blackmoon | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f

General

Target

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
Size

7.7MB
MD5

7ba0092f4fa7a1b28b7d87443458520f
SHA1

4e794596849a876ced83ff35463860dbcbfc85b5
SHA256

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f
SHA512

c0da16c7f072af819e30b3555a1d879cc9af76f989dec46384b0c4050561a7705890b29e4a614a2b0e722ee692d77f78b2b5215ae0dde8c156247b3a28ad996f
SSDEEP

196608:s3DbJcDKlFBqZcPz0RK85Xs5XvyCMYpr/nGLtwN5:sTbODKlFBqakXsBvyCpLGLtw3

Score

10^/10

blackmoon banker spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	family_blackmoon
\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\1835FFF3D4E324B5CDE27633041CCA28.exe	family_blackmoon

Executes dropped EXE 2 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe1835FFF3D4E324B5CDE27633041CCA28.exe

pid process

2696 fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
2540 1835FFF3D4E324B5CDE27633041CCA28.exe

Loads dropped DLL 3 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exefce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

pid	process
2244	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
2244	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
2696	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exefce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

description	pid	process
Token: SeDebugPrivilege	2244	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
Token: SeDebugPrivilege	2244	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
Token: SeDebugPrivilege	2696	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
Token: SeDebugPrivilege	2696	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
Token: SeDebugPrivilege	2696	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exefce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

pid	process
2696	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
2244	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exefce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

pid	process
2696	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
2244	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exefce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe1835FFF3D4E324B5CDE27633041CCA28.exe

pid	process
2244	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
2696	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
2540	1835FFF3D4E324B5CDE27633041CCA28.exe
2540	1835FFF3D4E324B5CDE27633041CCA28.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exefce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

description	pid	process	target process
PID 2244 wrote to memory of 2696	2244	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
PID 2244 wrote to memory of 2696	2244	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
PID 2244 wrote to memory of 2696	2244	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
PID 2244 wrote to memory of 2696	2244	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
PID 2696 wrote to memory of 2540	2696	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	1835FFF3D4E324B5CDE27633041CCA28.exe
PID 2696 wrote to memory of 2540	2696	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	1835FFF3D4E324B5CDE27633041CCA28.exe
PID 2696 wrote to memory of 2540	2696	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	1835FFF3D4E324B5CDE27633041CCA28.exe
PID 2696 wrote to memory of 2540	2696	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	1835FFF3D4E324B5CDE27633041CCA28.exe

C:\Users\Admin\AppData\Local\Temp\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
"C:\Users\Admin\AppData\Local\Temp\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
"C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\1835FFF3D4E324B5CDE27633041CCA28.exe
"C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\1835FFF3D4E324B5CDE27633041CCA28.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\°×µ°Æ·ÅÆ.lnk
Filesize
1KB

MD5
a3d5d3ed0ef61f3e01597c30147f887d

SHA1
6a877d55f666fec860da9b7c459f789f39e532e6

SHA256
7638147ec6093c99ecb329e7786ff8874e572f5acde510d8ecef455b5004f7d1

SHA512
eae9d78ad9d856f962817833449e4cd60201fefaef97b24dd1feb157a8859abc19d189ba1bec981d5507c3db7c3801a2ebc43b17b0873c6d140f4e3fcea0345c

Download Submit
\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\1835FFF3D4E324B5CDE27633041CCA28.exe
Filesize
7.2MB

MD5
e18a1c638d75d4c7086835860170282d

SHA1
eb1899e15dc0e02227907ffc15a94bce51412854

SHA256
1e78a1c0dcbf3803936393d884f8ac706d710f30fb97546ab3b3d59ae9008c1a

SHA512
4ae89ebae887597c6648f5caf5239a6b20d2836e4c15971e8b7b661f8f253c09fdd1aabce263c36f2ab591b2ecfe0e6dd5886e219367e7bc736bb236575a6942

Download Submit
\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
Filesize
7.7MB

MD5
7ba0092f4fa7a1b28b7d87443458520f

SHA1
4e794596849a876ced83ff35463860dbcbfc85b5

SHA256
fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f

SHA512
c0da16c7f072af819e30b3555a1d879cc9af76f989dec46384b0c4050561a7705890b29e4a614a2b0e722ee692d77f78b2b5215ae0dde8c156247b3a28ad996f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads