blackmoon | b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988

General

Target

b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
Size

14.8MB
MD5

b7e42c5d729af5810c633e4687bc4a2b
SHA1

810cd73f1db3f513df31640823baa004a8f1cf00
SHA256

b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988
SHA512

1597e958573f664b93bcfc6583c70f16bb7f388a4f8d7840daaa6c537658ec9b44c52066bb84e003f105a9063836afccdbab2bcbc3afda96e6d906a51b190f87
SSDEEP

393216:gPDPJepGNvUodC5g3LhAvxw5r/6Wv3bDj3dq:YBepGuR5g3LaarPLdq

Score

10^/10

blackmoon aspackv2 banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3428-1-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/3428-2-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/3428-3-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/3428-18-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/4004-21-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/4004-20-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/4004-19-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/4004-50-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\9SFÀ×öªÍò¾û\40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

pid process

4004 40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

pid	process
4004	40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

description	ioc	process
File opened (read-only)	\??\H:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\R:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\T:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\W:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\Y:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\S:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\E:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\G:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\J:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\L:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\M:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\O:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\Q:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\U:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\Z:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\B:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\I:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\N:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\P:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\A:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\K:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\V:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
File opened (read-only)	\??\X:	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

pid	process
3428	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
3428	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
3428	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
4004	40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
4004	40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
4004	40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

description	pid	process	target process
PID 3428 wrote to memory of 4004	3428	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe	40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
PID 3428 wrote to memory of 4004	3428	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe	40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
PID 3428 wrote to memory of 4004	3428	b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe	40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe

C:\Users\Admin\AppData\Local\Temp\b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
"C:\Users\Admin\AppData\Local\Temp\b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3428

C:\9SFÀ×öªÍò¾û\40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
C:\9SFÀ×öªÍò¾û\40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\9SFÀ×öªÍò¾û\40931b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988.exe
Filesize
14.8MB

MD5
b7e42c5d729af5810c633e4687bc4a2b

SHA1
810cd73f1db3f513df31640823baa004a8f1cf00

SHA256
b5338a51cf4a0fc419e21ce160bfc810135c7c25fc034585c73bd380eaef0988

SHA512
1597e958573f664b93bcfc6583c70f16bb7f388a4f8d7840daaa6c537658ec9b44c52066bb84e003f105a9063836afccdbab2bcbc3afda96e6d906a51b190f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c039c99da555107bb9419756c9e4450.txt
Filesize
15B

MD5
497bf022493f3514f261b6ca92377c76

SHA1
91c1ca15bfbef475dd62cd8a89dae3c1dd5855ea

SHA256
9ae34ca360510d594d068b6eaf432159cc5902c65105ada3ba6f03bdff1b0714

SHA512
43bfe70d6407962e0d9e017942ceab9dcf8925273713e17ef88acd8edd6f2a56741201cd7bfa8aa55c0f0aac488b6d5e57820b05923145ba03f149c2817e8419

Download Submit
memory/3428-7-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/3428-3-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3428-9-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/3428-8-0x0000000003A10000-0x0000000003A11000-memory.dmp

Filesize
4KB

Download
memory/3428-0-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3428-2-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3428-18-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3428-1-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/4004-17-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/4004-21-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/4004-20-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/4004-19-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/4004-50-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads