blackmoon | 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817

General

Target

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Size

9.5MB
MD5

7757ee8cf24323b67fb5a40802fb2f36
SHA1

8e9625603b39809eeadcc68ff533c1fe9a7ed010
SHA256

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817
SHA512

ed49d5f68be598e88bd56985ce0cd806b098b487337e04173773f8c90d5a7be608f856e17af1a8126c2b44bbf76e744ee3bec0f32cfd7e95dc04a70e67b01c21
SSDEEP

196608:ZjVJcDKlFBqkwDxURK8vyqByLdlf3hRQIgLKNc:ZxODKlFBqHayOclfhRQIG2c

Score

10^/10

blackmoon banker spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	family_blackmoon
\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\ÀíÏëÄ§Óò.exe	family_blackmoon

Executes dropped EXE 2 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exeÀíÏëÄ§Óò.exe

pid process

2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2848 ÀíÏëÄ§Óò.exe

Loads dropped DLL 3 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

pid	process
2744	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2744	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2892	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

description	pid	process
Token: SeDebugPrivilege	2744	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Token: SeDebugPrivilege	2744	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Token: SeDebugPrivilege	2892	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Token: SeDebugPrivilege	2892	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Token: SeDebugPrivilege	2892	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

pid	process
2892	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2744	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

pid	process
2892	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2744	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exeÀíÏëÄ§Óò.exe

pid	process
2744	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2892	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2848	ÀíÏëÄ§Óò.exe
2848	ÀíÏëÄ§Óò.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

description	pid	process	target process
PID 2744 wrote to memory of 2892	2744	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
PID 2744 wrote to memory of 2892	2744	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
PID 2744 wrote to memory of 2892	2744	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
PID 2744 wrote to memory of 2892	2744	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
PID 2892 wrote to memory of 2848	2892	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	ÀíÏëÄ§Óò.exe
PID 2892 wrote to memory of 2848	2892	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	ÀíÏëÄ§Óò.exe
PID 2892 wrote to memory of 2848	2892	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	ÀíÏëÄ§Óò.exe
PID 2892 wrote to memory of 2848	2892	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	ÀíÏëÄ§Óò.exe

C:\Users\Admin\AppData\Local\Temp\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
"C:\Users\Admin\AppData\Local\Temp\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
"C:\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\ÀíÏëÄ§Óò.exe
"C:\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\ÀíÏëÄ§Óò.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ÀíÏëÄ§Óò.lnk
Filesize
1KB

MD5
5742615f75b6ea2f3b7c2545f96c7b15

SHA1
3e5f3a378d2a4b7f760990cd0290d3730fda2088

SHA256
beabb4b53b3f47b24805879ef94a519dbbc13db32bc54b8fba2b4aaac8089998

SHA512
8c5b4d91e70d3d1c7aa4a80858fd5a94e3b838ac5e6f9378907019df8b39b21f9f5a357f9a8fc57abdce2dbdd86ced400694d1b9d4c6de19bb2f1951b81574fe

Download Submit
\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Filesize
9.5MB

MD5
7757ee8cf24323b67fb5a40802fb2f36

SHA1
8e9625603b39809eeadcc68ff533c1fe9a7ed010

SHA256
31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817

SHA512
ed49d5f68be598e88bd56985ce0cd806b098b487337e04173773f8c90d5a7be608f856e17af1a8126c2b44bbf76e744ee3bec0f32cfd7e95dc04a70e67b01c21

Download Submit
\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\ÀíÏëÄ§Óò.exe
Filesize
9.0MB

MD5
d796dca47874d2848f19ba80859a1dbb

SHA1
7a6def1eab1a93ef93a4182f22c0a7eedb2f0314

SHA256
413ca8a2b0be9632c2f626f9e8b630e3985adf011102e563462fc9d092f18ef6

SHA512
506c6d3e41bc5e212068383ff790bc4a871af36008d47c956528e5901e85a5df21002cdb665f967f6f5b690dc961ac7d65a11b61a8527a98b025507c3dfd1734

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads