blackmoon | 3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc

General

Target

3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe
Size

1.2MB
MD5

8e45d5b74885685ac5f2c511f735f4eb
SHA1

e21fdce2bd9df28615a95fd27ae41dd79651fb4e
SHA256

3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc
SHA512

89f169a03bfdede04c1b9deaf19b0ddb9c07d8e4884da9be6ac71c269cf34a80a2decc0bc9889e258000fb7436ce75ee67d654f6050b624068a24bb60a118d2c
SSDEEP

24576:29SErcyzkNr60OQPvHEWBunS+CjkJZ0APR58CqimX:2wEAyc205PfEWgn+jS0APr0imX

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00050000000006ef-9.dat	family_blackmoon
behavioral2/memory/3152-23-0x0000000000400000-0x0000000000698000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
3152	RCZrB.exe

Loads dropped DLL 1 IoCs

pid	Process
3152	RCZrB.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4860-0-0x0000000000400000-0x00000000005B0000-memory.dmp	upx
behavioral2/files/0x000800000001db0e-4.dat	upx
behavioral2/memory/3152-6-0x0000000000400000-0x0000000000698000-memory.dmp	upx
behavioral2/memory/4860-15-0x0000000000400000-0x00000000005B0000-memory.dmp	upx
behavioral2/files/0x0003000000000715-20.dat	upx
behavioral2/memory/3152-23-0x0000000000400000-0x0000000000698000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\libexdui.dll	RCZrB.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3624	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	taskkill.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4860	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe
4860	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe
3152	RCZrB.exe
3152	RCZrB.exe
3152	RCZrB.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 3152	4860	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	85
PID 4860 wrote to memory of 3152	4860	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	85
PID 4860 wrote to memory of 3152	4860	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	85
PID 4860 wrote to memory of 2484	4860	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	86
PID 4860 wrote to memory of 2484	4860	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	86
PID 4860 wrote to memory of 2484	4860	3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe	86
PID 2484 wrote to memory of 3624	2484	cmd.exe	88
PID 2484 wrote to memory of 3624	2484	cmd.exe	88
PID 2484 wrote to memory of 3624	2484	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe
"C:\Users\Admin\AppData\Local\Temp\3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Local\Temp\RCZrB.exe
  C:\Users\Admin\AppData\Local\Temp\RCZrB.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kill.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 3a35a388c61fff187331ea105d0cae1b88e9f2a1d23abe1ab6a170cb350623fc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RCZrB.exe

Filesize
826KB

MD5
c65662bfa247b7f35030ef5e2ae66386

SHA1
e9c1a8972b36420d87abb50154782b6cbb475cd5

SHA256
ea7ae01d900e1a6d936aa4b786c37d9254b5fa022b915486c784d6c6ed4cbb9f

SHA512
27c6d38a06a49f0ae3bb8f3e5acab20d8e687d3fcaee4dd08ab1c22dba97b0fd107270d672e1c82efe5eb39a01d0771bcd8a187e5fbe36835394719d4ae75300

Download Submit
C:\Users\Admin\AppData\Local\Temp\kill.bat

Filesize
480B

MD5
d09c296e66cec974b03e0d6afd5f626b

SHA1
393c0de371781d6f0ec4a614e63a87dd57a4e966

SHA256
9fd337ae041efb3cac823163ab72294487a16f5be87c47cab8d4504e34d4c579

SHA512
eea663ad2c4c97729d083ba67a88123e5c0059efe8561738f7c035d666cbf4e1464d23e6981a07499c596631f513482ebf9843b08cf7d2464a8dc3c83d20949c

Download Submit
C:\Users\Admin\AppData\Local\Temp\upmd5.tmp

Filesize
1.2MB

MD5
147fc364b144503cc49afe4ded30b206

SHA1
70d8d18ef141971416eecfebe993fb98ee06e426

SHA256
5e3fd7a560197246e9f3bf26714985261ce40d649e19b62e103c9cf3e0c1c2f6

SHA512
a6b9003e7ba19ab788dc3b57a6ec3ad42959e9159bd80f06d5743ff4523c473ff680bab52b7f08d4408e229cefab365e6cae94073721273ef54ea6a3ebfa7007

Download Submit
C:\Windows\libexdui.dll

Filesize
660KB

MD5
edb2ae3f3a41f5e9939ab13b14231049

SHA1
dd72537627466033192d6ff3a7c65c515cf6df31

SHA256
d470bea39a4d942afe3789a4d8d90f6152b00b5bb2cc3f1bcff013da7cbaf061

SHA512
35f777e97fed4b082f64f288f0b822c7a57d09176bf5ba7bdfe2e9b2dc8444302451019e77c0b8c950c01389f56acc1216da1d88ca089694ba58103af06c2b8c

Download Submit
memory/3152-6-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3152-17-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/3152-18-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/3152-19-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/3152-23-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/4860-0-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/4860-15-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing