blackmoon | ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee

General

Target

ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee.exe
Size

1.9MB
MD5

b79fdfa22a1ec7d64e3475006e3355bf
SHA1

f7bf622ccb4ed8ef32dd894de9bdd408450e0ddc
SHA256

ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee
SHA512

3286d38312243b19f81112431d556a0eba03dbbc6ce9c6b09dce5d7268e50a46fa35a2e04218f6a045ab9baf5edc3aaca62cab9a5b69d87a43feb9aa937408f6
SSDEEP

24576:K3M7V45iensGYO1WVNKnXJIT/49r9L55ZsyjJMZ7NXxD+hUnbfB9gZGbx7bQr:Kx5mGYOqNKnXaT/49r92yjAdxD+uY2

Score

10^/10

blackmoon banker persistence trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012320-6.dat	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
1668	CDM.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-9-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-11-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-17-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-28-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-54-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-52-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-50-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-30-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-12-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2084-60-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÎÒµÄÆô¶¯Ïî = "C:\\CDM.exe"	CDM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2084	ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2084	ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee.exe
2084	ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee.exe
1668	CDM.exe
1668	CDM.exe
2084	ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1668	2084	ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee.exe	28
PID 2084 wrote to memory of 1668	2084	ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee.exe	28
PID 2084 wrote to memory of 1668	2084	ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee.exe	28
PID 2084 wrote to memory of 1668	2084	ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee.exe	28

C:\Users\Admin\AppData\Local\Temp\ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee.exe
"C:\Users\Admin\AppData\Local\Temp\ee82cc3d73179d2d8f94cd8bc30376af7457407e6e450b81f67aac7965a8d8ee.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\CDM.exe
  "C:\CDM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\CDM.exe

Filesize
884KB

MD5
beb1ea045490ba658f11b9f564e50068

SHA1
f59e4c154ce2a5337ee2bdd188b54d8dd9558608

SHA256
3cfdf483152500ae8c0ceae673e017450acf06e41ff3dc8fd72af1d916b61b12

SHA512
37422f122ff9616aa74f341215e4bef30b1a324fae37ce7286f53f5b656a08c909001890a3d17be00c3870393483bdcd42891094a34a05783f2537e79883fb5e

Download Submit
memory/2084-9-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-11-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-17-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-28-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-54-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-52-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-50-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-32-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-30-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-12-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2084-60-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads