blackmoon | 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb

General

Target

09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
Size

10.2MB
MD5

b3991b3ab21beae0511ead9c1f1d9da7
SHA1

2eac3c6ab582431b9915cdfa16f25f0f95be22fb
SHA256

09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb
SHA512

4fe1445aba6f0a1eb0222f3c2b60d8cbd9dc70d648941fa8c6af69917181a547a4296bee57c591cb41e474b363dc9592a3da1038e33a5560153d1cb1829ad784
SSDEEP

49152:i18You03cT8xUGvYD2BXh/KYJESnoX1IwSTnyhtxB+XywheZZXfpd8extOJcCjGe:NtswUG6ShSYs4ybzFhdLOzZYyFpz

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2260-14-0x0000000010000000-0x0000000010097000-memory.dmp	family_blackmoon

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

l44bNB1X.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	l44bNB1X.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\l44bNB1X = "C:\\ProgramData\\TTQQinstall\\{QfAGF90sE405Z9760Ndh}\\l44bNB1X.exe"	l44bNB1X.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\TTQQinstall\{QfAGF90sE405Z9760Ndh}\ctxmui.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

l44bNB1X.exe

pid process

2260 l44bNB1X.exe
Loads dropped DLL 1 IoCs

Processes:

l44bNB1X.exe

pid process

2260 l44bNB1X.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

l44bNB1X.exe

pid process

2260 l44bNB1X.exe
2260 l44bNB1X.exe
2260 l44bNB1X.exe
2260 l44bNB1X.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

l44bNB1X.exe

description pid process

Token: SeDebugPrivilege 2260 l44bNB1X.exe

pid	process
2260	l44bNB1X.exe

pid	process
2260	l44bNB1X.exe

pid	process
2260	l44bNB1X.exe
2260	l44bNB1X.exe
2260	l44bNB1X.exe
2260	l44bNB1X.exe

description	pid	process
Token: SeDebugPrivilege	2260	l44bNB1X.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exel44bNB1X.exe

pid	process
2860	09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
1812	09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
2260	l44bNB1X.exe
2260	l44bNB1X.exe
2260	l44bNB1X.exe
2260	l44bNB1X.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe

description	pid	process	target process
PID 2860 wrote to memory of 1812	2860	09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe	09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
PID 2860 wrote to memory of 1812	2860	09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe	09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
PID 2860 wrote to memory of 1812	2860	09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe	09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
PID 1812 wrote to memory of 2260	1812	09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe	l44bNB1X.exe
PID 1812 wrote to memory of 2260	1812	09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe	l44bNB1X.exe
PID 1812 wrote to memory of 2260	1812	09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe	l44bNB1X.exe
PID 1812 wrote to memory of 2260	1812	09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe	l44bNB1X.exe

C:\Users\Admin\AppData\Local\Temp\09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
"C:\Users\Admin\AppData\Local\Temp\09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
C:\Users\Admin\AppData\Local\Temp\09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe 490A300A560A5A0A780A650A6D0A780A6B0A670A4E0A6B0A7E0A6B0A560A5E0A5E0A5B0A5B0A630A640A790A7E0A6B0A660A660A560A710A5B0A6C0A4B0A4D0A4C0A330A3A0A790A4F0A3E0A3A0A3F0A500A330A3D0A3C0A3A0A440A6E0A620A770A560A660A3E0A3E0A680A440A480A3B0A520A-2
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812

C:\ProgramData\TTQQinstall\{QfAGF90sE405Z9760Ndh}\l44bNB1X.exe
"C:\ProgramData\TTQQinstall\{QfAGF90sE405Z9760Ndh}\l44bNB1X.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TTQQinstall\{QfAGF90sE405Z9760Ndh}\ctxmui.dll
Filesize
390KB

MD5
c77f430fa7442382402d2f86d7bd49de

SHA1
75517e2a5a6d9d98c49bc429b96d5ec31e420a30

SHA256
c229f622424c9643e51930f601a979c14773eaae037fabe099bed393f8f6c507

SHA512
36aaece801c8642476b7fe61d7b030495b7865d7dd1555e297b9dda4c67b3ea0e3c111a3049fd267ab401cbd7eed998aa51e9610a13030f78b34c2724d7c122d

Download Submit
C:\ProgramData\TTQQinstall\{QfAGF90sE405Z9760Ndh}\l44bNB1X.exe
Filesize
30KB

MD5
9e80b662cc6335824592af506a46c20c

SHA1
76f447db453e28835de09f7c865f373903bb50b4

SHA256
18716cd861b4de03f9d2ea9b32c4bed8473cf7e09410d04b5bb3db70be3863c1

SHA512
ea304340afe0137f7920c4ceeb0fbe226638339ba2b0b9f742770bee49cdd8b0dea886ce47c80cd1c5840654e67ecda5c61ece09fa0a0f00176aff0c222e58ae

Download Submit
C:\ProgramData\TTQQinstall\{QfAGF90sE405Z9760Ndh}\l44bNB1X.txt
Filesize
269B

MD5
38296012d815bf39eb65962a77395abd

SHA1
f07c54d99c6a6648a086a630bdc40f2e9afcab2e

SHA256
1857e9e8c85448caaf4a0206331e1a8362987bf628bc6b4530489a58e1d379a1

SHA512
e2c109bc3bab70f7cd504b9ce10762c7444d39458fa9e1b28cc17be5dc7c3317a9d45ec0ca8dd4584b93b2e3e9b7d91fd7fef7a3027cc28d90a7372869d8b585

Download Submit
memory/2260-21-0x00000000006D0000-0x0000000000726000-memory.dmp

Filesize
344KB

Download
memory/2260-26-0x0000000004530000-0x00000000046A5000-memory.dmp

Filesize
1.5MB

Download
memory/2260-11-0x0000000002520000-0x0000000002607000-memory.dmp

Filesize
924KB

Download
memory/2260-13-0x0000000002520000-0x0000000002607000-memory.dmp

Filesize
924KB

Download
memory/2260-9-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2260-14-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/2260-15-0x0000000004310000-0x0000000004521000-memory.dmp

Filesize
2.1MB

Download
memory/2260-19-0x0000000002420000-0x000000000250B000-memory.dmp

Filesize
940KB

Download
memory/2260-22-0x0000000002420000-0x000000000250B000-memory.dmp

Filesize
940KB

Download
memory/2260-8-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/2260-25-0x0000000004530000-0x00000000046A5000-memory.dmp

Filesize
1.5MB

Download
memory/2260-10-0x0000000002520000-0x0000000002607000-memory.dmp

Filesize
924KB

Download
memory/2260-24-0x0000000002BC0000-0x0000000002C59000-memory.dmp

Filesize
612KB

Download
memory/2260-28-0x00000000033F0000-0x0000000003442000-memory.dmp

Filesize
328KB

Download
memory/2260-29-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2260-30-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2260-31-0x0000000004310000-0x0000000004521000-memory.dmp

Filesize
2.1MB

Download
memory/2260-32-0x00000000033F0000-0x0000000003442000-memory.dmp

Filesize
328KB

Download
memory/2260-33-0x0000000002520000-0x0000000002607000-memory.dmp

Filesize
924KB

Download
memory/2260-34-0x0000000004310000-0x0000000004521000-memory.dmp

Filesize
2.1MB

Download
memory/2260-35-0x0000000002420000-0x000000000250B000-memory.dmp

Filesize
940KB

Download
memory/2260-36-0x0000000002BC0000-0x0000000002C59000-memory.dmp

Filesize
612KB

Download
memory/2260-37-0x0000000004530000-0x00000000046A5000-memory.dmp

Filesize
1.5MB

Download
memory/2260-38-0x00000000033F0000-0x0000000003442000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads