blackmoon | 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328

General

Target

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Size

7.7MB
MD5

105cd89b0ddfd8e86235ca852c2c57dd
SHA1

38e643be21749f86929f1fb624a562f5d9fd0e93
SHA256

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328
SHA512

c6162d35d8173ecf91e0095c49dc6e0a7b0175e9607fa6b889cba6533ab79e607fd31757900a02997adf220d7e7058973dbcf5f9cfd58135795fb1b7bc2a0a3f
SSDEEP

196608:sZDtJcDKlFBqhRK85Xs5XvyCMYpr/nGLtwNo:s9tODKlFBq7XsBvyCpLGLtw2

Score

10^/10

blackmoon banker spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe	family_blackmoon

Executes dropped EXE 2 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exeC148FAE227FC6914.exe

pid process

3760 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
2836 C148FAE227FC6914.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

description	pid	process
Token: SeDebugPrivilege	2904	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Token: SeDebugPrivilege	2904	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Token: SeDebugPrivilege	3760	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Token: SeDebugPrivilege	3760	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Token: SeDebugPrivilege	3760	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

pid	process
3760	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
2904	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

pid	process
3760	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
2904	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exeC148FAE227FC6914.exe

pid	process
2904	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
3760	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
2836	C148FAE227FC6914.exe
2836	C148FAE227FC6914.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

description	pid	process	target process
PID 2904 wrote to memory of 3760	2904	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
PID 2904 wrote to memory of 3760	2904	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
PID 2904 wrote to memory of 3760	2904	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
PID 3760 wrote to memory of 2836	3760	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	C148FAE227FC6914.exe
PID 3760 wrote to memory of 2836	3760	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	C148FAE227FC6914.exe
PID 3760 wrote to memory of 2836	3760	18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe	C148FAE227FC6914.exe

C:\Users\Admin\AppData\Local\Temp\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
"C:\Users\Admin\AppData\Local\Temp\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904

C:\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
"C:\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3760

C:\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe
"C:\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Filesize
7.7MB

MD5
105cd89b0ddfd8e86235ca852c2c57dd

SHA1
38e643be21749f86929f1fb624a562f5d9fd0e93

SHA256
18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328

SHA512
c6162d35d8173ecf91e0095c49dc6e0a7b0175e9607fa6b889cba6533ab79e607fd31757900a02997adf220d7e7058973dbcf5f9cfd58135795fb1b7bc2a0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe
Filesize
7.2MB

MD5
a6746c7beaf77b3895b0c6a996bd3fc2

SHA1
ab2864186175b96652967f38a204ebb41f608f50

SHA256
91a454a925fa4ab29ce0eaa131bb44877637d95897340f9c2485f418b1605560

SHA512
0792403db7edb69577fc3964362b38eb27445e23d906084e4bb1dc2737e25e24d25eed2f47525a0c069f8f6bdc7f7534dbcbd50c9aa970939ba04ccd50016619

Download Submit
C:\Users\Admin\Desktop\°×µ°.lnk
Filesize
1KB

MD5
fb5b4f87feaee1f5349e23201decf763

SHA1
9a0a5adb0a085287259a31a5dda045305bd98e5a

SHA256
72e045c4a0b27b35abcd1859dd300e6bc0fc9d146770a27d9e3488639b63bfae

SHA512
9902de7a095db92db8b9477368f35fca83faaca684b25cee845a0c592e02dbc6eb5f8141daafcf6e4eb2cbff4fd6fb704a00a3f91475507682eb06a67e77af1b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads