blackmoon | b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e

General

Target

b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e.exe
Size

14.0MB
MD5

230eb730fabea981ed415196ff515074
SHA1

d91ffca5f97e8189d103a6509411ca4a0ac1b962
SHA256

b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e
SHA512

8d962c0cf808fe865c837145ceb3fe01e277d21bdad9d1cbf56184d2aebb66c453a3562396cc7cadaf872f58d8a6186aeebffb14c85ce9f9696f35f646da44b6
SSDEEP

393216:AZVz+7klbx2ZIDw3rth5jOWbjMFgXnU7sElly:AZg7oPDEPsWbjtXnas

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\龍腾江湖.exe	family_blackmoon

Executes dropped EXE 2 IoCs

Processes:

2YexKmOS9WeyT3l.exe龍腾江湖.exe

pid process

2064 2YexKmOS9WeyT3l.exe
3180 龍腾江湖.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2YexKmOS9WeyT3l.exe

pid process

2064 2YexKmOS9WeyT3l.exe
2064 2YexKmOS9WeyT3l.exe
2064 2YexKmOS9WeyT3l.exe
2064 2YexKmOS9WeyT3l.exe
2064 2YexKmOS9WeyT3l.exe
2064 2YexKmOS9WeyT3l.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

2YexKmOS9WeyT3l.exe龍腾江湖.exe

pid process

2064 2YexKmOS9WeyT3l.exe
3180 龍腾江湖.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

2YexKmOS9WeyT3l.exe龍腾江湖.exe

pid process

2064 2YexKmOS9WeyT3l.exe
3180 龍腾江湖.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

龍腾江湖.exe

pid process

3180 龍腾江湖.exe
3180 龍腾江湖.exe
3180 龍腾江湖.exe
3180 龍腾江湖.exe

pid	process
2064	2YexKmOS9WeyT3l.exe
3180	龍腾江湖.exe

pid	process
2064	2YexKmOS9WeyT3l.exe
2064	2YexKmOS9WeyT3l.exe
2064	2YexKmOS9WeyT3l.exe
2064	2YexKmOS9WeyT3l.exe
2064	2YexKmOS9WeyT3l.exe
2064	2YexKmOS9WeyT3l.exe

pid	process
2064	2YexKmOS9WeyT3l.exe
3180	龍腾江湖.exe

pid	process
2064	2YexKmOS9WeyT3l.exe
3180	龍腾江湖.exe

pid	process
3180	龍腾江湖.exe
3180	龍腾江湖.exe
3180	龍腾江湖.exe
3180	龍腾江湖.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e.exe

description	pid	process	target process
PID 3560 wrote to memory of 2064	3560	b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e.exe	2YexKmOS9WeyT3l.exe
PID 3560 wrote to memory of 2064	3560	b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e.exe	2YexKmOS9WeyT3l.exe
PID 3560 wrote to memory of 2064	3560	b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e.exe	2YexKmOS9WeyT3l.exe
PID 3560 wrote to memory of 3180	3560	b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e.exe	龍腾江湖.exe
PID 3560 wrote to memory of 3180	3560	b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e.exe	龍腾江湖.exe
PID 3560 wrote to memory of 3180	3560	b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e.exe	龍腾江湖.exe

C:\Users\Admin\AppData\Local\Temp\b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e.exe
"C:\Users\Admin\AppData\Local\Temp\b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Admin\AppData\Local\Temp\ytool\2YexKmOS9WeyT3l.exe
"C:\Users\Admin\AppData\Local\Temp\b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e.exe" "C:\Users\Admin\AppData\Local\Temp\b6d483bd126006d04b41fc22a65fe2aac865b3a8428ba6268167ebabcdcc0a1e.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2064

C:\Users\Admin\AppData\Local\Temp\龍腾江湖.exe
"C:\Users\Admin\AppData\Local\Temp\龍腾江湖.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3180

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
Filesize
316B

MD5
5016065c19aab2e6adfaa4c75a91b634

SHA1
d7c7a9cf7a102a1b66879208b14e8bd7c2d5dcc6

SHA256
0e362ff563da79f3ac3283e783f268f91e7ed41443e39167bd1a7c47d3b0652b

SHA512
ae85fa1c1a595e4c76c298068ce932469c65351bcb4e55034c1bd3fb33c6d2a459e75d2c866689712dde53d9f217960df4c846fd701bd6d2f9bbb2803039fc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
Filesize
658B

MD5
a190bf9d4735d6e6b2d783aa73394a9d

SHA1
df3c863813eb54ac76f7f66d7e4dfc7c9d4400b0

SHA256
506c467cd61903683bb103b023dbfe46d22fded5bd18c94afbdfbff5aace2c97

SHA512
da1a9f5a3d7d99c27a41d60a8c8c8a0af95ba702104ecfb864de0522d969a227b2787a1bfd22b6e538b7e2c2faa7c76958a4aedaa379b9bdbd510bbb5de9109b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
Filesize
6KB

MD5
16c62f7be0805af8efaa18ab8e5408f5

SHA1
c8676dfe87a2bba8fd64b83ec287b49b7afcf72e

SHA256
e0beda8d55912fc160786f7284434a88b612fed61052d4daaeb900d054077ff3

SHA512
db6dd45502b95d8c4c756a0d101cea1ab370c042ff3b69374d2893b9711e35ddac5cab6bf0b0db1ac80e206faac76a084e2527c957e0f2490dda647745d0b846

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\2YexKmOS9WeyT3l.exe
Filesize
5.7MB

MD5
9bb3207279960ff22efa8de7ee2baf48

SHA1
1ee4e546eb13d15891dd408b95e7b95c4600e2ab

SHA256
683557b0b0de9ff6f461c29241f7aedca31fa7a3d19e7997e150dad4fd708073

SHA512
cdff330ca66f3727e464a07319989d02992bbf02813e7524326ef5ea8da53e6cd70a14eecb9cf28744172b7ae528df0013942206ab3f7e8a192d587352507058

Download Submit
C:\Users\Admin\AppData\Local\Temp\龍腾江湖.exe
Filesize
5.4MB

MD5
3894bea30d39768f2362cec512e6b44c

SHA1
9bb47a10bcdc8c531dd4bdef5d2f20bffac02b39

SHA256
d163c824d15be9b20e1638f373478127daa0905ad1208375edaf79c84c0d0161

SHA512
b3318b41dd2d622a036b851d73aefed26b72dd4dbb232e6ede3774cf912a984255f4a49bd6e6f23d123b55b7d59b159ecd264864155930c4c82ef532aa6dbf35

Download Submit

Analysis

Sharing