blackmoon | f85b7ecb049631b69899a069c303dc0c4f0662541449c5b960770dd683ef04a4

General

Target

f85b7ecb049631b69899a069c303dc0c4f0662541449c5b960770dd683ef04a4
Size

5.7MB
Sample

240522-r2fd2sef63
MD5

c76cf800c598cd5392733b5bd7dc443e
SHA1

ecd84981ff706f199eaf1167cd99ac356d6a39ca
SHA256

f85b7ecb049631b69899a069c303dc0c4f0662541449c5b960770dd683ef04a4
SHA512

0ec80e0f9d197fa2d57989e6cb3ffb8f44261bd2ecd2da4b597e15641e179218c46d5fc0a002075c04da946d72addaa68133661d4e1a08301bb194222c084bad
SSDEEP

98304:dPLK8ZNkZ4rk5w3k5gH5Zmj5yWf9b4TwX7ivBz+Dkkglw17HqriAKUXLFGpxDQz3:dPBZN24ACpYFJxX7ih+DkkglwZUiTqxx

Score

10^/10

Malware Config

Targets

- Target
  
  f85b7ecb049631b69899a069c303dc0c4f0662541449c5b960770dd683ef04a4
- Size
  
  5.7MB
- MD5
  
  c76cf800c598cd5392733b5bd7dc443e
- SHA1
  
  ecd84981ff706f199eaf1167cd99ac356d6a39ca
- SHA256
  
  f85b7ecb049631b69899a069c303dc0c4f0662541449c5b960770dd683ef04a4
- SHA512
  
  0ec80e0f9d197fa2d57989e6cb3ffb8f44261bd2ecd2da4b597e15641e179218c46d5fc0a002075c04da946d72addaa68133661d4e1a08301bb194222c084bad
- SSDEEP
  
  98304:dPLK8ZNkZ4rk5w3k5gH5Zmj5yWf9b4TwX7ivBz+Dkkglw17HqriAKUXLFGpxDQz3:dPBZN24ACpYFJxX7ih+DkkglwZUiTqxx
Score

10^/10

blackmoon aspackv2 banker evasion themida trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Blackmoon, KrBanker

Detect Blackmoon payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

ASPack v2.12-2.42

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2