blackmoon | 60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b

General

Target

2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
Size

4.7MB
MD5

e8d2018514da477fc1c3e218a24125d6
SHA1

6d7cfc49bb0929c2eb0f4028fe97983b876516cc
SHA256

60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b
SHA512

98446881984402431b960ae7bd4faa1c420b5e2c0ebca2bb1bba01e070fc314884ce97b690f7211da76b3baabb17c1a4e773c63168bc97fbe38339babc68f303
SSDEEP

98304:ABTTPtxvAOlouIZdRytp5UJ8rA9s9o36B:rHm2J8rACn

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
\ProgramData\cande\{1NfU6JQmH2nGn8PX2o}\winfsp-x86.dll	family_blackmoon

UPX dump on OEP (original entry point) 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2572-18-0x00000000023C0000-0x00000000024A7000-memory.dmp	UPX
behavioral1/memory/2572-16-0x00000000023C0000-0x00000000024A7000-memory.dmp	UPX
behavioral1/memory/2572-15-0x00000000023C0000-0x00000000024A7000-memory.dmp	UPX
behavioral1/memory/2572-19-0x0000000004310000-0x0000000004521000-memory.dmp	UPX
behavioral1/memory/2572-24-0x0000000004530000-0x000000000461B000-memory.dmp	UPX
behavioral1/memory/2572-23-0x0000000000AF0000-0x0000000000B46000-memory.dmp	UPX
behavioral1/memory/2572-25-0x0000000004530000-0x000000000461B000-memory.dmp	UPX
behavioral1/memory/2572-28-0x0000000004810000-0x00000000048A9000-memory.dmp	UPX
behavioral1/memory/2572-29-0x0000000004DB0000-0x0000000004F25000-memory.dmp	UPX
behavioral1/memory/2572-30-0x0000000004DB0000-0x0000000004F25000-memory.dmp	UPX
behavioral1/memory/2572-34-0x0000000004310000-0x0000000004521000-memory.dmp	UPX
behavioral1/memory/2572-36-0x00000000023C0000-0x00000000024A7000-memory.dmp	UPX
behavioral1/memory/2572-37-0x0000000004310000-0x0000000004521000-memory.dmp	UPX
behavioral1/memory/2572-38-0x0000000000AF0000-0x0000000000B46000-memory.dmp	UPX
behavioral1/memory/2572-39-0x0000000004530000-0x000000000461B000-memory.dmp	UPX
behavioral1/memory/2572-40-0x0000000004810000-0x00000000048A9000-memory.dmp	UPX
behavioral1/memory/2572-41-0x0000000004DB0000-0x0000000004F25000-memory.dmp	UPX

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2KpRcn6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2KpRcn6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\2KpRcn6 = "C:\\ProgramData\\cande\\{1NfU6JQmH2nGn8PX2o}\\2KpRcn6.exe"	2KpRcn6.exe

Executes dropped EXE 1 IoCs

Processes:

2KpRcn6.exe

pid process

2572 2KpRcn6.exe
Loads dropped DLL 2 IoCs

Processes:

2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe2KpRcn6.exe

pid process

1752 2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
2572 2KpRcn6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2KpRcn6.exe

pid process

2572 2KpRcn6.exe
2572 2KpRcn6.exe
2572 2KpRcn6.exe
2572 2KpRcn6.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2KpRcn6.exe

description pid process

Token: SeDebugPrivilege 2572 2KpRcn6.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

2KpRcn6.exe

pid process

2572 2KpRcn6.exe
2572 2KpRcn6.exe
2572 2KpRcn6.exe
2572 2KpRcn6.exe

pid	process
2572	2KpRcn6.exe

pid	process
1752	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
2572	2KpRcn6.exe

pid	process
2572	2KpRcn6.exe
2572	2KpRcn6.exe
2572	2KpRcn6.exe
2572	2KpRcn6.exe

description	pid	process
Token: SeDebugPrivilege	2572	2KpRcn6.exe

pid	process
2572	2KpRcn6.exe
2572	2KpRcn6.exe
2572	2KpRcn6.exe
2572	2KpRcn6.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe

description	pid	process	target process
PID 780 wrote to memory of 1752	780	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
PID 780 wrote to memory of 1752	780	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
PID 780 wrote to memory of 1752	780	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
PID 780 wrote to memory of 1752	780	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
PID 1752 wrote to memory of 2572	1752	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe	2KpRcn6.exe
PID 1752 wrote to memory of 2572	1752	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe	2KpRcn6.exe
PID 1752 wrote to memory of 2572	1752	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe	2KpRcn6.exe
PID 1752 wrote to memory of 2572	1752	2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe	2KpRcn6.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe 46053F055905550577056A05620577056405680541056405710564055905660564056B056105600559057E0534054B056305500533054F05540568054D0537056B0542056B053D0555055D0537056A057805590537054E057505570566056B053305--365
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\ProgramData\cande\{1NfU6JQmH2nGn8PX2o}\2KpRcn6.exe
"C:\ProgramData\cande\{1NfU6JQmH2nGn8PX2o}\2KpRcn6.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cande\{1NfU6JQmH2nGn8PX2o}\2KpRcn6.exe
Filesize
41KB

MD5
90f1cbf523b201c20adf2e6cb5a91e2d

SHA1
e485907216de02d71a127623d6d8b155fa25aafa

SHA256
84ef8cba9b668bf3c2f47cfe2efc6fb4821fada314959a36419443efe41967d2

SHA512
6d121b48dba3a48d7dceb0baad629b7ad195b7f47d267f8f3295cead8940836ced45abac716fd54504b603ad9d3eb57ffd2a36f2c3e183d65df051ceba694521

Download Submit
C:\ProgramData\cande\{1NfU6JQmH2nGn8PX2o}\2KpRcn6.txt
Filesize
369B

MD5
4bd2afe90974a48e19b9916c7b10ef08

SHA1
8ffbec325a46696244f42fb13565a894bcfe3f00

SHA256
af0b941914e0a9d7a65f049e9e7468dfd63e8afb465dc8849e9c56e985172ee7

SHA512
59517e502f146c705cff4810ba1a2e07c37dffdf7f20352a8c8dae671333e45697387f24563553fb6d872d7396bbcf5c791c07a956caa23783721deeddaffe73

Download Submit
\ProgramData\cande\{1NfU6JQmH2nGn8PX2o}\winfsp-x86.dll
Filesize
3.3MB

MD5
e705514b37a15fe778a12406ea309f0c

SHA1
b517800efdfb174aa9ad14632e330a8043bd94e4

SHA256
b00df8776e786fdb006f315bfe68c404d76758582eae0f92c6398e109cfee036

SHA512
05ed9c0be82729c4219b83facb42dba6029aaff5545a1883cbcddb673ff0297b9abc69da6161b985545b7a24b9a022fe69ca506f96dc2524046dcb71ff611667

Download Submit
memory/2572-25-0x0000000004530000-0x000000000461B000-memory.dmp

Filesize
940KB

Download
memory/2572-29-0x0000000004DB0000-0x0000000004F25000-memory.dmp

Filesize
1.5MB

Download
memory/2572-18-0x00000000023C0000-0x00000000024A7000-memory.dmp

Filesize
924KB

Download
memory/2572-15-0x00000000023C0000-0x00000000024A7000-memory.dmp

Filesize
924KB

Download
memory/2572-14-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2572-12-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2572-19-0x0000000004310000-0x0000000004521000-memory.dmp

Filesize
2.1MB

Download
memory/2572-24-0x0000000004530000-0x000000000461B000-memory.dmp

Filesize
940KB

Download
memory/2572-23-0x0000000000AF0000-0x0000000000B46000-memory.dmp

Filesize
344KB

Download
memory/2572-13-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2572-28-0x0000000004810000-0x00000000048A9000-memory.dmp

Filesize
612KB

Download
memory/2572-16-0x00000000023C0000-0x00000000024A7000-memory.dmp

Filesize
924KB

Download
memory/2572-30-0x0000000004DB0000-0x0000000004F25000-memory.dmp

Filesize
1.5MB

Download
memory/2572-32-0x0000000002260000-0x00000000022B2000-memory.dmp

Filesize
328KB

Download
memory/2572-33-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2572-34-0x0000000004310000-0x0000000004521000-memory.dmp

Filesize
2.1MB

Download
memory/2572-35-0x0000000002260000-0x00000000022B2000-memory.dmp

Filesize
328KB

Download
memory/2572-36-0x00000000023C0000-0x00000000024A7000-memory.dmp

Filesize
924KB

Download
memory/2572-37-0x0000000004310000-0x0000000004521000-memory.dmp

Filesize
2.1MB

Download
memory/2572-38-0x0000000000AF0000-0x0000000000B46000-memory.dmp

Filesize
344KB

Download
memory/2572-39-0x0000000004530000-0x000000000461B000-memory.dmp

Filesize
940KB

Download
memory/2572-40-0x0000000004810000-0x00000000048A9000-memory.dmp

Filesize
612KB

Download
memory/2572-41-0x0000000004DB0000-0x0000000004F25000-memory.dmp

Filesize
1.5MB

Download
memory/2572-42-0x0000000002260000-0x00000000022B2000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads