blackmoon | d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25

General

Target

d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
Size

11.2MB
MD5

e25b344940a9a24c6902029cac4f2198
SHA1

2a8644b9271c07e13879baa19ec6de6cd126b44b
SHA256

d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25
SHA512

afb4cf8c8a590fde3e3ed43323e13c31ea2d49915f30a0f50cc8c07964fe6711341af2e934ec820b236c7e9d77b59c53a9e4a5304df2b0592cc62f1491584a39
SSDEEP

196608:PYPDPyJZkHkNcwyi465hb5zqU2I9h655XqzduMaVW5ckj0Ryl/h80Jki:gPDPgkHkmE555eU7R+w44h80Wi

Score

10^/10

blackmoon aspackv2 banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3620-2-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/3620-1-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/3620-3-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/3620-21-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/2176-19-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/2176-20-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/2176-18-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/2176-50-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Ñ³µÀY\16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe

pid process

2176 16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe

pid	process
2176	16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe

description	ioc	process
File opened (read-only)	\??\X:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\J:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\L:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\O:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\U:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\V:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\A:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\M:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\Y:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\T:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\B:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\H:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\N:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\Q:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\R:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\S:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\W:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\Z:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\E:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\G:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\I:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\K:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
File opened (read-only)	\??\P:	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe

pid	process
3620	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
3620	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
3620	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
2176	16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
2176	16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
2176	16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe

description	pid	process	target process
PID 3620 wrote to memory of 2176	3620	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe	16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
PID 3620 wrote to memory of 2176	3620	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe	16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
PID 3620 wrote to memory of 2176	3620	d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe	16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe

C:\Users\Admin\AppData\Local\Temp\d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
"C:\Users\Admin\AppData\Local\Temp\d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3620

C:\Ñ³µÀY\16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
C:\Ñ³µÀY\16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50c5bfa3268adc0d15c79c67a3bfb13c.txt
Filesize
9B

MD5
3ea993015710393cc0bdf6f46f2ec880

SHA1
257dbfa1cc95eece12e41b3cbf78d1a31c52bad3

SHA256
61a4ff8e9f4db068dff802dc2094162b82683da663d36a8b51a447aecc196554

SHA512
46952503e2e5e901af0af90c238437cab45ccf27fc54120e9a316631fef58af88424da1def5f82d74bbded9baf59af8fc638942d2e751e0a915a6a164e5aef35

Download Submit
C:\Ñ³µÀY\16031d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25.exe
Filesize
11.2MB

MD5
e25b344940a9a24c6902029cac4f2198

SHA1
2a8644b9271c07e13879baa19ec6de6cd126b44b

SHA256
d7fef5c1f77aada2389174feb94c2cebcd0466b07148c8f5ea9e1ac50014dc25

SHA512
afb4cf8c8a590fde3e3ed43323e13c31ea2d49915f30a0f50cc8c07964fe6711341af2e934ec820b236c7e9d77b59c53a9e4a5304df2b0592cc62f1491584a39

Download Submit
memory/2176-50-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2176-18-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2176-20-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2176-19-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2176-16-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3620-7-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/3620-0-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3620-21-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3620-8-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download
memory/3620-9-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/3620-3-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3620-1-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3620-2-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads