blackmoon | 85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7 | Triage

Submit
Reports

Overview

overview

Static

static

3

85e67caed2...f7.exe

windows7-x64

85e67caed2...f7.exe

windows10-2004-x64

Sharing

General

Target

85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7
Size

7.9MB
Sample

240524-pvh59ace5t
MD5

d32f78a71fd09d09c544f05e8dd3d40c
SHA1

767ddca3599eab75b14e6539ccbd95b17e66cf86
SHA256

85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7
SHA512

23e469e09426abda7ec0587b4676f2eb375864aac77bc8cb103b5880ac2b7509a3a1c4a6be636cb4f88376d0950fab46e825e6b40f2c58c764c696fab827c599
SSDEEP

196608:hh32TxDNiotZgs21BRLdoQlSOLM8gYQ9HPDPiVp:bmTF4otZoBRC0tL9gYQ9HmVp

Score

10^/10

blackmoon banker persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe

Resource

win7-20240221-en

blackmoon banker persistence trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe

Resource

win10v2004-20240426-en

blackmoon banker persistence trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7
- Size
  
  7.9MB
- MD5
  
  d32f78a71fd09d09c544f05e8dd3d40c
- SHA1
  
  767ddca3599eab75b14e6539ccbd95b17e66cf86
- SHA256
  
  85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7
- SHA512
  
  23e469e09426abda7ec0587b4676f2eb375864aac77bc8cb103b5880ac2b7509a3a1c4a6be636cb4f88376d0950fab46e825e6b40f2c58c764c696fab827c599
- SSDEEP
  
  196608:hh32TxDNiotZgs21BRLdoQlSOLM8gYQ9HPDPiVp:bmTF4otZoBRC0tL9gYQ9HmVp
Score

10^/10

blackmoon banker persistence trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Adds policy Run key to start application
  persistence
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

blackmoonbankerpersistencetrojan

behavioral2

blackmoonbankerpersistencetrojan

© 2018-2024

Terms | Privacy