blackmoon | df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf

General

Target

df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe
Size

11.6MB
MD5

008dfb42fb70c4eebd4478059ae0edc6
SHA1

76a4a873aa6d1f09d1cd292d679becbc5ad38348
SHA256

df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf
SHA512

42998749cb762a99b01a27af960feacd1dff8e84594cf196b0c8cb421944037b0fe9aabe58fa0cd10444927d661b4b72bc327d04336407fc643991b5418ab3da
SSDEEP

196608:GZzrENt07+s5HLnr07w+G0ckFlON5udy0V3VBlYMD+cpvJ/4H3nmghWoa/fsysMi:GZVzn49ckLy0V3VBlYMFgXnU7sElKy

Score

10^/10

blackmoon banker spyware stealer trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4680-66-0x0000000000400000-0x0000000000B03000-memory.dmp	family_blackmoon
behavioral2/memory/4680-68-0x0000000000400000-0x0000000000B03000-memory.dmp	family_blackmoon
behavioral2/memory/4680-69-0x0000000000400000-0x0000000000B03000-memory.dmp	family_blackmoon
behavioral2/memory/4680-70-0x0000000000400000-0x0000000000B03000-memory.dmp	family_blackmoon
behavioral2/memory/4680-71-0x0000000000400000-0x0000000000B03000-memory.dmp	family_blackmoon
behavioral2/memory/4680-72-0x0000000000400000-0x0000000000B03000-memory.dmp	family_blackmoon
behavioral2/memory/4680-73-0x0000000000400000-0x0000000000B03000-memory.dmp	family_blackmoon

Executes dropped EXE 2 IoCs

Processes:

cbr0pTev9LemH7v.exe龙腾江湖.dat

pid process

2452 cbr0pTev9LemH7v.exe
4680 龙腾江湖.dat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2452	cbr0pTev9LemH7v.exe
4680	龙腾江湖.dat

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\龙腾江湖.dat	upx
behavioral2/memory/4680-21-0x0000000000400000-0x0000000000B03000-memory.dmp	upx
behavioral2/memory/4680-66-0x0000000000400000-0x0000000000B03000-memory.dmp	upx
behavioral2/memory/4680-68-0x0000000000400000-0x0000000000B03000-memory.dmp	upx
behavioral2/memory/4680-69-0x0000000000400000-0x0000000000B03000-memory.dmp	upx
behavioral2/memory/4680-70-0x0000000000400000-0x0000000000B03000-memory.dmp	upx
behavioral2/memory/4680-71-0x0000000000400000-0x0000000000B03000-memory.dmp	upx
behavioral2/memory/4680-72-0x0000000000400000-0x0000000000B03000-memory.dmp	upx
behavioral2/memory/4680-73-0x0000000000400000-0x0000000000B03000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

龙腾江湖.dat

description	ioc	process
File opened (read-only)	\??\H:	龙腾江湖.dat
File opened (read-only)	\??\Q:	龙腾江湖.dat
File opened (read-only)	\??\T:	龙腾江湖.dat
File opened (read-only)	\??\U:	龙腾江湖.dat
File opened (read-only)	\??\B:	龙腾江湖.dat
File opened (read-only)	\??\E:	龙腾江湖.dat
File opened (read-only)	\??\G:	龙腾江湖.dat
File opened (read-only)	\??\J:	龙腾江湖.dat
File opened (read-only)	\??\K:	龙腾江湖.dat
File opened (read-only)	\??\R:	龙腾江湖.dat
File opened (read-only)	\??\S:	龙腾江湖.dat
File opened (read-only)	\??\L:	龙腾江湖.dat
File opened (read-only)	\??\M:	龙腾江湖.dat
File opened (read-only)	\??\N:	龙腾江湖.dat
File opened (read-only)	\??\O:	龙腾江湖.dat
File opened (read-only)	\??\V:	龙腾江湖.dat
File opened (read-only)	\??\Z:	龙腾江湖.dat
File opened (read-only)	\??\A:	龙腾江湖.dat
File opened (read-only)	\??\I:	龙腾江湖.dat
File opened (read-only)	\??\P:	龙腾江湖.dat
File opened (read-only)	\??\W:	龙腾江湖.dat
File opened (read-only)	\??\X:	龙腾江湖.dat
File opened (read-only)	\??\Y:	龙腾江湖.dat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cbr0pTev9LemH7v.exe

pid process

2452 cbr0pTev9LemH7v.exe
2452 cbr0pTev9LemH7v.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cbr0pTev9LemH7v.exe

pid process

2452 cbr0pTev9LemH7v.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

cbr0pTev9LemH7v.exe

pid process

2452 cbr0pTev9LemH7v.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

龙腾江湖.dat

pid process

4680 龙腾江湖.dat
4680 龙腾江湖.dat

pid	process
2452	cbr0pTev9LemH7v.exe
2452	cbr0pTev9LemH7v.exe

pid	process
2452	cbr0pTev9LemH7v.exe

pid	process
2452	cbr0pTev9LemH7v.exe

pid	process
4680	龙腾江湖.dat
4680	龙腾江湖.dat

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe

description	pid	process	target process
PID 2344 wrote to memory of 2452	2344	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	cbr0pTev9LemH7v.exe
PID 2344 wrote to memory of 2452	2344	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	cbr0pTev9LemH7v.exe
PID 2344 wrote to memory of 2452	2344	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	cbr0pTev9LemH7v.exe
PID 2344 wrote to memory of 4680	2344	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	龙腾江湖.dat
PID 2344 wrote to memory of 4680	2344	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	龙腾江湖.dat
PID 2344 wrote to memory of 4680	2344	df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe	龙腾江湖.dat

C:\Users\Admin\AppData\Local\Temp\df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe
"C:\Users\Admin\AppData\Local\Temp\df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Users\Admin\AppData\Local\Temp\ytool\cbr0pTev9LemH7v.exe
"C:\Users\Admin\AppData\Local\Temp\df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe" "C:\Users\Admin\AppData\Local\Temp\df2be2e1ecbf2fd8a6f6ca3fae6e8ade12518fd9952ec731bb0237004a71f6cf.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2452

C:\Users\Admin\AppData\Local\Temp\龙腾江湖.dat
"C:\Users\Admin\AppData\Local\Temp\龙腾江湖.dat"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
316B

MD5
deca09695247b19d941744cd764d2f45

SHA1
84b1045b6c0b1487f7d2e565a872e4b2c3aa3b9e

SHA256
99d1d18c88c9ce796e914b60817fd9a163579f0cd9b3963f80f16e72aabeb6b9

SHA512
d516a3a3b736e4d35b0696f75515d590d252cf5e1c00d5fbe6c887e6a3daed8d5452d268a292913a285625ef668cdbbaca182e3f9867e9d6035cb15acb07096e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
658B

MD5
6504d5e5b2312017c06c2f0523360edd

SHA1
ab3be97264dc9d3c498709b6380e916406374673

SHA256
c8af3affe93dbf880d32cdae7e299a9cbd6ac5a1049024883d3261d6af104a41

SHA512
69293631b93e191e17473765c90ba138e6a59fbf054407ac4a6c0f99b8ecd069ece6cffbc3e09c58b15f5b9b96f2baae424f8600df1de41dae5c3b8dfcd3b557

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
4KB

MD5
e0e65bae23c73c45f52ed3b7eb211068

SHA1
2369959d8eebefd15c1c788715f14ede2c54b9f5

SHA256
d51e70c2c825420741efb5c4abad8c0c7c611638cbe706ba6a3ec021ca2e13dc

SHA512
15ad9659febd6d878a35365ccc41946c1a9bf12ba51e80f862721f2ab5d86c994ad77f2ac662c1fba5fe98822959b2374431ca44609da85d2d2d23dacfd82a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\cbr0pTev9LemH7v.exe

Filesize
5.7MB

MD5
0ad67c41fa429add5c4ffd25a55b5673

SHA1
0d20eb34709f292f25088da85c5c3a0fc2100b8f

SHA256
b96bbbb673e57413df996e8a7f76575014bf57238d93fa401979af9cda87f943

SHA512
e3625118e3c0d4881084b70c40ad1b17600f4772a8200081beb5ecba632448e2aecc5f522776644581c868d902e3074d23430e677fab9d3a5e86a2851ab51df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\龙腾江湖.dat

Filesize
2.9MB

MD5
87b9fe04a11f8a982ba96c632ae33298

SHA1
6022993c031ef91c36d6fdbe1cfad7fab1f64064

SHA256
c50b22eb17e6762c3bee1dd42faea65219d61dc867b6a3f0d770cf14c49bc200

SHA512
2a3cac2af94d0c8431e5a5d89943e8c025e5484848d4430e4dc0e494a02cf362adb7f9a0f1dfb7d73e26354c0563909370e21c49ad055f44815f03fda3b315aa

Download Submit
memory/4680-66-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download
memory/4680-21-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download
memory/4680-68-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download
memory/4680-69-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download
memory/4680-70-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download
memory/4680-71-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download
memory/4680-72-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download
memory/4680-73-0x0000000000400000-0x0000000000B03000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads