blackmoon | 5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93

General

Target

5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
Size

14.7MB
MD5

967a03ef86521e8cb64023393be27b28
SHA1

c071cf1ee4a2246518c92816a44b1903ddd60431
SHA256

5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93
SHA512

befd72ac63261a3c1f0749782352b309f3bd9df28c84cec4548e8b8ebb9f60d9591816aabe8a43dc79119715b9bb7f036b11d4c2d80cc7bac86321556813fed4
SSDEEP

393216:gPDPnpGNvIodC5d3LhAvxz9cFIvyqEULXEU7ujUC:YPpGeR5d3LaTcivQJUCP

Score

10^/10

blackmoon aspackv2 banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1612-2-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/1612-1-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/1612-3-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/2036-16-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/2036-17-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/1612-21-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/2036-18-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/2036-20-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/2036-50-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\9SF÷ÈÓ°»ðÁú\387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe

pid process

2036 387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe

pid	process
2036	387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe

description	ioc	process
File opened (read-only)	\??\M:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\N:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\O:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\P:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\B:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\I:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\J:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\K:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\Q:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\T:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\Y:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\Z:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\A:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\S:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\U:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\X:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\W:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\E:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\H:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\L:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\V:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\G:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
File opened (read-only)	\??\R:	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe

pid	process
1612	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
1612	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
1612	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
2036	387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
2036	387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
2036	387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe

description	pid	process	target process
PID 1612 wrote to memory of 2036	1612	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe	387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
PID 1612 wrote to memory of 2036	1612	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe	387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
PID 1612 wrote to memory of 2036	1612	5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe	387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe

C:\Users\Admin\AppData\Local\Temp\5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
"C:\Users\Admin\AppData\Local\Temp\5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\9SF÷ÈÓ°»ðÁú\387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
C:\9SF÷ÈÓ°»ðÁú\387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\9SF÷ÈÓ°»ðÁú\387865cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93.exe
Filesize
14.7MB

MD5
967a03ef86521e8cb64023393be27b28

SHA1
c071cf1ee4a2246518c92816a44b1903ddd60431

SHA256
5cb5634fa445883e3d1ca828ba0efcba75fd97b91a9fedbc0b7ab78496465b93

SHA512
befd72ac63261a3c1f0749782352b309f3bd9df28c84cec4548e8b8ebb9f60d9591816aabe8a43dc79119715b9bb7f036b11d4c2d80cc7bac86321556813fed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5f4ea6fedd1b7d5266807530021576e.txt
Filesize
15B

MD5
de5457aafb5421c5795fd82717bf358d

SHA1
7c03b21066b98d88fe99965a08dd4dc2fdca1437

SHA256
fac9f80e1474b46be8ac3f115af291e080dbd5e3cfd74a1e3b797e5a0bb9b8be

SHA512
c57878687cfe486bb88c5ff263d4c76febf49eb198746b057185356fdefb5557f3de1464e3805718b392aa44c5be7a9c2e41935ff5198b3d010b0e6892049151

Download Submit
memory/1612-7-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/1612-3-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/1612-9-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/1612-8-0x0000000003A50000-0x0000000003A51000-memory.dmp

Filesize
4KB

Download
memory/1612-0-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/1612-1-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/1612-21-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/1612-2-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2036-16-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2036-17-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2036-18-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2036-20-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2036-50-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads