blackmoon | cb90401e5372abf32cf1e0a44139cad63cd16e853a89fd617d9b098a18c45ff4

Analysis

max time kernel
90s
max time network
99s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
10/05/2024, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb90401e5372abf32cf1e0a44139cad63cd16e853a89fd617d9b098a18c45ff4.exe
Size

836KB
MD5

61f58076832d097fbbae4752f7ee5732
SHA1

941b45dd4297cc910134fc45889d6b47637eda77
SHA256

cb90401e5372abf32cf1e0a44139cad63cd16e853a89fd617d9b098a18c45ff4
SHA512

5059756a46a9c1300c6f9ec48ab2fa6f6371d19566fc946b197526fff4ea2162b14ab30d0d930dca27a85687ba1398ca92e2b78a6b6c760e43d3afe0de1ecb3d
SSDEEP

24576:TFYLJfZXhoXnH0WahXUvK3QyOOrTxW7+EmTRR3QtgGxLWv2Pxw:TSBLA3P2

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/1856-0-0x0000000000400000-0x00000000004EB000-memory.dmp	family_blackmoon

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cb90401e5372abf32cf1e0a44139cad63cd16e853a89fd617d9b098a18c45ff4.exe	cb90401e5372abf32cf1e0a44139cad63cd16e853a89fd617d9b098a18c45ff4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CB90401E5372ABF32CF1E0A44139CAD63CD16E853A89FD617D9B098A18C45FF4.EXE	cb90401e5372abf32cf1e0a44139cad63cd16e853a89fd617d9b098a18c45ff4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	cb90401e5372abf32cf1e0a44139cad63cd16e853a89fd617d9b098a18c45ff4.exe
Token: SeBackupPrivilege	1856	cb90401e5372abf32cf1e0a44139cad63cd16e853a89fd617d9b098a18c45ff4.exe
Token: SeRestorePrivilege	1856	cb90401e5372abf32cf1e0a44139cad63cd16e853a89fd617d9b098a18c45ff4.exe

C:\Users\Admin\AppData\Local\Temp\cb90401e5372abf32cf1e0a44139cad63cd16e853a89fd617d9b098a18c45ff4.exe
"C:\Users\Admin\AppData\Local\Temp\cb90401e5372abf32cf1e0a44139cad63cd16e853a89fd617d9b098a18c45ff4.exe"
1⤵
- Sets file execution options in registry
- Suspicious use of AdjustPrivilegeToken
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1856-0-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1856-1-0x000000006F160000-0x000000006F170000-memory.dmp

Filesize
64KB

Download
memory/1856-4-0x0000000077175000-0x0000000077176000-memory.dmp

Filesize
4KB

Download
memory/1856-3-0x0000000077174000-0x0000000077175000-memory.dmp

Filesize
4KB

Download
memory/1856-2-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads