blackmoon | b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b

General

Target

b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
Size

9.5MB
MD5

c1a327f80304feb7842e1f35cbcf131c
SHA1

193bff007356348b1327c100a7a3cf0e30c2967f
SHA256

b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b
SHA512

eca17a38069af074e77c0c52f880ac5b468e8ec453e8705886fa2c4c3ad91e14bbf321bf6ded0ee655db1ad85d0e853019dc3e459f9c2290fbefaf08af365cfd
SSDEEP

196608:J/MJcDKlFBqkwDxURK8vyqByLdlf3hRQIgLKNg:JUODKlFBqHayOclfhRQIG2g

Score

10^/10

blackmoon banker spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Ç§ÇïÄ§Óò\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Ç§ÇïÄ§Óò\5E0A676E54A8365AFB17FD466BCDF925.exe	family_blackmoon

Executes dropped EXE 2 IoCs

Processes:

b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe5E0A676E54A8365AFB17FD466BCDF925.exe

pid process

2472 b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
4352 5E0A676E54A8365AFB17FD466BCDF925.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exeb189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe

description	pid	process
Token: SeDebugPrivilege	2336	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
Token: SeDebugPrivilege	2336	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
Token: SeDebugPrivilege	2472	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
Token: SeDebugPrivilege	2472	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
Token: SeDebugPrivilege	2472	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exeb189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe

pid	process
2472	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
2336	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exeb189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe

pid	process
2472	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
2336	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exeb189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe5E0A676E54A8365AFB17FD466BCDF925.exe

pid	process
2336	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
2472	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
4352	5E0A676E54A8365AFB17FD466BCDF925.exe
4352	5E0A676E54A8365AFB17FD466BCDF925.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exeb189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe

description	pid	process	target process
PID 2336 wrote to memory of 2472	2336	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
PID 2336 wrote to memory of 2472	2336	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
PID 2336 wrote to memory of 2472	2336	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
PID 2472 wrote to memory of 4352	2472	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe	5E0A676E54A8365AFB17FD466BCDF925.exe
PID 2472 wrote to memory of 4352	2472	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe	5E0A676E54A8365AFB17FD466BCDF925.exe
PID 2472 wrote to memory of 4352	2472	b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe	5E0A676E54A8365AFB17FD466BCDF925.exe

C:\Users\Admin\AppData\Local\Temp\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
"C:\Users\Admin\AppData\Local\Temp\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Roaming\Ç§ÇïÄ§Óò\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
"C:\Users\Admin\AppData\Roaming\Ç§ÇïÄ§Óò\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Roaming\Ç§ÇïÄ§Óò\5E0A676E54A8365AFB17FD466BCDF925.exe
"C:\Users\Admin\AppData\Roaming\Ç§ÇïÄ§Óò\5E0A676E54A8365AFB17FD466BCDF925.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ç§ÇïÄ§Óò\5E0A676E54A8365AFB17FD466BCDF925.exe
Filesize
9.0MB

MD5
0b00122c4eac3c5c6f1b1c783a7aa94f

SHA1
584ef0295c0b1d714dfe9de916a1d69dd2e76646

SHA256
923cb3c28f626586174f3768fc49b4146b008a6d5f92ee27f5605ea68ac206bc

SHA512
27f867c785598a7fb683d79d5ca7a1a56b799e77742d136b912e7de55f0196a8a25bec69d1417d7448b45bfed8190b5686fcb962dadbb764396689b86d1eea24

Download Submit
C:\Users\Admin\AppData\Roaming\Ç§ÇïÄ§Óò\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
Filesize
9.5MB

MD5
c1a327f80304feb7842e1f35cbcf131c

SHA1
193bff007356348b1327c100a7a3cf0e30c2967f

SHA256
b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b

SHA512
eca17a38069af074e77c0c52f880ac5b468e8ec453e8705886fa2c4c3ad91e14bbf321bf6ded0ee655db1ad85d0e853019dc3e459f9c2290fbefaf08af365cfd

Download Submit
C:\Users\Admin\Desktop\Ç§ÇïÄ§Óò.lnk
Filesize
1KB

MD5
92d0c1c13d8d5516dc381aaf489caf8f

SHA1
a4776d357e5e65161048bfc6a697b1b10412b1f3

SHA256
b55f22c7fbdc770f5b5d6d31ea064b5fc17e794a6b2cd671581a854032546246

SHA512
2aeb09cebef90e85dd1ae9e7ad8d95563c405c527d69cb84081e441077076b35edadf30dab11d2d8388384b380409d6a37edd26eb4d62ef9f15fbb8031bb0eb1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads