blackmoon | b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988

General

Target

b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
Size

14.8MB
MD5

b7e42c5d729af5810c633e4687bc4a2b
SHA1

810cd73f1db3f513df31640823baa004a8f1cf00
SHA256

b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988
SHA512

1597e958573f664b93bcfc6583c70f16bb7f388a4f8d7840daaa6c537658ec9b44c52066bb84e003f105a9063836afccdbab2bcbc3afda96e6d906a51b190f87
SSDEEP

393216:gPDPJepGNvUodC5g3LhAvxw5r/6Wv3bDj3dq:YBepGuR5g3LaarPLdq

Score

10^/10

blackmoon aspackv2 banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2840-3-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2840-2-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2840-1-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2840-8-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2840-10-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2840-11-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2840-9-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2840-37-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2796-41-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2796-39-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2796-40-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2796-68-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2796-69-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\9SFÀ×öªÍò¾û\25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

pid process

2796 25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
Loads dropped DLL 1 IoCs

Processes:

b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

pid process

2840 b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

pid	process
2796	25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

description	ioc	process
File opened (read-only)	\??\I:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\P:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\R:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\X:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\E:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\W:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\L:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\K:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\N:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\O:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\Q:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\S:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\U:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\Z:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\A:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\G:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\H:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\J:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\M:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\T:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\V:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\Y:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\B:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

pid	process
2840	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
2840	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
2840	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
2796	25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
2796	25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
2796	25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

description	pid	process	target process
PID 2840 wrote to memory of 2796	2840	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe	25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
PID 2840 wrote to memory of 2796	2840	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe	25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
PID 2840 wrote to memory of 2796	2840	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe	25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
PID 2840 wrote to memory of 2796	2840	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe	25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

C:\Users\Admin\AppData\Local\Temp\b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
"C:\Users\Admin\AppData\Local\Temp\b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840

C:\9SFÀ×öªÍò¾û\25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
C:\9SFÀ×öªÍò¾û\25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NVDR4C1U\errorPageStrings[1]
Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c039c99da555107bb9419756c9e4450.txt
Filesize
15B

MD5
497bf022493f3514f261b6ca92377c76

SHA1
91c1ca15bfbef475dd62cd8a89dae3c1dd5855ea

SHA256
9ae34ca360510d594d068b6eaf432159cc5902c65105ada3ba6f03bdff1b0714

SHA512
43bfe70d6407962e0d9e017942ceab9dcf8925273713e17ef88acd8edd6f2a56741201cd7bfa8aa55c0f0aac488b6d5e57820b05923145ba03f149c2817e8419

Download Submit
\9SFÀ×öªÍò¾û\25880b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
Filesize
14.8MB

MD5
b7e42c5d729af5810c633e4687bc4a2b

SHA1
810cd73f1db3f513df31640823baa004a8f1cf00

SHA256
b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988

SHA512
1597e958573f664b93bcfc6583c70f16bb7f388a4f8d7840daaa6c537658ec9b44c52066bb84e003f105a9063836afccdbab2bcbc3afda96e6d906a51b190f87

Download Submit
memory/2796-69-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2796-68-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2796-40-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2796-39-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2796-41-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2796-38-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2840-7-0x000000000091E000-0x000000000091F000-memory.dmp

Filesize
4KB

Download
memory/2840-37-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2840-9-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2840-11-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2840-10-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2840-8-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2840-0-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2840-1-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2840-2-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2840-3-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads