blackmoon | d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c

General

Target

d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe
Size

10.8MB
MD5

80c197ffef9b5b63c2dc081063fa64b2
SHA1

e3dfab32ddf92c7a4b51cdbb57b92f23c77e454d
SHA256

d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c
SHA512

20489868402c510c6f4adb0addba7f96219b1eea6974423c9b6c2aa54e9a9db8cb2ec255a01bd415e4d05dbe9beebeee38248cfbdba1243674f9e1b35c670af4
SSDEEP

196608:hrly/HDDQ32xE0LjsXkMxLJPRIGsg51CN7aeL8nDfd+n+ycjoJlcM44QdvK8Ue/M:ryhxhLjsX1xLJ57sicgeS1+nlc03f441

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016cab-35.dat	family_blackmoon

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3MIInT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\3MIInT = "C:\\ProgramData\\{2MP5fQP4Gcz0l6o26zef}\\3MIInT.exe"	3MIInT.exe

Executes dropped EXE 4 IoCs

pid	Process
2588	块手传奇【盾】.exe
2568	快手传奇【盾】.exe
2760	块手传奇【盾】.exe
2416	3MIInT.exe

Loads dropped DLL 8 IoCs

pid	Process
2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe
2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe
2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe
2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe
2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe
2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe
2588	块手传奇【盾】.exe
2416	3MIInT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2416	3MIInT.exe
2416	3MIInT.exe
2416	3MIInT.exe
2416	3MIInT.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	3MIInT.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2568	快手传奇【盾】.exe
2416	3MIInT.exe
2416	3MIInT.exe
2416	3MIInT.exe
2416	3MIInT.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2568	2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	28
PID 2916 wrote to memory of 2568	2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	28
PID 2916 wrote to memory of 2568	2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	28
PID 2916 wrote to memory of 2568	2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	28
PID 2916 wrote to memory of 2588	2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	29
PID 2916 wrote to memory of 2588	2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	29
PID 2916 wrote to memory of 2588	2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	29
PID 2916 wrote to memory of 2588	2916	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	29
PID 2588 wrote to memory of 2760	2588	块手传奇【盾】.exe	30
PID 2588 wrote to memory of 2760	2588	块手传奇【盾】.exe	30
PID 2588 wrote to memory of 2760	2588	块手传奇【盾】.exe	30
PID 2760 wrote to memory of 2416	2760	块手传奇【盾】.exe	31
PID 2760 wrote to memory of 2416	2760	块手传奇【盾】.exe	31
PID 2760 wrote to memory of 2416	2760	块手传奇【盾】.exe	31
PID 2760 wrote to memory of 2416	2760	块手传奇【盾】.exe	31

C:\Users\Admin\AppData\Local\Temp\d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe
"C:\Users\Admin\AppData\Local\Temp\d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916
- C:\ProgramData\快手传奇【盾】.exe
  "C:\ProgramData\快手传奇【盾】.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2568
- C:\ProgramData\块手传奇【盾】.exe
  "C:\ProgramData\块手传奇【盾】.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\ProgramData\块手传奇【盾】.exe
    C:\ProgramData\块手传奇【盾】.exe 490A300A560A5A0A780A650A6D0A780A6B0A670A4E0A6B0A7E0A6B0A560A710A380A470A5A0A3F0A6C0A5B0A5A0A3E0A4D0A690A700A3A0A660A3C0A650A380A3C0A700A6F0A6C0A770A560A390A470A430A430A640A5E0A-0
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\ProgramData\{2MP5fQP4Gcz0l6o26zef}\3MIInT.exe
      "C:\ProgramData\{2MP5fQP4Gcz0l6o26zef}\3MIInT.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{2MP5fQP4Gcz0l6o26zef}\3MIInT.exe

Filesize
30KB

MD5
9e80b662cc6335824592af506a46c20c

SHA1
76f447db453e28835de09f7c865f373903bb50b4

SHA256
18716cd861b4de03f9d2ea9b32c4bed8473cf7e09410d04b5bb3db70be3863c1

SHA512
ea304340afe0137f7920c4ceeb0fbe226638339ba2b0b9f742770bee49cdd8b0dea886ce47c80cd1c5840654e67ecda5c61ece09fa0a0f00176aff0c222e58ae

Download Submit
C:\ProgramData\{2MP5fQP4Gcz0l6o26zef}\3MIInT.txt

Filesize
269B

MD5
38296012d815bf39eb65962a77395abd

SHA1
f07c54d99c6a6648a086a630bdc40f2e9afcab2e

SHA256
1857e9e8c85448caaf4a0206331e1a8362987bf628bc6b4530489a58e1d379a1

SHA512
e2c109bc3bab70f7cd504b9ce10762c7444d39458fa9e1b28cc17be5dc7c3317a9d45ec0ca8dd4584b93b2e3e9b7d91fd7fef7a3027cc28d90a7372869d8b585

Download Submit
C:\ProgramData\{2MP5fQP4Gcz0l6o26zef}\ctxmui.dll

Filesize
620KB

MD5
0cb6f6e96088df211fc775308d0d3c76

SHA1
8742f2b0217c4c713f112f81897d866e6be8a895

SHA256
1275a2a6a039209d40b960d8736909867b07f8814789ed794fb7e95594a4cc60

SHA512
8992d157c9f73a4cb2586a0f9bc14c593b63b8c3ad265e446a24166104f26f2f278287191c0036ef69481d2140fdffc5296e80bc4a7365435cf160068d4a1e7e

Download Submit
\ProgramData\块手传奇【盾】.exe

Filesize
1.2MB

MD5
5515de7957086d6889f32e29022855b3

SHA1
296e06481623144908613aa78086d9f76a9f5cef

SHA256
1a91a368898eff84850aabfdc0ca57d586bad2990f5fe593096b2fdb0cef4195

SHA512
7dabf4f6b2ab8d6f31e1ded5b244c776d30ac8a0b4661ee1ffeda793e9560172218bd742b69a4d8fc0105367351c82a340a2d875647c5165da382e6e774387e6

Download Submit
\ProgramData\快手传奇【盾】.exe

Filesize
35.0MB

MD5
44fce30e45a43448fb68005516017e46

SHA1
431ac46383aa6e76324f19a3f181a47f560362c6

SHA256
55dd3f3076323a4fe4a8ff240a6259542afc5f707027e5e2a1a210ca32266288

SHA512
89f5988acada2dcb80dfee5e1e154f718e06c72fbfa33c2ff4c9cb412099cbcba402c0e6b3a8ad4881c55c16d0b6ac615aef7d38bbb1e702f5a59278a63fbfba

Download Submit
memory/2416-50-0x00000000043C0000-0x00000000044AB000-memory.dmp

Filesize
940KB

Download
memory/2416-39-0x0000000000FC0000-0x00000000010A7000-memory.dmp

Filesize
924KB

Download
memory/2416-37-0x0000000000FC0000-0x00000000010A7000-memory.dmp

Filesize
924KB

Download
memory/2416-53-0x0000000004D00000-0x0000000004E75000-memory.dmp

Filesize
1.5MB

Download
memory/2416-55-0x00000000040A0000-0x00000000042B1000-memory.dmp

Filesize
2.1MB

Download
memory/2416-56-0x0000000000DA0000-0x0000000000DF2000-memory.dmp

Filesize
328KB

Download
memory/2568-41-0x0000000010000000-0x0000000010B48000-memory.dmp

Filesize
11.3MB

Download
memory/2568-40-0x0000000010000000-0x0000000010B48000-memory.dmp

Filesize
11.3MB

Download
memory/2568-44-0x0000000010000000-0x0000000010B48000-memory.dmp

Filesize
11.3MB

Download
memory/2916-46-0x0000000003B40000-0x00000000061B3000-memory.dmp

Filesize
38.4MB

Download
memory/2916-28-0x0000000003B40000-0x00000000061B3000-memory.dmp

Filesize
38.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads