blackmoon | 6d7eee0253c4fb6bdd946c309f3db823a348b1cdc9dcb2bd3f2412b30eb9590f | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

64c2e949a2...9b.exe

windows7-x64

64c2e949a2...9b.exe

windows10-2004-x64

Sharing

General

Target

64c2e949a2f92c4f458ea1e18ef0829b.bin
Size

2.0MB
Sample

240125-b4a94sdeb9
MD5

64c2e949a2f92c4f458ea1e18ef0829b
SHA1

5274af76387950b897e4cd1fd9f8cf69755dd05e
SHA256

6d7eee0253c4fb6bdd946c309f3db823a348b1cdc9dcb2bd3f2412b30eb9590f
SHA512

6b52f421f8f03402d012cc185547e26ee5e562b18bdc42cf81e80e6a5463ac57383e1d11099770057149c0a6477564b20efb39960e0f1a44b7ebe9e6e89e8b29
SSDEEP

24576:bSH25PwcN2jx23LdZNtWFKVsIdaY5VFt1LuqJhDqGFeyUQPurCD8JYjSK5ECl:blDoOTNtGKOIvfuRVy/Pur2Mgl

Score

10^/10

blackmoon banker bootkit persistence trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

64c2e949a2f92c4f458ea1e18ef0829b.exe

Resource

win7-20231215-en

blackmoon banker bootkit persistence trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

64c2e949a2f92c4f458ea1e18ef0829b.exe

Resource

win10v2004-20231215-en

blackmoon banker bootkit persistence trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  64c2e949a2f92c4f458ea1e18ef0829b.bin
- Size
  
  2.0MB
- MD5
  
  64c2e949a2f92c4f458ea1e18ef0829b
- SHA1
  
  5274af76387950b897e4cd1fd9f8cf69755dd05e
- SHA256
  
  6d7eee0253c4fb6bdd946c309f3db823a348b1cdc9dcb2bd3f2412b30eb9590f
- SHA512
  
  6b52f421f8f03402d012cc185547e26ee5e562b18bdc42cf81e80e6a5463ac57383e1d11099770057149c0a6477564b20efb39960e0f1a44b7ebe9e6e89e8b29
- SSDEEP
  
  24576:bSH25PwcN2jx23LdZNtWFKVsIdaY5VFt1LuqJhDqGFeyUQPurCD8JYjSK5ECl:blDoOTNtGKOIvfuRVy/Pur2Mgl
Score

10^/10

blackmoon banker bootkit persistence trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerbootkitpersistencetrojan

behavioral2

blackmoonbankerbootkitpersistencetrojan

© 2018-2025

Terms | Privacy