blackmoon | 26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7

General

Target

26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
Size

13.7MB
MD5

f754de0303fc8630411914324e18e268
SHA1

3320bcc2ca0cda7df4663023c4f8e327ef50ba0a
SHA256

26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7
SHA512

4e05a92304a0997cd3f69cd7f9dd35840ed5fadbd9314342ce4d5b6d838f6166d093fdeed6c433274f2cd234803a1354d4710bc8a16d4e05536671232d1d8538
SSDEEP

393216:iO4kpD4W2odC5v3LhAvxrnQMrvqQaHfo8VEbE40Fmy5ST:14kpDf2R5v3LaVQayo8VEEDA

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2288-6-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2288-7-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2288-10-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2288-9-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2288-8-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2288-44-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2840-76-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2840-77-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe

pid process

2840 3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
Loads dropped DLL 1 IoCs

Processes:

26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe

pid process

2288 26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe

pid	process
2840	3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe

description	ioc	process
File opened (read-only)	\??\Q:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\G:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\I:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\J:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\L:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\M:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\P:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\V:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\Y:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\A:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\E:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\K:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\O:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\R:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\T:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\Z:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\B:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\H:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\N:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\U:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\W:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\X:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
File opened (read-only)	\??\S:	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe

pid	process
2288	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
2288	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
2288	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
2840	3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
2840	3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
2840	3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe

description	pid	process	target process
PID 2288 wrote to memory of 2840	2288	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe	3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
PID 2288 wrote to memory of 2840	2288	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe	3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
PID 2288 wrote to memory of 2840	2288	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe	3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
PID 2288 wrote to memory of 2840	2288	26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe	3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe

C:\Users\Admin\AppData\Local\Temp\26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
"C:\Users\Admin\AppData\Local\Temp\26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288

C:\9SFÔÉñÊÀ½ç\3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
C:\9SFÔÉñÊÀ½ç\3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\errorPageStrings[1]
Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OV51DDG5\httpErrorPagesScripts[1]
Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce4c9e1dbc907e4f4ae843367ca5a46e.txt
Filesize
15B

MD5
18c4ac2680305c3363812424f6e2ed39

SHA1
f332b41f5aaba3eb5061648d2ccfc768250b7a2f

SHA256
2f47ee82967feb1107747eb74e0a8937421974be0108ea03987c438cf963ee4f

SHA512
158d2383ca3cc34b4b3251201f5030b2dfd1c7244d89bd877d627dc4804e716e8ccc015febdf13e1f595ac8b0da5a2c3cbb18bf11c7bd40c8f388b17e4b70055

Download Submit
\9SFÔÉñÊÀ½ç\3852526f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7.exe
Filesize
13.7MB

MD5
f754de0303fc8630411914324e18e268

SHA1
3320bcc2ca0cda7df4663023c4f8e327ef50ba0a

SHA256
26f4213caab3e93c2d50fccc6716df2fb4e0bed666c37e2ec8142d6c176ba7d7

SHA512
4e05a92304a0997cd3f69cd7f9dd35840ed5fadbd9314342ce4d5b6d838f6166d093fdeed6c433274f2cd234803a1354d4710bc8a16d4e05536671232d1d8538

Download Submit
memory/2288-7-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2288-5-0x00000000004FF000-0x0000000000500000-memory.dmp

Filesize
4KB

Download
memory/2288-9-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2288-8-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2288-0-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2288-42-0x000000000CE40000-0x000000000D43A000-memory.dmp

Filesize
6.0MB

Download
memory/2288-44-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2288-1-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2288-41-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2288-6-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2288-10-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2840-45-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2840-76-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2840-77-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads