blackmoon | 60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b

General

Target

60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
Size

4.7MB
MD5

e8d2018514da477fc1c3e218a24125d6
SHA1

6d7cfc49bb0929c2eb0f4028fe97983b876516cc
SHA256

60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b
SHA512

98446881984402431b960ae7bd4faa1c420b5e2c0ebca2bb1bba01e070fc314884ce97b690f7211da76b3baabb17c1a4e773c63168bc97fbe38339babc68f303
SSDEEP

98304:ABTTPtxvAOlouIZdRytp5UJ8rA9s9o36B:rHm2J8rACn

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\ProgramData\cande\{xpo2ctL7ppp3b}\winfsp-x86.dll	family_blackmoon

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DgjOsDW383p.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	DgjOsDW383p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DgjOsDW383p = "C:\\ProgramData\\cande\\{xpo2ctL7ppp3b}\\DgjOsDW383p.exe"	DgjOsDW383p.exe

Executes dropped EXE 1 IoCs

Processes:

DgjOsDW383p.exe

pid process

2748 DgjOsDW383p.exe
Loads dropped DLL 2 IoCs

Processes:

60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exeDgjOsDW383p.exe

pid process

1516 60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
2748 DgjOsDW383p.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DgjOsDW383p.exe

pid process

2748 DgjOsDW383p.exe
2748 DgjOsDW383p.exe
2748 DgjOsDW383p.exe
2748 DgjOsDW383p.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DgjOsDW383p.exe

description pid process

Token: SeDebugPrivilege 2748 DgjOsDW383p.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

DgjOsDW383p.exe

pid process

2748 DgjOsDW383p.exe
2748 DgjOsDW383p.exe
2748 DgjOsDW383p.exe
2748 DgjOsDW383p.exe

pid	process
2748	DgjOsDW383p.exe

pid	process
1516	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
2748	DgjOsDW383p.exe

pid	process
2748	DgjOsDW383p.exe
2748	DgjOsDW383p.exe
2748	DgjOsDW383p.exe
2748	DgjOsDW383p.exe

description	pid	process
Token: SeDebugPrivilege	2748	DgjOsDW383p.exe

pid	process
2748	DgjOsDW383p.exe
2748	DgjOsDW383p.exe
2748	DgjOsDW383p.exe
2748	DgjOsDW383p.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe

description	pid	process	target process
PID 2896 wrote to memory of 1516	2896	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
PID 2896 wrote to memory of 1516	2896	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
PID 2896 wrote to memory of 1516	2896	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
PID 2896 wrote to memory of 1516	2896	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
PID 1516 wrote to memory of 2748	1516	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	DgjOsDW383p.exe
PID 1516 wrote to memory of 2748	1516	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	DgjOsDW383p.exe
PID 1516 wrote to memory of 2748	1516	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	DgjOsDW383p.exe
PID 1516 wrote to memory of 2748	1516	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	DgjOsDW383p.exe

C:\Users\Admin\AppData\Local\Temp\60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
"C:\Users\Admin\AppData\Local\Temp\60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\Temp\60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
C:\Users\Admin\AppData\Local\Temp\60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe 46053F055905550577056A05620577056405680541056405710564055905660564056B056105600559057E057D0575056A05370566057105490532057505750575053605670578055905410562056F054A0576054105520536053D0536057505--365
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516

C:\ProgramData\cande\{xpo2ctL7ppp3b}\DgjOsDW383p.exe
"C:\ProgramData\cande\{xpo2ctL7ppp3b}\DgjOsDW383p.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cande\{xpo2ctL7ppp3b}\DgjOsDW383p.txt
Filesize
369B

MD5
4bd2afe90974a48e19b9916c7b10ef08

SHA1
8ffbec325a46696244f42fb13565a894bcfe3f00

SHA256
af0b941914e0a9d7a65f049e9e7468dfd63e8afb465dc8849e9c56e985172ee7

SHA512
59517e502f146c705cff4810ba1a2e07c37dffdf7f20352a8c8dae671333e45697387f24563553fb6d872d7396bbcf5c791c07a956caa23783721deeddaffe73

Download Submit
C:\ProgramData\cande\{xpo2ctL7ppp3b}\winfsp-x86.dll
Filesize
3.3MB

MD5
e705514b37a15fe778a12406ea309f0c

SHA1
b517800efdfb174aa9ad14632e330a8043bd94e4

SHA256
b00df8776e786fdb006f315bfe68c404d76758582eae0f92c6398e109cfee036

SHA512
05ed9c0be82729c4219b83facb42dba6029aaff5545a1883cbcddb673ff0297b9abc69da6161b985545b7a24b9a022fe69ca506f96dc2524046dcb71ff611667

Download Submit
\ProgramData\cande\{xpo2ctL7ppp3b}\DgjOsDW383p.exe
Filesize
41KB

MD5
90f1cbf523b201c20adf2e6cb5a91e2d

SHA1
e485907216de02d71a127623d6d8b155fa25aafa

SHA256
84ef8cba9b668bf3c2f47cfe2efc6fb4821fada314959a36419443efe41967d2

SHA512
6d121b48dba3a48d7dceb0baad629b7ad195b7f47d267f8f3295cead8940836ced45abac716fd54504b603ad9d3eb57ffd2a36f2c3e183d65df051ceba694521

Download Submit
memory/2748-25-0x0000000004370000-0x000000000445B000-memory.dmp

Filesize
940KB

Download
memory/2748-28-0x0000000000BA0000-0x0000000000C39000-memory.dmp

Filesize
612KB

Download
memory/2748-15-0x00000000023B0000-0x0000000002497000-memory.dmp

Filesize
924KB

Download
memory/2748-16-0x00000000023B0000-0x0000000002497000-memory.dmp

Filesize
924KB

Download
memory/2748-18-0x00000000023B0000-0x0000000002497000-memory.dmp

Filesize
924KB

Download
memory/2748-12-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2748-19-0x0000000004150000-0x0000000004361000-memory.dmp

Filesize
2.1MB

Download
memory/2748-24-0x0000000004370000-0x000000000445B000-memory.dmp

Filesize
940KB

Download
memory/2748-23-0x0000000000B40000-0x0000000000B96000-memory.dmp

Filesize
344KB

Download
memory/2748-13-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2748-29-0x0000000004660000-0x00000000047D5000-memory.dmp

Filesize
1.5MB

Download
memory/2748-14-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2748-30-0x0000000004660000-0x00000000047D5000-memory.dmp

Filesize
1.5MB

Download
memory/2748-32-0x0000000000E50000-0x0000000000EA2000-memory.dmp

Filesize
328KB

Download
memory/2748-33-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2748-34-0x0000000004150000-0x0000000004361000-memory.dmp

Filesize
2.1MB

Download
memory/2748-35-0x0000000000E50000-0x0000000000EA2000-memory.dmp

Filesize
328KB

Download
memory/2748-36-0x00000000023B0000-0x0000000002497000-memory.dmp

Filesize
924KB

Download
memory/2748-37-0x0000000004150000-0x0000000004361000-memory.dmp

Filesize
2.1MB

Download
memory/2748-38-0x0000000000B40000-0x0000000000B96000-memory.dmp

Filesize
344KB

Download
memory/2748-39-0x0000000004370000-0x000000000445B000-memory.dmp

Filesize
940KB

Download
memory/2748-40-0x0000000000BA0000-0x0000000000C39000-memory.dmp

Filesize
612KB

Download
memory/2748-41-0x0000000004660000-0x00000000047D5000-memory.dmp

Filesize
1.5MB

Download
memory/2748-42-0x0000000000E50000-0x0000000000EA2000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads