blackmoon | 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817

General

Target

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Size

9.5MB
MD5

7757ee8cf24323b67fb5a40802fb2f36
SHA1

8e9625603b39809eeadcc68ff533c1fe9a7ed010
SHA256

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817
SHA512

ed49d5f68be598e88bd56985ce0cd806b098b487337e04173773f8c90d5a7be608f856e17af1a8126c2b44bbf76e744ee3bec0f32cfd7e95dc04a70e67b01c21
SSDEEP

196608:ZjVJcDKlFBqkwDxURK8vyqByLdlf3hRQIgLKNc:ZxODKlFBqHayOclfhRQIG2c

Score

10^/10

blackmoon banker spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\ÀíÏëÄ§Óò.exe	family_blackmoon

Executes dropped EXE 2 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exeÀíÏëÄ§Óò.exe

pid process

756 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
1816 ÀíÏëÄ§Óò.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

description	pid	process
Token: SeDebugPrivilege	264	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Token: SeDebugPrivilege	264	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Token: SeDebugPrivilege	756	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Token: SeDebugPrivilege	756	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Token: SeDebugPrivilege	756	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

pid	process
756	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
264	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

pid	process
756	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
264	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exeÀíÏëÄ§Óò.exe

pid	process
264	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
756	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
1816	ÀíÏëÄ§Óò.exe
1816	ÀíÏëÄ§Óò.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

description	pid	process	target process
PID 264 wrote to memory of 756	264	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
PID 264 wrote to memory of 756	264	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
PID 264 wrote to memory of 756	264	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
PID 756 wrote to memory of 1816	756	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	ÀíÏëÄ§Óò.exe
PID 756 wrote to memory of 1816	756	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	ÀíÏëÄ§Óò.exe
PID 756 wrote to memory of 1816	756	31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe	ÀíÏëÄ§Óò.exe

C:\Users\Admin\AppData\Local\Temp\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
"C:\Users\Admin\AppData\Local\Temp\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:264

C:\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
"C:\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\ÀíÏëÄ§Óò.exe
"C:\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\ÀíÏëÄ§Óò.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Filesize
9.5MB

MD5
7757ee8cf24323b67fb5a40802fb2f36

SHA1
8e9625603b39809eeadcc68ff533c1fe9a7ed010

SHA256
31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817

SHA512
ed49d5f68be598e88bd56985ce0cd806b098b487337e04173773f8c90d5a7be608f856e17af1a8126c2b44bbf76e744ee3bec0f32cfd7e95dc04a70e67b01c21

Download Submit
C:\Users\Admin\AppData\Roaming\ÀíÏëÄ§Óò\ÀíÏëÄ§Óò.exe
Filesize
9.0MB

MD5
d796dca47874d2848f19ba80859a1dbb

SHA1
7a6def1eab1a93ef93a4182f22c0a7eedb2f0314

SHA256
413ca8a2b0be9632c2f626f9e8b630e3985adf011102e563462fc9d092f18ef6

SHA512
506c6d3e41bc5e212068383ff790bc4a871af36008d47c956528e5901e85a5df21002cdb665f967f6f5b690dc961ac7d65a11b61a8527a98b025507c3dfd1734

Download Submit
C:\Users\Admin\Desktop\ÀíÏëÄ§Óò.lnk
Filesize
1KB

MD5
44499572e79456123108b10e4f9632f8

SHA1
788fa8aadc01636236fef4d6e4203bcdd45ef4d4

SHA256
494d6c75ea80f12f41a77a1369bb65e03e0e01fe60b8943022e63c250b29ec70

SHA512
7bf4e9c1ca1362c8c2d42ea9230db2a5c014a0f8ee7e03175359f9b3e4368829cd4cf3c6da43e3e07621e60174a4f499a9b7f9dff824e7a2dab4e0d427b420cd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads