blackmoon | cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38

General

Target

cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe
Size

11.6MB
MD5

21969d0786176e7e9efb43f9fe28096e
SHA1

f71e8ec275db33454bd40ed12b6f2fefb2485b9a
SHA256

cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38
SHA512

a3e3a3c08c3620e8d921af4c09e9625962cd15a5b5c32350c04be6809781a18ef698a14d6204994977b5e1219e8e6640d0f50140107aa4e83dc6fba581b31999
SSDEEP

196608:7Mls/Ke1jEMLnza8a2fO7bOZyvSGA+6btIMrbht+8d/IxhiA+LPycfE3Oc:7GwKe1jEMHwQOQOnh01rbzRd/IxhiA+W

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3436-12-0x0000000000400000-0x0000000001C56000-memory.dmp	family_blackmoon
behavioral2/memory/3436-9-0x0000000000400000-0x0000000001C56000-memory.dmp	family_blackmoon
behavioral2/memory/3436-17-0x0000000000400000-0x0000000001C56000-memory.dmp	family_blackmoon
C:\Windows\components\xa.dll	family_blackmoon
behavioral2/memory/3436-37-0x0000000000400000-0x0000000001C56000-memory.dmp	family_blackmoon
behavioral2/memory/3436-40-0x0000000000400000-0x0000000001C56000-memory.dmp	family_blackmoon
behavioral2/memory/3436-41-0x0000000000400000-0x0000000001C56000-memory.dmp	family_blackmoon

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe

pid	process
3436	cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe
3436	cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe

Drops file in Windows directory 1 IoCs

Processes:

cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe

description ioc process

File created C:\Windows\components\xa.dll cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe

description	ioc	process
File created	C:\Windows\components\xa.dll	cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe

pid	process
3436	cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe
3436	cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe

description pid process

Token: SeDebugPrivilege 3436 cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe

description	pid	process
Token: SeDebugPrivilege	3436	cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe

pid	process
3436	cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe
3436	cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.execmd.exe

description	pid	process	target process
PID 3436 wrote to memory of 2300	3436	cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe	cmd.exe
PID 3436 wrote to memory of 2300	3436	cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe	cmd.exe
PID 3436 wrote to memory of 2300	3436	cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe	cmd.exe
PID 2300 wrote to memory of 2624	2300	cmd.exe	cmd.exe
PID 2300 wrote to memory of 2624	2300	cmd.exe	cmd.exe
PID 2300 wrote to memory of 2624	2300	cmd.exe	cmd.exe
PID 2300 wrote to memory of 4468	2300	cmd.exe	cacls.exe
PID 2300 wrote to memory of 4468	2300	cmd.exe	cacls.exe
PID 2300 wrote to memory of 4468	2300	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe
"C:\Users\Admin\AppData\Local\Temp\cb4b93e2ac4c4e80248665b05bcd348a35218812766bd9502016e46263bc0f38.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y| cacls C:\Windows\components\* /p everyone:f
2⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2624

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\components\* /p everyone:f
3⤵
PID:4468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\components\xa.dll
Filesize
356KB

MD5
23a8a0142c2749092fe3ae90e724150e

SHA1
e0b97c05813f20ff00a513457d4b167001ff010c

SHA256
25f7a9598b8159c6461c7ee5a716701b6779a87411afdc86a3efd8acb79289fb

SHA512
775d064707923116f8ee32e66bd4f6c8598c618a5e4f6fffad7b387134c48c266bd356d97873dc151fc2f97a7bc5121cf6339218dd6366b38f60679ca3610cc4

Download Submit
memory/3436-34-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-6-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/3436-7-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/3436-0-0x0000000000D3E000-0x00000000010B9000-memory.dmp

Filesize
3.5MB

Download
memory/3436-5-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/3436-33-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-3-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/3436-2-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/3436-12-0x0000000000400000-0x0000000001C56000-memory.dmp

Filesize
24.3MB

Download
memory/3436-9-0x0000000000400000-0x0000000001C56000-memory.dmp

Filesize
24.3MB

Download
memory/3436-13-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/3436-17-0x0000000000400000-0x0000000001C56000-memory.dmp

Filesize
24.3MB

Download
memory/3436-20-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-36-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-35-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-1-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/3436-40-0x0000000000400000-0x0000000001C56000-memory.dmp

Filesize
24.3MB

Download
memory/3436-8-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3436-4-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/3436-32-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-31-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-30-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-29-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-28-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-27-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-26-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-25-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-24-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-23-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-22-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-21-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-19-0x0000000008560000-0x0000000008594000-memory.dmp

Filesize
208KB

Download
memory/3436-39-0x0000000000D3E000-0x00000000010B9000-memory.dmp

Filesize
3.5MB

Download
memory/3436-37-0x0000000000400000-0x0000000001C56000-memory.dmp

Filesize
24.3MB

Download
memory/3436-41-0x0000000000400000-0x0000000001C56000-memory.dmp

Filesize
24.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads