blackmoon | 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328

General

Target

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Size

7.7MB
MD5

105cd89b0ddfd8e86235ca852c2c57dd
SHA1

38e643be21749f86929f1fb624a562f5d9fd0e93
SHA256

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328
SHA512

c6162d35d8173ecf91e0095c49dc6e0a7b0175e9607fa6b889cba6533ab79e607fd31757900a02997adf220d7e7058973dbcf5f9cfd58135795fb1b7bc2a0a3f
SSDEEP

196608:sZDtJcDKlFBqhRK85Xs5XvyCMYpr/nGLtwNo:s9tODKlFBq7XsBvyCpLGLtw2

Score

10^/10

blackmoon banker spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	family_blackmoon
\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe	family_blackmoon

Executes dropped EXE 2 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exeC148FAE227FC6914.exe

pid process

2148 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
2720 C148FAE227FC6914.exe

Loads dropped DLL 3 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

pid	process
1576	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
1576	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
2148	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

description	pid	process
Token: SeDebugPrivilege	1576	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Token: SeDebugPrivilege	1576	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Token: SeDebugPrivilege	2148	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Token: SeDebugPrivilege	2148	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Token: SeDebugPrivilege	2148	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

pid	process
2148	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
1576	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

pid	process
2148	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
1576	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exeC148FAE227FC6914.exe

pid	process
1576	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
2148	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
2720	C148FAE227FC6914.exe
2720	C148FAE227FC6914.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

description	pid	process	target process
PID 1576 wrote to memory of 2148	1576	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
PID 1576 wrote to memory of 2148	1576	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
PID 1576 wrote to memory of 2148	1576	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
PID 1576 wrote to memory of 2148	1576	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
PID 2148 wrote to memory of 2720	2148	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	C148FAE227FC6914.exe
PID 2148 wrote to memory of 2720	2148	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	C148FAE227FC6914.exe
PID 2148 wrote to memory of 2720	2148	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	C148FAE227FC6914.exe
PID 2148 wrote to memory of 2720	2148	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	C148FAE227FC6914.exe

C:\Users\Admin\AppData\Local\Temp\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
"C:\Users\Admin\AppData\Local\Temp\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
"C:\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe
"C:\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\°×µ°.lnk
Filesize
1KB

MD5
3dff333abbb975ca1802604e2b44e8bb

SHA1
5d9da6e6de2ada59081f919a35da7d887120793f

SHA256
6b6da3f0f6ad0e96ece0aaec33fe5c1b1d2e734beda03be15ca836e7c3e02e7d

SHA512
40998eff39fc8e2f2dc70834e911c4d0a1ba359148f582ea231aa7514e0975c3e4b127d1ac3d2f682bcc249c09f871c1c7a474f4ac93eb1bd5aa15a05296d9ff

Download Submit
\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Filesize
7.7MB

MD5
105cd89b0ddfd8e86235ca852c2c57dd

SHA1
38e643be21749f86929f1fb624a562f5d9fd0e93

SHA256
18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328

SHA512
c6162d35d8173ecf91e0095c49dc6e0a7b0175e9607fa6b889cba6533ab79e607fd31757900a02997adf220d7e7058973dbcf5f9cfd58135795fb1b7bc2a0a3f

Download Submit
\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe
Filesize
7.2MB

MD5
a6746c7beaf77b3895b0c6a996bd3fc2

SHA1
ab2864186175b96652967f38a204ebb41f608f50

SHA256
91a454a925fa4ab29ce0eaa131bb44877637d95897340f9c2485f418b1605560

SHA512
0792403db7edb69577fc3964362b38eb27445e23d906084e4bb1dc2737e25e24d25eed2f47525a0c069f8f6bdc7f7534dbcbd50c9aa970939ba04ccd50016619

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads