blackmoon | 7fb6311af5551e178515d8ec3127c90afa9c2deb5376ba0f8a30980d213719f1

General

Target

ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Size

380KB
MD5

ffc6f59282bd9f74a606023447d1fe10
SHA1

43c575deeb1b9ef3eebccc5f137e7ad41a44043a
SHA256

7fb6311af5551e178515d8ec3127c90afa9c2deb5376ba0f8a30980d213719f1
SHA512

9e7eb6825667e7ec8ee938ee8a85cb99a00522211f2f2aac5d6288acce90e9e1963e0f7d1ec3a9ed8be942d7e911576bbbd449f4f86174416d5a5f175989870b
SSDEEP

6144:bzYwwTDaRFpzA0+NVweuGCE9G2+E7fXyEWTLgWq/taluBkdGwxXCe6Nq3FgD3ZEB:bzYwYDa3S0+NVweuGCk/4gWqgluBZw1D

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2392-0-0x0000000000570000-0x000000000059E000-memory.dmp	family_blackmoon
behavioral1/memory/2392-7-0x0000000000570000-0x000000000059E000-memory.dmp	family_blackmoon
behavioral1/memory/2516-8-0x0000000001FE0000-0x000000000200E000-memory.dmp	family_blackmoon
behavioral1/memory/2516-15-0x0000000001FE0000-0x000000000200E000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2712 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

HemsVNksBnB.exeHemsVNksBnB.exe

pid process

2516 HemsVNksBnB.exe
2564 HemsVNksBnB.exe
Loads dropped DLL 2 IoCs

Processes:

ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exeHemsVNksBnB.exe

pid process

2392 ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
2516 HemsVNksBnB.exe

pid	process
2712	cmd.exe

pid	process
2516	HemsVNksBnB.exe
2564	HemsVNksBnB.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2564-16-0x00000000002A0000-0x00000000002AB000-memory.dmp	upx
behavioral1/memory/2564-17-0x0000000001EB0000-0x0000000001EBB000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

HemsVNksBnB.exeffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\system32\HemsVNksBnB.exe	HemsVNksBnB.exe
File created	C:\Windows\SysWOW64\HemsVNksBnB.exe	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\HemsVNksBnB.exe	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
File created	C:\Windows\system32\HemsVNksBnB.exe	HemsVNksBnB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3048 PING.EXE

pid	process
3048	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exeHemsVNksBnB.exeHemsVNksBnB.exe

pid	process
2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
2516	HemsVNksBnB.exe
2516	HemsVNksBnB.exe
2516	HemsVNksBnB.exe
2516	HemsVNksBnB.exe
2516	HemsVNksBnB.exe
2564	HemsVNksBnB.exe
2564	HemsVNksBnB.exe
2564	HemsVNksBnB.exe
2564	HemsVNksBnB.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe

pid process

2392 ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe

description	pid	process
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exeHemsVNksBnB.exeHemsVNksBnB.exe

pid process

2392 ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
2516 HemsVNksBnB.exe
2564 HemsVNksBnB.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.execmd.exeHemsVNksBnB.exe

description	pid	process	target process
PID 2392 wrote to memory of 2516	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe	HemsVNksBnB.exe
PID 2392 wrote to memory of 2516	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe	HemsVNksBnB.exe
PID 2392 wrote to memory of 2516	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe	HemsVNksBnB.exe
PID 2392 wrote to memory of 2516	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe	HemsVNksBnB.exe
PID 2392 wrote to memory of 2712	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe	cmd.exe
PID 2392 wrote to memory of 2712	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe	cmd.exe
PID 2392 wrote to memory of 2712	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe	cmd.exe
PID 2392 wrote to memory of 2712	2392	ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe	cmd.exe
PID 2712 wrote to memory of 3048	2712	cmd.exe	PING.EXE
PID 2712 wrote to memory of 3048	2712	cmd.exe	PING.EXE
PID 2712 wrote to memory of 3048	2712	cmd.exe	PING.EXE
PID 2712 wrote to memory of 3048	2712	cmd.exe	PING.EXE
PID 2516 wrote to memory of 2564	2516	HemsVNksBnB.exe	HemsVNksBnB.exe
PID 2516 wrote to memory of 2564	2516	HemsVNksBnB.exe	HemsVNksBnB.exe
PID 2516 wrote to memory of 2564	2516	HemsVNksBnB.exe	HemsVNksBnB.exe
PID 2516 wrote to memory of 2564	2516	HemsVNksBnB.exe	HemsVNksBnB.exe

C:\Users\Admin\AppData\Local\Temp\ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ffc6f59282bd9f74a606023447d1fe10_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\HemsVNksBnB.exe
-auto C:\Windows\system32\\HemsVNksBnB.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\system32\HemsVNksBnB.exe
-troj
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\HemsVNksBnB.exe

Filesize
380KB

MD5
ffc6f59282bd9f74a606023447d1fe10

SHA1
43c575deeb1b9ef3eebccc5f137e7ad41a44043a

SHA256
7fb6311af5551e178515d8ec3127c90afa9c2deb5376ba0f8a30980d213719f1

SHA512
9e7eb6825667e7ec8ee938ee8a85cb99a00522211f2f2aac5d6288acce90e9e1963e0f7d1ec3a9ed8be942d7e911576bbbd449f4f86174416d5a5f175989870b

Download Submit
memory/2392-0-0x0000000000570000-0x000000000059E000-memory.dmp

Filesize
184KB

Download
memory/2392-6-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2392-7-0x0000000000570000-0x000000000059E000-memory.dmp

Filesize
184KB

Download
memory/2516-8-0x0000000001FE0000-0x000000000200E000-memory.dmp

Filesize
184KB

Download
memory/2516-15-0x0000000001FE0000-0x000000000200E000-memory.dmp

Filesize
184KB

Download
memory/2564-16-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/2564-17-0x0000000001EB0000-0x0000000001EBB000-memory.dmp

Filesize
44KB

Download
memory/2564-18-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads