blackmoon | 60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901

General

Target

60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
Size

15.4MB
MD5

6c383722ad1c17ca56ec68423b58164f
SHA1

770a9217fd95d2fb5346f46d114ba9bf7dc75cb3
SHA256

60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901
SHA512

0e3f9afc8d9983816d56bb93cb1a03c024e83aa3ead68d6611867570bdd127d4c2ac2b8c00c1d29332004de15098dee4ea1cae7c6202cf2c17d595b419b4296e
SSDEEP

393216:gPDPKFpGNvnodC5/3LhAvxvkKL0+8zFf32YJzW1aJ:YSFpGZR5/3LaVkoYh2YJW10

Score

10^/10

blackmoon aspackv2 banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2996-2-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2996-1-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2996-3-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2996-8-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2996-11-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2996-10-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2996-9-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2996-12-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2892-24-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2892-25-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2996-22-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2892-26-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2892-30-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2892-32-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2892-58-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2892-60-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\9SFÍò½çÄ§Ö÷\4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe

pid process

2892 4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
Loads dropped DLL 1 IoCs

Processes:

60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe

pid process

2996 60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe

pid	process
2892	4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe

description	ioc	process
File opened (read-only)	\??\I:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\T:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\V:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\W:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\A:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\G:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\K:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\L:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\N:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\O:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\Q:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\S:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\B:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\R:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\U:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\M:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\H:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\J:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\P:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\X:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\Y:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\Z:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
File opened (read-only)	\??\E:	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe

pid	process
2996	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
2996	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
2996	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
2892	4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
2892	4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
2892	4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe

description	pid	process	target process
PID 2996 wrote to memory of 2892	2996	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe	4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
PID 2996 wrote to memory of 2892	2996	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe	4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
PID 2996 wrote to memory of 2892	2996	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe	4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
PID 2996 wrote to memory of 2892	2996	60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe	4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe

C:\Users\Admin\AppData\Local\Temp\60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
"C:\Users\Admin\AppData\Local\Temp\60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996

C:\9SFÍò½çÄ§Ö÷\4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
C:\9SFÍò½çÄ§Ö÷\4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12dbfc28a8a34a98a84a0db77a8f2134.txt
Filesize
15B

MD5
bc39f4faa60ec6b3a3fc283a05984747

SHA1
c5c8d1faabdc13e1f7db6399d36ec9cf48ccd45a

SHA256
e7acdccd5bc382a74ea1b9a5da5a4b76cc268df250d27f29b5967c0dbbccc4ca

SHA512
100af08b64c2aa1b2021be03707a8d4e1f462a39b8b31da38c860f9d5e513f5ee43535b5425d2e2070ff2df52d61515166f58ce97b0ecb56aad4a8cc5e58b343

Download Submit
\9SFÍò½çÄ§Ö÷\4268060afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901.exe
Filesize
15.4MB

MD5
6c383722ad1c17ca56ec68423b58164f

SHA1
770a9217fd95d2fb5346f46d114ba9bf7dc75cb3

SHA256
60afa1da090d4ae091c03c92cae5e2f59753bd3236968bccc7998efd1f651901

SHA512
0e3f9afc8d9983816d56bb93cb1a03c024e83aa3ead68d6611867570bdd127d4c2ac2b8c00c1d29332004de15098dee4ea1cae7c6202cf2c17d595b419b4296e

Download Submit
memory/2892-23-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2892-24-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2892-60-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2892-58-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2892-32-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2892-30-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2892-26-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2892-25-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2996-20-0x000000000B9C0000-0x000000000BEE6000-memory.dmp

Filesize
5.1MB

Download
memory/2996-3-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2996-1-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2996-12-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2996-22-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2996-0-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2996-9-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2996-10-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2996-11-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2996-2-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2996-8-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2996-7-0x000000000091E000-0x000000000091F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads