blackmoon | b9eed45780779e62c7a1925766ebfba99724aef89f14e7e36bb3634f1513545c | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7

b9eed45780...5c.exe

windows7-x64

b9eed45780...5c.exe

windows10-2004-x64

Sharing

General

Target

b9eed45780779e62c7a1925766ebfba99724aef89f14e7e36bb3634f1513545c
Size

3.4MB
Sample

240417-l3xf3abe93
MD5

122bc8a870cb17fdb8f326d03770d80e
SHA1

f863dc5cc07b885fb5d4a39bbcdf35e8890af765
SHA256

b9eed45780779e62c7a1925766ebfba99724aef89f14e7e36bb3634f1513545c
SHA512

239955042da349881c31bf7d357750501954f1c61e27542f55cde61b866fe83363a784414908bff37ec4cded33470d78456bb2af7f958e860dd2a0c983087bb1
SSDEEP

98304:jWiD4pvFeiye1JCCXeyY2RBkzjxtFj0JhYA:jNcpvF3ye1JJM2OxjjaY

Score

10^/10

blackmoon banker persistence trojan vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

b9eed45780779e62c7a1925766ebfba99724aef89f14e7e36bb3634f1513545c.exe

Resource

win7-20240221-en

blackmoon banker persistence trojan vmprotect

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

b9eed45780779e62c7a1925766ebfba99724aef89f14e7e36bb3634f1513545c.exe

Resource

win10v2004-20240226-en

blackmoon banker persistence trojan vmprotect

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  b9eed45780779e62c7a1925766ebfba99724aef89f14e7e36bb3634f1513545c
- Size
  
  3.4MB
- MD5
  
  122bc8a870cb17fdb8f326d03770d80e
- SHA1
  
  f863dc5cc07b885fb5d4a39bbcdf35e8890af765
- SHA256
  
  b9eed45780779e62c7a1925766ebfba99724aef89f14e7e36bb3634f1513545c
- SHA512
  
  239955042da349881c31bf7d357750501954f1c61e27542f55cde61b866fe83363a784414908bff37ec4cded33470d78456bb2af7f958e860dd2a0c983087bb1
- SSDEEP
  
  98304:jWiD4pvFeiye1JCCXeyY2RBkzjxtFj0JhYA:jNcpvF3ye1JJM2OxjjaY
Score

10^/10

blackmoon banker persistence trojan vmprotect
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerpersistencetrojanvmprotect

behavioral2

blackmoonbankerpersistencetrojanvmprotect

© 2018-2025

Terms | Privacy