blackmoon | 32e908a3ed3ca25b9003b7eef74de80c4b441b79b269d0e2587fb2c73bb0d26a

General

Target

bcfcd1861307ae8f017d999cb3417a4f.exe
Size

132KB
MD5

bcfcd1861307ae8f017d999cb3417a4f
SHA1

70506fc7acbf364d8e6d3ea00181f3095f7f8319
SHA256

32e908a3ed3ca25b9003b7eef74de80c4b441b79b269d0e2587fb2c73bb0d26a
SHA512

d58f5e28bc929ca3cafcef10cf387b4226e4d5f5c03b36ba1f1419bee376b71344c47b2cd96777dfec2d6c85b36ad3b9392a1afb8f5fe88078efce749c62acbb
SSDEEP

3072:lDuU38eJq4HnSMHpCyykwG1yqh9q0rkPUjtQTiCout:Me0CJHvwg9q0r+GmJoS

Score

10^/10

blackmoon banker persistence trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/1776-25-0x0000000000400000-0x0000000000440000-memory.dmp	family_blackmoon

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	bcfcd1861307ae8f017d999cb3417a4f.exe

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2964	VnrYne173.exe

Loads dropped DLL 3 IoCs

pid	Process
1776	bcfcd1861307ae8f017d999cb3417a4f.exe
1776	bcfcd1861307ae8f017d999cb3417a4f.exe
2936	rundll32.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000b000000015cbd-21.dat	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Configuring = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\259400303.txt,M"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1776	bcfcd1861307ae8f017d999cb3417a4f.exe
1776	bcfcd1861307ae8f017d999cb3417a4f.exe
1776	bcfcd1861307ae8f017d999cb3417a4f.exe
1776	bcfcd1861307ae8f017d999cb3417a4f.exe
1776	bcfcd1861307ae8f017d999cb3417a4f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2936	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 2964	1776	bcfcd1861307ae8f017d999cb3417a4f.exe	28
PID 1776 wrote to memory of 2964	1776	bcfcd1861307ae8f017d999cb3417a4f.exe	28
PID 1776 wrote to memory of 2964	1776	bcfcd1861307ae8f017d999cb3417a4f.exe	28
PID 1776 wrote to memory of 2964	1776	bcfcd1861307ae8f017d999cb3417a4f.exe	28
PID 2964 wrote to memory of 2936	2964	VnrYne173.exe	29
PID 2964 wrote to memory of 2936	2964	VnrYne173.exe	29
PID 2964 wrote to memory of 2936	2964	VnrYne173.exe	29
PID 2964 wrote to memory of 2936	2964	VnrYne173.exe	29
PID 2964 wrote to memory of 2936	2964	VnrYne173.exe	29
PID 2964 wrote to memory of 2936	2964	VnrYne173.exe	29
PID 2964 wrote to memory of 2936	2964	VnrYne173.exe	29
PID 2964 wrote to memory of 2540	2964	VnrYne173.exe	30
PID 2964 wrote to memory of 2540	2964	VnrYne173.exe	30
PID 2964 wrote to memory of 2540	2964	VnrYne173.exe	30
PID 2964 wrote to memory of 2540	2964	VnrYne173.exe	30
PID 1776 wrote to memory of 2804	1776	bcfcd1861307ae8f017d999cb3417a4f.exe	32
PID 1776 wrote to memory of 2804	1776	bcfcd1861307ae8f017d999cb3417a4f.exe	32
PID 1776 wrote to memory of 2804	1776	bcfcd1861307ae8f017d999cb3417a4f.exe	32
PID 1776 wrote to memory of 2804	1776	bcfcd1861307ae8f017d999cb3417a4f.exe	32

C:\Users\Admin\AppData\Local\Temp\bcfcd1861307ae8f017d999cb3417a4f.exe
"C:\Users\Admin\AppData\Local\Temp\bcfcd1861307ae8f017d999cb3417a4f.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
  C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\259400303.txt,M
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\259400303.bat
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\bcfcd1861307ae8f017d999cb3417a4f.exe"
  2⤵
  - Deletes itself
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259400303.bat

Filesize
132B

MD5
94c81f4fa825da5f7cd0ab04a1a57fe0

SHA1
5b47232a4a31c98c935112704c6a125a874d1a57

SHA256
413d25d0266693bcfc838d8abae2ff1990399728064f8fa486db7a4cbd2ea5bb

SHA512
a63d50b52405a8c8aeefb9db349838805ec7dd50598a5a558d923301ee00d61cc98df3fc71e716e81be38b017f0c9ee59def855e6a8a06f0d8d8c2e61c2a301c

Download Submit
C:\Users\Admin\AppData\Local\Temp\259400303.txt

Filesize
102KB

MD5
54dd2d17884c5f50cb25978e305e14e6

SHA1
9ca2c39d2ca642058403f40cda8b1c3528b5c6fc

SHA256
5a1bbafa4824802b1b54cc2ec63639e6a9153d9400b81583bffd8615676bdcd3

SHA512
aa09b91c9ac7c12176ed863f1293d265ba3b563d8dc164264c54ec6f3aceaa0bec76d9c7fa42e29d1dd0ee4bc17d4a8324940889d680e5d441e31061c32c1381

Download Submit
C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe

Filesize
18.9MB

MD5
b1b2334993eece24325c186ab054a373

SHA1
c5e0cfa8b76b30006bfe0940202f30ef5e949cff

SHA256
efad873e22fc8a13fa417e8c3dd299b70fd7d94c566ccf23ea44442cff8b2998

SHA512
1c1136a3daa03dc017792915e307a4b53927389f09defa94a4f05003ced92ebfcb83f375e1b7fa062e8ab70b86a6bbdb80c07998d03acdfbb6be12e73d1572e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe

Filesize
10.1MB

MD5
9a87c5be46b6ce8b9f05be4041f27f1d

SHA1
3c9a1cb947c9330eb02dd3d8ff91870fc704a514

SHA256
bd2c1ecbfc6a249dbab6366580a4e34880d488911d5ba3fc3ed7908118a43800

SHA512
8861551bbc44f3a0a7703feabad06d96c3c626d1065d910cfaab76ab091ed01dc4ff45b406f1182d95e7915e1251d1a5dd4880430c1688b17a7c1d7e5cb6a1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe

Filesize
8.3MB

MD5
61ba50119ec04f8533de4aff18f10957

SHA1
87e6b0e6e1618365151995c3a36dc87e04173057

SHA256
40c814efef6718f59f8281486a36a8dda83cfa499ceccad0b48dea1cad7770e7

SHA512
d6bdc550822e6f9ed87f142554fcf47f18d937e6ce54064ed40a37072e823c70e7eafcfefcb026444f5fcf3e225f9ccd6deac042b11c686bdf9f426b6bd17310

Download Submit
\Users\Admin\AppData\Local\Temp\VnrYne173.exe

Filesize
7.1MB

MD5
bb12d3340634133e17b583fa35c77b6f

SHA1
19a721d8cab79b12bfbe37f8ed2a67a4f09e89f9

SHA256
ec6a572701bd689eb3bf46a0a383fcf2f859e3d6411a69ac5f440357e6a43979

SHA512
1a4fe36856bf81d8c997f6f94b6f1bf7a39720e18d225905884315c0e3e34657c5cd8c44af7cb65716bf49d4dca729e9a3db5dddbb6d7fe9c4ace11fa06308b6

Download Submit
\Users\Admin\AppData\Local\Temp\VnrYne173.exe

Filesize
6.7MB

MD5
b12078284b477ca94a7398bcaae13bef

SHA1
6e81ab33315964cd455c7ba223ed3e7c46c59c5a

SHA256
f164c9e8edcc0ca29cdad44e769c106a714549160897853f903624c359e08bdf

SHA512
b8a365fdb6bca40b245e0ad137e83d0b9408e02abdaa381d1fc82c6b826470243df396329fd644e8f2d10a03276e1103231fc24574c5b88d91d00848aa8d4f7d

Download Submit
memory/1776-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2964-11-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/2964-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads