blackmoon | 3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc

General

Target

3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe
Size

1.2MB
MD5

8e45d5b74885685ac5f2c511f735f4eb
SHA1

e21fdce2bd9df28615a95fd27ae41dd79651fb4e
SHA256

3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc
SHA512

89f169a03bfdede04c1b9deaf19b0ddb9c07d8e4884da9be6ac71c269cf34a80a2decc0bc9889e258000fb7436ce75ee67d654f6050b624068a24bb60a118d2c
SSDEEP

24576:29SErcyzkNr60OQPvHEWBunS+CjkJZ0APR58CqimX:2wEAyc205PfEWgn+jS0APr0imX

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/3060-8-0x0000000000400000-0x0000000000698000-memory.dmp	family_blackmoon
behavioral1/memory/3060-28-0x0000000000400000-0x0000000000698000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3060	IN8j0.exe

Loads dropped DLL 1 IoCs

pid	Process
1968	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1968-0-0x0000000000400000-0x00000000005B0000-memory.dmp	upx
behavioral1/files/0x000b00000001332e-3.dat	upx
behavioral1/memory/3060-8-0x0000000000400000-0x0000000000698000-memory.dmp	upx
behavioral1/memory/1968-20-0x0000000000400000-0x00000000005B0000-memory.dmp	upx
behavioral1/files/0x000300000000369f-25.dat	upx
behavioral1/memory/3060-28-0x0000000000400000-0x0000000000698000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\libexdui.dll	IN8j0.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2516	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	taskkill.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1968	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe
1968	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe
3060	IN8j0.exe
3060	IN8j0.exe
3060	IN8j0.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3060	1968	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	28
PID 1968 wrote to memory of 3060	1968	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	28
PID 1968 wrote to memory of 3060	1968	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	28
PID 1968 wrote to memory of 3060	1968	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	28
PID 1968 wrote to memory of 2644	1968	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	29
PID 1968 wrote to memory of 2644	1968	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	29
PID 1968 wrote to memory of 2644	1968	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	29
PID 1968 wrote to memory of 2644	1968	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	29
PID 2644 wrote to memory of 2516	2644	cmd.exe	31
PID 2644 wrote to memory of 2516	2644	cmd.exe	31
PID 2644 wrote to memory of 2516	2644	cmd.exe	31
PID 2644 wrote to memory of 2516	2644	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe
"C:\Users\Admin\AppData\Local\Temp\3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\IN8j0.exe
  C:\Users\Admin\AppData\Local\Temp\IN8j0.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\kill.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kill.bat

Filesize
480B

MD5
d09c296e66cec974b03e0d6afd5f626b

SHA1
393c0de371781d6f0ec4a614e63a87dd57a4e966

SHA256
9fd337ae041efb3cac823163ab72294487a16f5be87c47cab8d4504e34d4c579

SHA512
eea663ad2c4c97729d083ba67a88123e5c0059efe8561738f7c035d666cbf4e1464d23e6981a07499c596631f513482ebf9843b08cf7d2464a8dc3c83d20949c

Download Submit
C:\Users\Admin\AppData\Local\Temp\upmd5.tmp

Filesize
1.2MB

MD5
45e24fc39eb1810d1227c64b64475e8e

SHA1
02e3bb2cc72cf42734553cceda64475e6da63fb3

SHA256
74329d5b60b609bf035471141b3bb1a3fd9739045c8c589315638112b0895a77

SHA512
f9180f1c757725d5d1945311752e8fdf2d633b97c1c3e34a4e8c3368678e79aed10820b16c68031d1687e526dfd9d8eceb23a40841562f2caa1988c21f294577

Download Submit
\Users\Admin\AppData\Local\Temp\IN8j0.exe

Filesize
826KB

MD5
398d00ac77ee2774b57c6af72495446a

SHA1
f1124a84e4c04f3a5c57588dba8171b7ef4d4150

SHA256
08f9c6249f86bdc2b4846c6bb8a5b91391c3152d811efc0e586a7216cb52a193

SHA512
96bbc2328cf3447f234f252783f54778f8b158be1ea702a84e6cd394f4c12374cf680644eae524963da5f6eac2da9c200a27cf65246fde857a46ae2874f92324

Download Submit
memory/1968-0-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/1968-7-0x00000000020F0000-0x0000000002388000-memory.dmp

Filesize
2.6MB

Download
memory/1968-20-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/3060-8-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3060-22-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/3060-23-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3060-24-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/3060-28-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing