blackmoon | df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf

General

Target

df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe
Size

11.6MB
MD5

008dfb42fb70c4eebd4478059ae0edc6
SHA1

76a4a873aa6d1f09d1cd292d679becbc5ad38348
SHA256

df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf
SHA512

42998749cb762a99b01a27af960feacd1dff8e84594cf196b0c8cb421944037b0fe9aabe58fa0cd10444927d661b4b72bc327d04336407fc643991b5418ab3da
SSDEEP

196608:GZzrENt07+s5HLnr07w+G0ckFlON5udy0V3VBlYMD+cpvJ/4H3nmghWoa/fsysMi:GZVzn49ckLy0V3VBlYMFgXnU7sElKy

Score

10^/10

blackmoon banker evasion spyware stealer trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2760-70-0x0000000000400000-0x0000000000B03000-memory.dmp	family_blackmoon
behavioral1/memory/2760-72-0x0000000000400000-0x0000000000B03000-memory.dmp	family_blackmoon
behavioral1/memory/2760-73-0x0000000000400000-0x0000000000B03000-memory.dmp	family_blackmoon
behavioral1/memory/2760-74-0x0000000000400000-0x0000000000B03000-memory.dmp	family_blackmoon

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

cbr0pTev9LemH7v.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions cbr0pTev9LemH7v.exe
Executes dropped EXE 2 IoCs

Processes:

cbr0pTev9LemH7v.exe龙腾江湖.dat

pid process

1184 cbr0pTev9LemH7v.exe
2760 龙腾江湖.dat

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	cbr0pTev9LemH7v.exe

Loads dropped DLL 2 IoCs

Processes:

df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe

pid	process
1632	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe
1632	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\龙腾江湖.dat	upx
behavioral1/memory/2760-24-0x0000000000400000-0x0000000000B03000-memory.dmp	upx
behavioral1/memory/1632-23-0x0000000003F50000-0x0000000004653000-memory.dmp	upx
behavioral1/memory/2760-70-0x0000000000400000-0x0000000000B03000-memory.dmp	upx
behavioral1/memory/2760-72-0x0000000000400000-0x0000000000B03000-memory.dmp	upx
behavioral1/memory/2760-73-0x0000000000400000-0x0000000000B03000-memory.dmp	upx
behavioral1/memory/2760-74-0x0000000000400000-0x0000000000B03000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

龙腾江湖.dat

description	ioc	process
File opened (read-only)	\??\S:	龙腾江湖.dat
File opened (read-only)	\??\T:	龙腾江湖.dat
File opened (read-only)	\??\U:	龙腾江湖.dat
File opened (read-only)	\??\V:	龙腾江湖.dat
File opened (read-only)	\??\Z:	龙腾江湖.dat
File opened (read-only)	\??\H:	龙腾江湖.dat
File opened (read-only)	\??\O:	龙腾江湖.dat
File opened (read-only)	\??\K:	龙腾江湖.dat
File opened (read-only)	\??\L:	龙腾江湖.dat
File opened (read-only)	\??\Y:	龙腾江湖.dat
File opened (read-only)	\??\G:	龙腾江湖.dat
File opened (read-only)	\??\J:	龙腾江湖.dat
File opened (read-only)	\??\P:	龙腾江湖.dat
File opened (read-only)	\??\R:	龙腾江湖.dat
File opened (read-only)	\??\W:	龙腾江湖.dat
File opened (read-only)	\??\M:	龙腾江湖.dat
File opened (read-only)	\??\N:	龙腾江湖.dat
File opened (read-only)	\??\E:	龙腾江湖.dat
File opened (read-only)	\??\I:	龙腾江湖.dat
File opened (read-only)	\??\Q:	龙腾江湖.dat
File opened (read-only)	\??\X:	龙腾江湖.dat
File opened (read-only)	\??\A:	龙腾江湖.dat
File opened (read-only)	\??\B:	龙腾江湖.dat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

cbr0pTev9LemH7v.exe

pid	process
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe
1184	cbr0pTev9LemH7v.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

cbr0pTev9LemH7v.exe

description	pid	process
Token: SeShutdownPrivilege	1184	cbr0pTev9LemH7v.exe
Token: SeShutdownPrivilege	1184	cbr0pTev9LemH7v.exe
Token: SeShutdownPrivilege	1184	cbr0pTev9LemH7v.exe
Token: SeShutdownPrivilege	1184	cbr0pTev9LemH7v.exe
Token: SeShutdownPrivilege	1184	cbr0pTev9LemH7v.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cbr0pTev9LemH7v.exe

pid process

1184 cbr0pTev9LemH7v.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

cbr0pTev9LemH7v.exe

pid process

1184 cbr0pTev9LemH7v.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

龙腾江湖.dat

pid process

2760 龙腾江湖.dat
2760 龙腾江湖.dat

pid	process
2760	龙腾江湖.dat
2760	龙腾江湖.dat

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe

description	pid	process	target process
PID 1632 wrote to memory of 1184	1632	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	cbr0pTev9LemH7v.exe
PID 1632 wrote to memory of 1184	1632	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	cbr0pTev9LemH7v.exe
PID 1632 wrote to memory of 1184	1632	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	cbr0pTev9LemH7v.exe
PID 1632 wrote to memory of 1184	1632	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	cbr0pTev9LemH7v.exe
PID 1632 wrote to memory of 2760	1632	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	龙腾江湖.dat
PID 1632 wrote to memory of 2760	1632	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	龙腾江湖.dat
PID 1632 wrote to memory of 2760	1632	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	龙腾江湖.dat
PID 1632 wrote to memory of 2760	1632	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	龙腾江湖.dat

C:\Users\Admin\AppData\Local\Temp\df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe
"C:\Users\Admin\AppData\Local\Temp\df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\ytool\cbr0pTev9LemH7v.exe
"C:\Users\Admin\AppData\Local\Temp\df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe" "C:\Users\Admin\AppData\Local\Temp\df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1184

C:\Users\Admin\AppData\Local\Temp\龙腾江湖.dat
"C:\Users\Admin\AppData\Local\Temp\龙腾江湖.dat"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
258B

MD5
1f54225bb8e5ecabff945d2e506fcd15

SHA1
dfc38e3e8f25631483788cfd46ddab98c8898c26

SHA256
7226a6500214e57c9bd5f4a99b96f48b989794dc367e131205294fc3146137da

SHA512
507a9a0f15ed33245e07172eda374a06f421253aff348004783933e84f74803d803d65a8fc9d3621a9d4428f8d03f72fd42b0aa7ed9911b9f4d6862845a1a166

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
658B

MD5
ee094fef1a9d80a1ad7e492c11141ab9

SHA1
52487512786514f1b922ad4183e20c12a0b8d44a

SHA256
8d22df663a32e4e0a8e4b080574ba825f41e7091c64f9ba13e6ab9794bbb5e93

SHA512
85fe09766ac960576e58ee3c3efb2782f52b28b0ba63328d4e8ccd5e533934eb2c82c1c7ddb3ac46b5f7f90aee0d216b52254d287849aa5932ebeb70be8249c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
3KB

MD5
782ccac95901355e531add108b6d08f8

SHA1
ece594f0b7b91eed9e5c216ca48f6f9844c64653

SHA256
59d1fbfdd394979fc24f4d465c69b2c7ef6cb602f99e929fe5602e0ca0188800

SHA512
4afe6ef94c1698962395f7ea53ca5d0535ad9ab7da118cf136dfac1b1377be195a99dc031e5fcb1f05cf4d9dfdb9c2006c3b856caddd3c8995f1e462fb7fe915

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
4KB

MD5
d200a5c539e17f10820fe295cb5404d6

SHA1
67c79467267bd5e4bfe9791b5e6c48791f0ed599

SHA256
908520d6f15e8b52036c56de036e0f16ccf7f3372148c0aba5c66abf227a6d7d

SHA512
829b60ec201c070418375f299cf6cdca92155e4dc5c767c914ca6dccfc04043e0763726740819c1e690cb37e7c7c20b2e3fc993eb7e6930c0ca70b57cedd6ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
4KB

MD5
652dc49ee7961e3c68f6f55672c3a220

SHA1
3232e01565626553f2431b4e6dee2d3bd1bc2384

SHA256
7b16c770c387bf462de1a63ddfaeea62a100f060b51a6a9a88a75b3e834f10de

SHA512
b1eec20095920f0b9fbf0483fbe6f465e4e33c1213a290da750f49e9e1127e64b33ddc61d6e7456a08d41bbd2d398e0bc2933dbf67181fd4b116cf8d2505c4d8

Download Submit
\Users\Admin\AppData\Local\Temp\ytool\cbr0pTev9LemH7v.exe

Filesize
5.7MB

MD5
0ad67c41fa429add5c4ffd25a55b5673

SHA1
0d20eb34709f292f25088da85c5c3a0fc2100b8f

SHA256
b96bbbb673e57413df996e8a7f76575014bf57238d93fa401979af9cda87f943

SHA512
e3625118e3c0d4881084b70c40ad1b17600f4772a8200081beb5ecba632448e2aecc5f522776644581c868d902e3074d23430e677fab9d3a5e86a2851ab51df5

Download Submit
\Users\Admin\AppData\Local\Temp\龙腾江湖.dat

Filesize
2.9MB

MD5
87b9fe04a11f8a982ba96c632ae33298

SHA1
6022993c031ef91c36d6fdbe1cfad7fab1f64064

SHA256
c50b22eb17e6762c3bee1dd42faea65219d61dc867b6a3f0d770cf14c49bc200

SHA512
2a3cac2af94d0c8431e5a5d89943e8c025e5484848d4430e4dc0e494a02cf362adb7f9a0f1dfb7d73e26354c0563909370e21c49ad055f44815f03fda3b315aa

Download Submit
memory/1632-23-0x0000000003F50000-0x0000000004653000-memory.dmp

Filesize
7.0MB

Download
memory/2760-24-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download
memory/2760-70-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download
memory/2760-72-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download
memory/2760-73-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download
memory/2760-74-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads