blackmoon | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f

General

Target

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
Size

7.7MB
MD5

7ba0092f4fa7a1b28b7d87443458520f
SHA1

4e794596849a876ced83ff35463860dbcbfc85b5
SHA256

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f
SHA512

c0da16c7f072af819e30b3555a1d879cc9af76f989dec46384b0c4050561a7705890b29e4a614a2b0e722ee692d77f78b2b5215ae0dde8c156247b3a28ad996f
SSDEEP

196608:s3DbJcDKlFBqZcPz0RK85Xs5XvyCMYpr/nGLtwN5:sTbODKlFBqakXsBvyCpLGLtw3

Score

10^/10

blackmoon banker spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\1835FFF3D4E324B5CDE27633041CCA28.exe	family_blackmoon

Executes dropped EXE 2 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe1835FFF3D4E324B5CDE27633041CCA28.exe

pid process

4664 fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
1208 1835FFF3D4E324B5CDE27633041CCA28.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exefce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

description	pid	process
Token: SeDebugPrivilege	372	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
Token: SeDebugPrivilege	372	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
Token: SeDebugPrivilege	4664	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
Token: SeDebugPrivilege	4664	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
Token: SeDebugPrivilege	4664	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exefce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

pid	process
4664	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
372	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exefce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

pid	process
4664	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
372	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exefce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe1835FFF3D4E324B5CDE27633041CCA28.exe

pid	process
372	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
4664	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
1208	1835FFF3D4E324B5CDE27633041CCA28.exe
1208	1835FFF3D4E324B5CDE27633041CCA28.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exefce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

description	pid	process	target process
PID 372 wrote to memory of 4664	372	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
PID 372 wrote to memory of 4664	372	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
PID 372 wrote to memory of 4664	372	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
PID 4664 wrote to memory of 1208	4664	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	1835FFF3D4E324B5CDE27633041CCA28.exe
PID 4664 wrote to memory of 1208	4664	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	1835FFF3D4E324B5CDE27633041CCA28.exe
PID 4664 wrote to memory of 1208	4664	fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe	1835FFF3D4E324B5CDE27633041CCA28.exe

C:\Users\Admin\AppData\Local\Temp\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
"C:\Users\Admin\AppData\Local\Temp\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
"C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\1835FFF3D4E324B5CDE27633041CCA28.exe
"C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\1835FFF3D4E324B5CDE27633041CCA28.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\1835FFF3D4E324B5CDE27633041CCA28.exe

Filesize
7.2MB

MD5
e18a1c638d75d4c7086835860170282d

SHA1
eb1899e15dc0e02227907ffc15a94bce51412854

SHA256
1e78a1c0dcbf3803936393d884f8ac706d710f30fb97546ab3b3d59ae9008c1a

SHA512
4ae89ebae887597c6648f5caf5239a6b20d2836e4c15971e8b7b661f8f253c09fdd1aabce263c36f2ab591b2ecfe0e6dd5886e219367e7bc736bb236575a6942

Download Submit
C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe

Filesize
7.7MB

MD5
7ba0092f4fa7a1b28b7d87443458520f

SHA1
4e794596849a876ced83ff35463860dbcbfc85b5

SHA256
fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f

SHA512
c0da16c7f072af819e30b3555a1d879cc9af76f989dec46384b0c4050561a7705890b29e4a614a2b0e722ee692d77f78b2b5215ae0dde8c156247b3a28ad996f

Download Submit
C:\Users\Admin\Desktop\°×µ°Æ·ÅÆ.lnk

Filesize
1KB

MD5
7abda6c97727eb698123a581a7eb4e84

SHA1
e59faf1b089a9c937eeaf598ea1a7baf22ca8b04

SHA256
d9c6cae0ac3e0656c86323c4b168ffa8e4b1bd7dc16b21569c289663c272081b

SHA512
b7e96f368afca79bc6bd0431a37733aa75b0523e8fa21ae9941a702e9d01c42e4faa2f9c62f45760cb50519267d0761c108bf279cd5502c8dedf507c448d4901

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads