blackmoon | 479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da

General

Target

479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
Size

14.7MB
MD5

5c6fb210d8da691453b79456b560ae90
SHA1

35b5b71cf2fc3293b5cce909b66fb77fa0526f7e
SHA256

479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da
SHA512

aad43980acb0ac3311301b5e7a9df6ccb09a0ebbbd3086730070480aabe7653dccd551cd5a11bd9e1d22dfefc0d789c74457c9233a44ebab928ed59cbb878f46
SSDEEP

393216:gPDP+pGNvLi8oIf73hW3qy/P3i6i84IH7kEjqpYFCC2:Y2pGl6If7RlEjJ4mwEjEUk

Score

10^/10

blackmoon aspackv2 banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2940-2-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2940-3-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2940-1-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2940-8-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2940-9-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2940-10-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2940-12-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2940-11-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2308-25-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2308-26-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2308-24-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2940-22-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2308-30-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2308-32-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2308-57-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral1/memory/2308-59-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\¹Å½£×¨Êô[VDY]\36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe

pid process

2308 36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
Loads dropped DLL 1 IoCs

Processes:

479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe

pid process

2940 479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe

pid	process
2308	36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe

description	ioc	process
File opened (read-only)	\??\K:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\M:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\N:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\P:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\Q:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\E:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\H:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\I:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\V:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\Y:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\B:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\R:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\Z:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\X:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\A:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\L:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\U:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\S:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\T:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\W:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\G:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\J:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
File opened (read-only)	\??\O:	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe

pid	process
2940	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
2940	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
2940	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
2308	36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
2308	36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
2308	36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe

description	pid	process	target process
PID 2940 wrote to memory of 2308	2940	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe	36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
PID 2940 wrote to memory of 2308	2940	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe	36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
PID 2940 wrote to memory of 2308	2940	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe	36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
PID 2940 wrote to memory of 2308	2940	479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe	36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe

C:\Users\Admin\AppData\Local\Temp\479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
"C:\Users\Admin\AppData\Local\Temp\479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940

C:\¹Å½£×¨Êô[VDY]\36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
C:\¹Å½£×¨Êô[VDY]\36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1699784ed9adee5113cb924e977ef1c2.txt
Filesize
17B

MD5
7acec360264d8b72b4fd728179d5cf66

SHA1
ab03e43c8fb570895da41ad5c68a1850d88175a9

SHA256
f971f123ae58b2d69e285ec53a61ad870df4e49b16758e700d8a101170c0a0a3

SHA512
eaee6c419d19827929af059fc7863b9557c9e0d79730ae99cdf6cdd6906f5789521b8792d21242d6e170649ba897ab248ef0b89ad718aa6e6186b6892443be01

Download Submit
C:\¹Å½£×¨Êô[VDY]\36080479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da.exe
Filesize
14.7MB

MD5
5c6fb210d8da691453b79456b560ae90

SHA1
35b5b71cf2fc3293b5cce909b66fb77fa0526f7e

SHA256
479a8e3fe4fe0d22c6fe2527ba47de243ea749d542f274a07a207714781331da

SHA512
aad43980acb0ac3311301b5e7a9df6ccb09a0ebbbd3086730070480aabe7653dccd551cd5a11bd9e1d22dfefc0d789c74457c9233a44ebab928ed59cbb878f46

Download Submit
memory/2308-59-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2308-57-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2308-32-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2308-30-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2308-24-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2308-26-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2308-25-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2308-23-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2940-8-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2940-11-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2940-12-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2940-10-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2940-9-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2940-22-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2940-21-0x0000000006C40000-0x0000000007166000-memory.dmp

Filesize
5.1MB

Download
memory/2940-0-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2940-7-0x000000000091E000-0x000000000091F000-memory.dmp

Filesize
4KB

Download
memory/2940-1-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2940-3-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/2940-2-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads