blackmoon | a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc

General

Target

a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Size

9.1MB
MD5

5fc8d0eb10acf166b7e4e46f7532a8c4
SHA1

a1b0cf0a7721c6e4b29ec3ef03bef814bbf16708
SHA256

a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc
SHA512

e96fb93be49c6045c3f12c64ff19974f8488f5ad54ba52b4768e4649efa369bdeeee12892fe561435c478df31dc3cc80e90e1536ce580631cf7954d8e7bff554
SSDEEP

196608:cXhm5Mgv2fjWLHP9laG5nudSH2RXg2ECNSiLKXSR:KhCMg0jylajdd5g2EaSiLKXSR

Score

10^/10

blackmoon banker evasion persistence themida trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 22 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2752-4-0x0000000000400000-0x0000000000D5A000-memory.dmp	family_blackmoon
behavioral2/memory/2752-5-0x0000000000400000-0x0000000000D5A000-memory.dmp	family_blackmoon
behavioral2/memory/2752-6-0x0000000000400000-0x0000000000D5A000-memory.dmp	family_blackmoon
behavioral2/memory/2752-7-0x0000000000400000-0x0000000000D5A000-memory.dmp	family_blackmoon
behavioral2/memory/2752-14-0x0000000000400000-0x0000000000D5A000-memory.dmp	family_blackmoon
behavioral2/memory/2752-16-0x0000000000400000-0x0000000000D5A000-memory.dmp	family_blackmoon
behavioral2/memory/2752-17-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon
behavioral2/memory/2752-19-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon
behavioral2/memory/2752-18-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon
behavioral2/memory/2752-20-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon
behavioral2/memory/2752-21-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon
behavioral2/memory/2752-23-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon
behavioral2/memory/2752-22-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon
behavioral2/memory/2752-29-0x0000000000400000-0x0000000000D5A000-memory.dmp	family_blackmoon
behavioral2/memory/2752-30-0x0000000000400000-0x0000000000D5A000-memory.dmp	family_blackmoon
behavioral2/memory/2752-31-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon
behavioral2/memory/2752-34-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon
behavioral2/memory/2752-36-0x0000000000400000-0x0000000000D5A000-memory.dmp	family_blackmoon
behavioral2/memory/2752-40-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon
behavioral2/memory/2752-45-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon
behavioral2/memory/2752-52-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon
behavioral2/memory/2752-59-0x00000000036D0000-0x000000000415C000-memory.dmp	family_blackmoon

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dultxiy39xiy\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Dultxiy39xiy.sys"	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

Executes dropped EXE 2 IoCs

Processes:

certmgr.execertmgr.exe

pid process

4020 certmgr.exe
4796 certmgr.exe

pid	process
4020	certmgr.exe
4796	certmgr.exe

Loads dropped DLL 2 IoCs

Processes:

a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

pid	process
2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\logitech.dll	themida
behavioral2/memory/2752-15-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-17-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-19-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-18-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-20-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-21-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-23-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-22-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-31-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-34-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-40-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-45-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-52-0x00000000036D0000-0x000000000415C000-memory.dmp	themida
behavioral2/memory/2752-59-0x00000000036D0000-0x000000000415C000-memory.dmp	themida

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2752-0-0x0000000010000000-0x0000000010019000-memory.dmp	upx
behavioral2/memory/2752-1-0x0000000010000000-0x0000000010019000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

Drops file in System32 directory 2 IoCs

Processes:

a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Dult.dll	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
File created	C:\Windows\SysWOW64\setie.bat	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe = "11001"	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe = "1"	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

description	pid	process
Token: SeDebugPrivilege	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Token: SeDebugPrivilege	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Token: SeDebugPrivilege	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Token: 1	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Token: SeDebugPrivilege	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

pid	process
2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.execmd.exe

description	pid	process	target process
PID 2752 wrote to memory of 1932	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe	cmd.exe
PID 2752 wrote to memory of 1932	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe	cmd.exe
PID 2752 wrote to memory of 1932	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe	cmd.exe
PID 1932 wrote to memory of 3416	1932	cmd.exe	regini.exe
PID 1932 wrote to memory of 3416	1932	cmd.exe	regini.exe
PID 1932 wrote to memory of 3416	1932	cmd.exe	regini.exe
PID 2752 wrote to memory of 4020	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe	certmgr.exe
PID 2752 wrote to memory of 4020	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe	certmgr.exe
PID 2752 wrote to memory of 4020	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe	certmgr.exe
PID 2752 wrote to memory of 4796	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe	certmgr.exe
PID 2752 wrote to memory of 4796	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe	certmgr.exe
PID 2752 wrote to memory of 4796	2752	a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe	certmgr.exe

C:\Users\Admin\AppData\Local\Temp\a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
"C:\Users\Admin\AppData\Local\Temp\a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Sets service image path in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\setie.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\regini.exe
regini.exe c:\regset.ini
3⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\certmgr.exe
"C:\Users\Admin\AppData\Local\Temp\\certmgr.exe" -add "C:\Users\Admin\AppData\Local\Temp\\newCA.cer" -s -r currentUser trustedpublisher
2⤵
- Executes dropped EXE
PID:4020

C:\Users\Admin\AppData\Local\Temp\certmgr.exe
"C:\Users\Admin\AppData\Local\Temp\\certmgr.exe" -add "C:\Users\Admin\AppData\Local\Temp\\newCA.cer" -s -r currentUser root
2⤵
- Executes dropped EXE
PID:4796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\certmgr.exe
Filesize
73KB

MD5
d56b22e2495e4cb73aefe3faef046c93

SHA1
383e9460d2426a98abfaad0e8dfca7dd436733c9

SHA256
38fe38349068c264ff653c2d1d273f2a8154f0da485364d962b83f2a75bddb45

SHA512
6d6213d6122d85171b910c392c717cd1a19d14f0b483accaf33f8677c841f92ccae4092fc47740a8a2a57098b68208416197c84b62ea41bd5790cf3c1b905dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\logitech.dll
Filesize
4.4MB

MD5
81f17e2646be7a2c1378f6f45247c06a

SHA1
1318734082fb4a141dcec26436019af08c92eaf2

SHA256
31e1dbec882158fc7c64c46401e3b15a18ae4d3aba62ee7024b981266664f04f

SHA512
812fe51d3e3b12617e878f82d9583364b3571a0f890f3ac9a56dfae6b3eee2aaf6c88c0e4fa11c1bd9316c92754e897ff6d94e882bb0f0807530dc64d6da4690

Download Submit
C:\Windows\SysWOW64\setie.bat
Filesize
24B

MD5
23a007ebe89849e7997a4afb9e5b722b

SHA1
1cd87b9c2be0ce63b8a4633adbfed0c414379ae3

SHA256
0703e1f7e9e53f3eb0044c37d0232cecb4e95a5c6eeeca8897635774ad0870a1

SHA512
b126b39fca6b91b806f06e46e2a82644db9858e4e8ee3748a13ac7560cf33e2298c278a7af784feb167acc62e99a3b97d7d40e1baa314e58583eb063323f169b

Download Submit
\??\c:\regset.ini
Filesize
81B

MD5
a67c03c1b51dfbb7e31d33a1b9344936

SHA1
0cec23c581c31bf6bcadc34dcf6706cbd75cd33c

SHA256
4859d6cc634295d4ab4b4ee49ae90d1e8d73611ee3d9dc8b8581a235b9e66834

SHA512
ffadc454b5682281aa519dd3e1ef2812334db5965545448d28ce6c4cf75d4edc68d1525ed606723d3061801ce7a9680eacab6c443f5453500a03732ac0edfcad

Download Submit
memory/2752-20-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-22-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-7-0x0000000000400000-0x0000000000D5A000-memory.dmp

Filesize
9.4MB

Download
memory/2752-5-0x0000000000400000-0x0000000000D5A000-memory.dmp

Filesize
9.4MB

Download
memory/2752-14-0x0000000000400000-0x0000000000D5A000-memory.dmp

Filesize
9.4MB

Download
memory/2752-15-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-16-0x0000000000400000-0x0000000000D5A000-memory.dmp

Filesize
9.4MB

Download
memory/2752-17-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-19-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-18-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-0-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2752-21-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-23-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-6-0x0000000000400000-0x0000000000D5A000-memory.dmp

Filesize
9.4MB

Download
memory/2752-29-0x0000000000400000-0x0000000000D5A000-memory.dmp

Filesize
9.4MB

Download
memory/2752-30-0x0000000000400000-0x0000000000D5A000-memory.dmp

Filesize
9.4MB

Download
memory/2752-31-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-34-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-36-0x0000000000400000-0x0000000000D5A000-memory.dmp

Filesize
9.4MB

Download
memory/2752-40-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-4-0x0000000000400000-0x0000000000D5A000-memory.dmp

Filesize
9.4MB

Download
memory/2752-3-0x00000000004CF000-0x00000000004D0000-memory.dmp

Filesize
4KB

Download
memory/2752-45-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-1-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2752-52-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download
memory/2752-59-0x00000000036D0000-0x000000000415C000-memory.dmp

Filesize
10.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads