blackmoon | 85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7

General

Target

85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe
Size

7.9MB
MD5

d32f78a71fd09d09c544f05e8dd3d40c
SHA1

767ddca3599eab75b14e6539ccbd95b17e66cf86
SHA256

85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7
SHA512

23e469e09426abda7ec0587b4676f2eb375864aac77bc8cb103b5880ac2b7509a3a1c4a6be636cb4f88376d0950fab46e825e6b40f2c58c764c696fab827c599
SSDEEP

196608:hh32TxDNiotZgs21BRLdoQlSOLM8gYQ9HPDPiVp:bmTF4otZoBRC0tL9gYQ9HmVp

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/2592-46-0x0000000010000000-0x0000000010097000-memory.dmp	family_blackmoon

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	20GU6JZ92A.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\20GU6JZ92A = "C:\\ProgramData\\TTQQinstall\\{i392751vDk83z}\\20GU6JZ92A.exe"	20GU6JZ92A.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000014b12-39.dat	acprotect

Executes dropped EXE 4 IoCs

pid	Process
2116	壹游1.70月卡合击.exe
2584	壹游1.70月卡合.exe
2688	壹游1.70月卡合.exe
2592	20GU6JZ92A.exe

Loads dropped DLL 7 IoCs

pid	Process
2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe
2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe
2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe
2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe
2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe
2584	壹游1.70月卡合.exe
2592	20GU6JZ92A.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	壹游1.70月卡合击.exe
File opened (read-only)	\??\I:	壹游1.70月卡合击.exe
File opened (read-only)	\??\K:	壹游1.70月卡合击.exe
File opened (read-only)	\??\L:	壹游1.70月卡合击.exe
File opened (read-only)	\??\M:	壹游1.70月卡合击.exe
File opened (read-only)	\??\R:	壹游1.70月卡合击.exe
File opened (read-only)	\??\S:	壹游1.70月卡合击.exe
File opened (read-only)	\??\U:	壹游1.70月卡合击.exe
File opened (read-only)	\??\H:	壹游1.70月卡合击.exe
File opened (read-only)	\??\J:	壹游1.70月卡合击.exe
File opened (read-only)	\??\O:	壹游1.70月卡合击.exe
File opened (read-only)	\??\P:	壹游1.70月卡合击.exe
File opened (read-only)	\??\T:	壹游1.70月卡合击.exe
File opened (read-only)	\??\V:	壹游1.70月卡合击.exe
File opened (read-only)	\??\W:	壹游1.70月卡合击.exe
File opened (read-only)	\??\Z:	壹游1.70月卡合击.exe
File opened (read-only)	\??\G:	壹游1.70月卡合击.exe
File opened (read-only)	\??\N:	壹游1.70月卡合击.exe
File opened (read-only)	\??\Q:	壹游1.70月卡合击.exe
File opened (read-only)	\??\Y:	壹游1.70月卡合击.exe
File opened (read-only)	\??\E:	壹游1.70月卡合击.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	壹游1.70月卡合击.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	壹游1.70月卡合击.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	壹游1.70月卡合击.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	壹游1.70月卡合击.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	壹游1.70月卡合击.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	壹游1.70月卡合击.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2592	20GU6JZ92A.exe
2592	20GU6JZ92A.exe
2592	20GU6JZ92A.exe
2592	20GU6JZ92A.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	20GU6JZ92A.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2584	壹游1.70月卡合.exe
2688	壹游1.70月卡合.exe
2592	20GU6JZ92A.exe
2592	20GU6JZ92A.exe
2592	20GU6JZ92A.exe
2592	20GU6JZ92A.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2116	2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	28
PID 2340 wrote to memory of 2116	2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	28
PID 2340 wrote to memory of 2116	2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	28
PID 2340 wrote to memory of 2116	2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	28
PID 2340 wrote to memory of 2584	2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	29
PID 2340 wrote to memory of 2584	2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	29
PID 2340 wrote to memory of 2584	2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	29
PID 2340 wrote to memory of 2584	2340	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	29
PID 2584 wrote to memory of 2688	2584	壹游1.70月卡合.exe	30
PID 2584 wrote to memory of 2688	2584	壹游1.70月卡合.exe	30
PID 2584 wrote to memory of 2688	2584	壹游1.70月卡合.exe	30
PID 2688 wrote to memory of 2592	2688	壹游1.70月卡合.exe	31
PID 2688 wrote to memory of 2592	2688	壹游1.70月卡合.exe	31
PID 2688 wrote to memory of 2592	2688	壹游1.70月卡合.exe	31
PID 2688 wrote to memory of 2592	2688	壹游1.70月卡合.exe	31

C:\Users\Admin\AppData\Local\Temp\85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe
"C:\Users\Admin\AppData\Local\Temp\85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340
- C:\ProgramData\TTQQinstall\壹游1.70月卡合击.exe
  "C:\ProgramData\TTQQinstall\壹游1.70月卡合击.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2116
- C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe
  "C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe
    C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe 490A300A560A5A0A780A650A6D0A780A6B0A670A4E0A6B0A7E0A6B0A560A5E0A5E0A5B0A5B0A630A640A790A7E0A6B0A660A660A560A710A630A390A330A380A3D0A3F0A3B0A7C0A4E0A610A320A390A700A770A560A380A3A0A4D0A5F0A3C0A400A500A330A380A4B0A-2
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\ProgramData\TTQQinstall\{i392751vDk83z}\20GU6JZ92A.exe
      "C:\ProgramData\TTQQinstall\{i392751vDk83z}\20GU6JZ92A.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TTQQinstall\{i392751vDk83z}\20GU6JZ92A.exe

Filesize
30KB

MD5
9e80b662cc6335824592af506a46c20c

SHA1
76f447db453e28835de09f7c865f373903bb50b4

SHA256
18716cd861b4de03f9d2ea9b32c4bed8473cf7e09410d04b5bb3db70be3863c1

SHA512
ea304340afe0137f7920c4ceeb0fbe226638339ba2b0b9f742770bee49cdd8b0dea886ce47c80cd1c5840654e67ecda5c61ece09fa0a0f00176aff0c222e58ae

Download Submit
C:\ProgramData\TTQQinstall\{i392751vDk83z}\20GU6JZ92A.txt

Filesize
269B

MD5
38296012d815bf39eb65962a77395abd

SHA1
f07c54d99c6a6648a086a630bdc40f2e9afcab2e

SHA256
1857e9e8c85448caaf4a0206331e1a8362987bf628bc6b4530489a58e1d379a1

SHA512
e2c109bc3bab70f7cd504b9ce10762c7444d39458fa9e1b28cc17be5dc7c3317a9d45ec0ca8dd4584b93b2e3e9b7d91fd7fef7a3027cc28d90a7372869d8b585

Download Submit
C:\ProgramData\TTQQinstall\{i392751vDk83z}\ctxmui.dll

Filesize
390KB

MD5
c77f430fa7442382402d2f86d7bd49de

SHA1
75517e2a5a6d9d98c49bc429b96d5ec31e420a30

SHA256
c229f622424c9643e51930f601a979c14773eaae037fabe099bed393f8f6c507

SHA512
36aaece801c8642476b7fe61d7b030495b7865d7dd1555e297b9dda4c67b3ea0e3c111a3049fd267ab401cbd7eed998aa51e9610a13030f78b34c2724d7c122d

Download Submit
\ProgramData\TTQQinstall\壹游1.70月卡合.exe

Filesize
10.2MB

MD5
b3991b3ab21beae0511ead9c1f1d9da7

SHA1
2eac3c6ab582431b9915cdfa16f25f0f95be22fb

SHA256
09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb

SHA512
4fe1445aba6f0a1eb0222f3c2b60d8cbd9dc70d648941fa8c6af69917181a547a4296bee57c591cb41e474b363dc9592a3da1038e33a5560153d1cb1829ad784

Download Submit
\ProgramData\TTQQinstall\壹游1.70月卡合击.exe

Filesize
5.2MB

MD5
77ec837714fdd0dc1836dc6929f47acc

SHA1
c6d52a05ad944488fa88970006f164f1bc798b10

SHA256
7c8a167b5b33f983f05cec03df0501f173d8eda6496c520d904043934df1cb5d

SHA512
a92fb499bd52e59fa90b2ca2856101573903f71404c3b01fabe6d5cebf3872da79ad83b8fe4988dcc2c4405bd9e12038fba56eb668df12c8efc1575a262c731e

Download Submit
memory/2116-30-0x0000000000400000-0x0000000000CC3000-memory.dmp

Filesize
8.8MB

Download
memory/2116-31-0x0000000000400000-0x0000000000CC3000-memory.dmp

Filesize
8.8MB

Download
memory/2116-29-0x0000000000400000-0x0000000000CC3000-memory.dmp

Filesize
8.8MB

Download
memory/2116-34-0x0000000000400000-0x0000000000CC3000-memory.dmp

Filesize
8.8MB

Download
memory/2340-25-0x0000000003D40000-0x0000000004603000-memory.dmp

Filesize
8.8MB

Download
memory/2340-18-0x0000000003D40000-0x0000000004603000-memory.dmp

Filesize
8.8MB

Download
memory/2340-17-0x0000000003D40000-0x0000000004603000-memory.dmp

Filesize
8.8MB

Download
memory/2592-42-0x0000000002340000-0x0000000002427000-memory.dmp

Filesize
924KB

Download
memory/2592-44-0x0000000002340000-0x0000000002427000-memory.dmp

Filesize
924KB

Download
memory/2592-41-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/2592-46-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/2592-55-0x0000000004390000-0x000000000447B000-memory.dmp

Filesize
940KB

Download
memory/2592-58-0x0000000004970000-0x0000000004AE5000-memory.dmp

Filesize
1.5MB

Download
memory/2592-60-0x0000000003F70000-0x0000000004181000-memory.dmp

Filesize
2.1MB

Download
memory/2592-62-0x00000000028A0000-0x00000000028F2000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads