87b4686588b9860c9832c79f524d884e5c4d39ca88

SHA512
3379cc2582fe74c5579b5bb3d879b19ef910ac7efaa641809986bcc6e2f7362a128b502f4e4550ae82768625551797d38e8c33688869dbe49b39dc059adb6ebd

Download Submit
memory/3512-18-0x0000000002F40000-0x0000000002F5D000-memory.dmp

Filesize
116KB

Download
memory/3512-63-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/3512-0-0x0000000000400000-0x0000000000F30000-memory.dmp

Filesize
11.2MB

Download
memory/3512-55-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/3512-60-0x0000000006F20000-0x0000000006FC7000-memory.dmp

Filesize
668KB

Download
memory/3512-66-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/3512-67-0x0000000001060000-0x0000000001160000-memory.dmp

Filesize
1024KB

Download
memory/3512-53-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/3512-61-0x0000000000400000-0x0000000000F30000-memory.dmp

Filesize
11.2MB

Download
memory/3512-15-0x0000000075690000-0x00000000756DD000-memory.dmp

Filesize
308KB

Download
memory/3512-1-0x0000000000400000-0x0000000000F30000-memory.dmp

Filesize
11.2MB

Download
memory/3512-72-0x0000000000400000-0x0000000000F30000-memory.dmp

Filesize
11.2MB

Download
memory/3512-73-0x0000000002F40000-0x0000000002F5D000-memory.dmp

Filesize
116KB

Download
memory/3512-74-0x0000000001060000-0x0000000001160000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing