blackmoon | 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081

General

Target

8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
Size

1.4MB
MD5

0cf6ef89fd8080d6a8f81e863cd5b93f
SHA1

4473a8fd474a316a5c3fc0bbff565f1204401b20
SHA256

8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081
SHA512

433ec826bf7abef99c9a1ea7a4da5e16bcd07da36da0a5c02673f70fe2c5d391964f25429aa7fbd22e5f0fdf8245867e06044b07a37444ecf068a8d599531a6f
SSDEEP

24576:m0bajn5sNJOZDV1USRveLWoq/Ed6BVq+RGSbp8A7ifqVnRTRpSHgRiC:mxsNUFbRRveLWSYB4+I9A+fInzoHgkC

Score

10^/10

blackmoon banker trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1480-4-0x0000000010000000-0x0000000010067000-memory.dmp	family_blackmoon
behavioral2/memory/1484-24-0x00000000008B0000-0x00000000008EE000-memory.dmp	family_blackmoon

Drops startup file 1 IoCs

Processes:

8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM_START.lnk	8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe

Executes dropped EXE 1 IoCs

Processes:

djaln.exe

pid process

1484 djaln.exe
Loads dropped DLL 1 IoCs

Processes:

djaln.exe

pid process

1484 djaln.exe

pid	process
1484	djaln.exe

pid	process
1484	djaln.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/1480-0-0x0000000000400000-0x00000000006D6000-memory.dmp	vmprotect
behavioral2/memory/1480-2-0x0000000000400000-0x00000000006D6000-memory.dmp	vmprotect
behavioral2/memory/1480-8-0x0000000000400000-0x00000000006D6000-memory.dmp	vmprotect
C:\Users\Public\Videos\VSTelem\djaln\Language.dll	vmprotect
behavioral2/memory/1484-20-0x0000000010000000-0x000000001005D000-memory.dmp	vmprotect
behavioral2/memory/1484-21-0x0000000010000000-0x000000001005D000-memory.dmp	vmprotect
behavioral2/memory/1480-29-0x0000000000400000-0x00000000006D6000-memory.dmp	vmprotect
behavioral2/memory/1484-33-0x0000000010000000-0x000000001005D000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exedjaln.exe

pid process

1480 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
1484 djaln.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

djaln.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	djaln.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	djaln.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	djaln.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	djaln.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	djaln.exe

Modifies registry class 1 IoCs

Processes:

8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exedjaln.exe

pid	process
1480	8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
1480	8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
1480	8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
1480	8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
1484	djaln.exe
1484	djaln.exe
1484	djaln.exe
1484	djaln.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exedjaln.exe

pid process

1376 OpenWith.exe
1484 djaln.exe

pid	process
1376	OpenWith.exe
1484	djaln.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe

description	pid	process	target process
PID 1480 wrote to memory of 1484	1480	8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe	djaln.exe
PID 1480 wrote to memory of 1484	1480	8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe	djaln.exe
PID 1480 wrote to memory of 1484	1480	8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe	djaln.exe

C:\Users\Admin\AppData\Local\Temp\8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
"C:\Users\Admin\AppData\Local\Temp\8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe"
1⤵
- Drops startup file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Public\Videos\VSTelem\djaln\djaln.exe
C:\Users\Public\Videos\VSTelem\djaln\djaln.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Videos\VSTelem\djaln\Language.dll
Filesize
188KB

MD5
3dc8268e939ea269474b319e6ad64066

SHA1
37919c320708877525aa0b4443674b3b75d32ebc

SHA256
0e807eea09cfb000d965d3f32ac4dfba6fa9a480bf6289ffd3c7576dddfdbb5a

SHA512
05c0c4c8eb6e9af30739968bf70c308db9ac74b97d9a58e7adb6a0c42683f261b1018eddedee9fa0898275ca288f1af7cac7fa9a380a7745d80bc0d325f60fde

Download Submit
C:\Users\Public\Videos\VSTelem\djaln\Update.log
Filesize
73KB

MD5
7e651e861e25e68820d109b1f2618d79

SHA1
7a8263f724d1ba5891b3c7d96cbf140c9d731cc7

SHA256
e7b0140998a55eac72263fd9d41452851475ef99fea74e201dfb76a963e25b80

SHA512
6bc20c4c85c0399dbeb9e2f523b3e0e3368434da074fa669bc026105a8e6e67bf9fd5d78542ba295d8f470ca507eb3b5416bcf5c75f5ac0c9bba0a323ed19c00

Download Submit
C:\Users\Public\Videos\VSTelem\djaln\djaln.exe
Filesize
49KB

MD5
86810e2d993f7327eb5b25b5d17d21c1

SHA1
92be7e63223f3c7e37161b8fc1ab555813988d70

SHA256
63636cec408acbbc4d04c01f9efdbe4b9b08fa0c4390ec8729b9ff0c8be9d246

SHA512
148ef0d152260f874d2c32accf4afdc07d7b975fc15d2373d9c4d8fc4975dc4c54f37ca432eddb9b4e0d109386ab9ab8aad2dcea420ed8a5ee42e4aff341fd4c

Download Submit
memory/1480-2-0x0000000000400000-0x00000000006D6000-memory.dmp

Filesize
2.8MB

Download
memory/1480-4-0x0000000010000000-0x0000000010067000-memory.dmp

Filesize
412KB

Download
memory/1480-8-0x0000000000400000-0x00000000006D6000-memory.dmp

Filesize
2.8MB

Download
memory/1480-1-0x0000000000401000-0x0000000000487000-memory.dmp

Filesize
536KB

Download
memory/1480-0-0x0000000000400000-0x00000000006D6000-memory.dmp

Filesize
2.8MB

Download
memory/1480-29-0x0000000000400000-0x00000000006D6000-memory.dmp

Filesize
2.8MB

Download
memory/1484-20-0x0000000010000000-0x000000001005D000-memory.dmp

Filesize
372KB

Download
memory/1484-21-0x0000000010000000-0x000000001005D000-memory.dmp

Filesize
372KB

Download
memory/1484-24-0x00000000008B0000-0x00000000008EE000-memory.dmp

Filesize
248KB

Download
memory/1484-33-0x0000000010000000-0x000000001005D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads