blackmoon | 223d98ec145c21ce9ff222008bd9ee02a8aaa146600972bf806708d9d689bef1

Analysis

max time kernel
196s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
09/03/2024, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TK014DCC9651DB453FB3D969CBD4E397_P.exe
Size

19.4MB
MD5

856cde622a9a5f5f5ac3c0414dedf113
SHA1

3f3fb2b95d557aee8b5478dbb8d7620e95bf2ef4
SHA256

223d98ec145c21ce9ff222008bd9ee02a8aaa146600972bf806708d9d689bef1
SHA512

c527d53823b7c191bbcd8be9da6863fb16d615dc9d58d97a2de50ec1e59bb0c022d5bffe957cddf7eb368e60512d40e2d5eb88b52220abed128a3fe0e9b05ba7
SSDEEP

393216:dMQgUTcSyvrTV6cjQP6uOX1r3clzzSefpaFTCHLafb4DjZ539a+24EWI84goJ:drgedyvHV6cjkTO+BvfSHfb4DjZ59a+a

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/4676-13-0x0000000000400000-0x0000000001799000-memory.dmp	family_blackmoon
behavioral1/memory/4676-14-0x0000000000400000-0x0000000001799000-memory.dmp	family_blackmoon

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	TK014DCC9651DB453FB3D969CBD4E397_P.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4676	TK014DCC9651DB453FB3D969CBD4E397_P.exe
4676	TK014DCC9651DB453FB3D969CBD4E397_P.exe

C:\Users\Admin\AppData\Local\Temp\TK014DCC9651DB453FB3D969CBD4E397_P.exe
"C:\Users\Admin\AppData\Local\Temp\TK014DCC9651DB453FB3D969CBD4E397_P.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4676-0-0x0000000010000000-0x0000000011C94000-memory.dmp

Filesize
28.6MB

Download
memory/4676-10-0x0000000010000000-0x0000000011C94000-memory.dmp

Filesize
28.6MB

Download
memory/4676-12-0x0000000010000000-0x0000000011C94000-memory.dmp

Filesize
28.6MB

Download
memory/4676-13-0x0000000000400000-0x0000000001799000-memory.dmp

Filesize
19.6MB

Download
memory/4676-14-0x0000000000400000-0x0000000001799000-memory.dmp

Filesize
19.6MB

Download