blackmoon | af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415

General

Target

af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
Size

15.9MB
MD5

d654e7e7e0cc5eb6c947226d9db97f44
SHA1

77c9a230a34c0c623882ae73e8e5860aa48c7dba
SHA256

af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415
SHA512

cacf217c24f47defd6f8d8a0cb39ae53446c9253b0ac77f93ffc648beaafc6d4104ab347f6c54172feec6b710dd3c452f739659414b468d54476d3be29c0c422
SSDEEP

393216:iOfkbacqN0WPLWTrPPi/wjYF4DpX/cUJ3r4FP:1fiqhaXP8aYFYp0W0t

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2084-6-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2084-7-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2084-8-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2084-10-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2084-9-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2084-46-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2488-48-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2488-81-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2488-82-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe

pid process

2488 11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
Loads dropped DLL 1 IoCs

Processes:

af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe

pid process

2084 af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe

pid	process
2488	11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe

description	ioc	process
File opened (read-only)	\??\Q:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\R:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\T:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\X:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\Y:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\G:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\H:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\O:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\M:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\N:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\U:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\B:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\E:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\J:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\Z:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\K:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\L:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\P:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\V:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\W:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\A:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\I:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
File opened (read-only)	\??\S:	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe

pid	process
2084	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
2084	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
2084	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
2488	11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
2488	11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
2488	11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe

description	pid	process	target process
PID 2084 wrote to memory of 2488	2084	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe	11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
PID 2084 wrote to memory of 2488	2084	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe	11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
PID 2084 wrote to memory of 2488	2084	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe	11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
PID 2084 wrote to memory of 2488	2084	af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe	11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe

C:\Users\Admin\AppData\Local\Temp\af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
"C:\Users\Admin\AppData\Local\Temp\af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084

C:\¡¶ÂåÑþ×¨Êô¡·\11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
C:\¡¶ÂåÑþ×¨Êô¡·\11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MEFTDE7Q\errorPageStrings[1]
Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\httpErrorPagesScripts[1]
Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\864369dde4e7c2fc9ed08c0ff162768a.txt
Filesize
16B

MD5
367128b34d713ace2ec909a731cb1861

SHA1
24c978593959b7c7ee45c40a5c1ac8dce3417374

SHA256
f0e67d2b451e7f95889cfd73d1fc76e6cc1011eb62049550fb480ff4d168d7fa

SHA512
a2ae80381ed539dbcc79b1f577ea0bcab7d0387759b026f0cc0327594a1f8d61475948fc1f4e0d8e9e075a20b86241f1c34f9c89f91fc2b380cbc82ada5b473a

Download Submit
\¡¶ÂåÑþ×¨Êô¡·\11361af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415.exe
Filesize
15.9MB

MD5
d654e7e7e0cc5eb6c947226d9db97f44

SHA1
77c9a230a34c0c623882ae73e8e5860aa48c7dba

SHA256
af2d10183adf141618f88f8f7a046b1b1a7f1aa53b3e93515360cf24ad233415

SHA512
cacf217c24f47defd6f8d8a0cb39ae53446c9253b0ac77f93ffc648beaafc6d4104ab347f6c54172feec6b710dd3c452f739659414b468d54476d3be29c0c422

Download Submit
memory/2084-7-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2084-47-0x000000000CDF0000-0x000000000D3EA000-memory.dmp

Filesize
6.0MB

Download
memory/2084-10-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2084-9-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2084-0-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2084-46-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2084-1-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/2084-8-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2084-45-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/2084-6-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2084-5-0x00000000004FF000-0x0000000000500000-memory.dmp

Filesize
4KB

Download
memory/2488-48-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2488-81-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2488-82-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads