blackmoon | ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2

General

Target

ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
Size

15.4MB
MD5

23f87f4db9da43225c083271aefbc337
SHA1

95e0246ad205e61045dea39617bfca2d27f317b6
SHA256

ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2
SHA512

e4813623352478ba195590a7e9c296ead59f193523dffca8197ba77fabe676500ad85e1bd9f849a2081a8776e35733f1264628545666b877bc677d14a708aa65
SSDEEP

393216:UnaetWreNcKL2Drs9LiA+S3jHRNUO0GoU/WhonaC:YcreqKik9+i3jxQhU/6onB

Score

10^/10

blackmoon aspackv2 banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2896-1-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral1/memory/2896-2-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral1/memory/2896-3-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral1/memory/2896-8-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral1/memory/2896-9-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral1/memory/2896-10-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral1/memory/2764-48-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral1/memory/2764-45-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral1/memory/2764-44-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral1/memory/2896-43-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral1/memory/2764-46-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral1/memory/2764-77-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon
behavioral1/memory/2764-78-0x0000000000400000-0x0000000000927000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\ÖîÉñ´«Ëµ\19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe

pid process

2764 19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
Loads dropped DLL 1 IoCs

Processes:

ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe

pid process

2896 ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe

pid	process
2764	19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe

description	ioc	process
File opened (read-only)	\??\L:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\M:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\V:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\Y:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\H:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\J:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\K:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\B:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\S:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\T:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\X:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\Z:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\A:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\G:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\R:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\O:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\P:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\Q:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\U:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\W:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\E:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\I:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
File opened (read-only)	\??\N:	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe

pid	process
2896	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
2896	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
2896	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
2764	19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
2764	19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
2764	19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe

description	pid	process	target process
PID 2896 wrote to memory of 2764	2896	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe	19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
PID 2896 wrote to memory of 2764	2896	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe	19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
PID 2896 wrote to memory of 2764	2896	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe	19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
PID 2896 wrote to memory of 2764	2896	ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe	19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe

C:\Users\Admin\AppData\Local\Temp\ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
"C:\Users\Admin\AppData\Local\Temp\ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896

C:\ÖîÉñ´«Ëµ\19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
C:\ÖîÉñ´«Ëµ\19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\errorPageStrings[1]
Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MEFTDE7Q\httpErrorPagesScripts[1]
Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c0dafa2764931e74179a9ab0028cc5a.txt
Filesize
12B

MD5
2018fad0d562984421a6daedc428d0ec

SHA1
f5ef2e251a75b272770ea623cdc99742a5a04a92

SHA256
ae8a77c9bca81f3d2883066984a87213b97601be540cd1a7c8fcb8f9996367ad

SHA512
4270f94bfa1c0a9e59395a7433614db127d2fcf110c218e8b73b95413b3df358f3a53f5115089e2135935ad3b0eeddc7dd92b649082d8408c867f0ba16c3a5be

Download Submit
\ÖîÉñ´«Ëµ\19306ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
Filesize
15.4MB

MD5
23f87f4db9da43225c083271aefbc337

SHA1
95e0246ad205e61045dea39617bfca2d27f317b6

SHA256
ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2

SHA512
e4813623352478ba195590a7e9c296ead59f193523dffca8197ba77fabe676500ad85e1bd9f849a2081a8776e35733f1264628545666b877bc677d14a708aa65

Download Submit
memory/2764-48-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2764-46-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2764-78-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2764-77-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2764-44-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2764-45-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2896-0-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2896-47-0x000000000C810000-0x000000000CD37000-memory.dmp

Filesize
5.2MB

Download
memory/2896-7-0x000000000091F000-0x0000000000920000-memory.dmp

Filesize
4KB

Download
memory/2896-43-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2896-8-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2896-3-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2896-2-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2896-1-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2896-10-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/2896-9-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads