blackmoon | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7

General

Target

7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
Size

9.5MB
MD5

84d7cbb723c1ba711b069377f4b54b8b
SHA1

0bfa62d923644a537649b34b832b6a3ceeb9333c
SHA256

7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7
SHA512

7950226be8800beddda43e43613711fb5f37233af41a0ff3fbaa592c1905052c51f719d293e844246fed4918151d7b6886c1868d03513bcedefebde230330d4b
SSDEEP

196608:ZILJcDKlFBqkwDxURK8vyqByLdlf3hRQIgLKNc:ZgODKlFBqHayOclfhRQIG2c

Score

10^/10

blackmoon banker spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Ä§Óò\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Ä§Óò\D5F24BC4FB8AC171.exe	family_blackmoon

Executes dropped EXE 2 IoCs

Processes:

7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exeD5F24BC4FB8AC171.exe

pid process

3872 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
5104 D5F24BC4FB8AC171.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe

description	pid	process
Token: SeDebugPrivilege	60	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
Token: SeDebugPrivilege	60	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
Token: SeDebugPrivilege	3872	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
Token: SeDebugPrivilege	3872	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
Token: SeDebugPrivilege	3872	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe

pid	process
3872	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
60	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe

pid	process
3872	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
60	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exeD5F24BC4FB8AC171.exe

pid	process
60	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
3872	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
5104	D5F24BC4FB8AC171.exe
5104	D5F24BC4FB8AC171.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe

description	pid	process	target process
PID 60 wrote to memory of 3872	60	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
PID 60 wrote to memory of 3872	60	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
PID 60 wrote to memory of 3872	60	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
PID 3872 wrote to memory of 5104	3872	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe	D5F24BC4FB8AC171.exe
PID 3872 wrote to memory of 5104	3872	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe	D5F24BC4FB8AC171.exe
PID 3872 wrote to memory of 5104	3872	7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe	D5F24BC4FB8AC171.exe

C:\Users\Admin\AppData\Local\Temp\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
"C:\Users\Admin\AppData\Local\Temp\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\AppData\Roaming\Ä§Óò\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
"C:\Users\Admin\AppData\Roaming\Ä§Óò\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Roaming\Ä§Óò\D5F24BC4FB8AC171.exe
"C:\Users\Admin\AppData\Roaming\Ä§Óò\D5F24BC4FB8AC171.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ä§Óò\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
Filesize
9.5MB

MD5
84d7cbb723c1ba711b069377f4b54b8b

SHA1
0bfa62d923644a537649b34b832b6a3ceeb9333c

SHA256
7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7

SHA512
7950226be8800beddda43e43613711fb5f37233af41a0ff3fbaa592c1905052c51f719d293e844246fed4918151d7b6886c1868d03513bcedefebde230330d4b

Download Submit
C:\Users\Admin\AppData\Roaming\Ä§Óò\D5F24BC4FB8AC171.exe
Filesize
9.0MB

MD5
87c18ed11024984d6bdf0aff810c89ea

SHA1
9da51cac8acc292445452a4c102650c8ccfc24aa

SHA256
7874d03354836ea8632264c475ba3bea89b497d2fa6863b31a78372e4715d8e2

SHA512
3fcda14a97f6e80be600b3ef7845aaed04a6075fa410a7565c4b916c55b4107435cb5a83625f80457403b9a61901c84f7ade09cf30f639d09295fffb6cc6cf77

Download Submit
C:\Users\Admin\Desktop\Ä§Óò.lnk
Filesize
1KB

MD5
ebfd609f773be4d9a5170dd491930c16

SHA1
f01d1e3a9083f5b8459d0c3dd11ad4d837a864fb

SHA256
e9db302dd77aa9bbefef2b84e709fae0f2a01aeeba8e98b928c4154fbc64541a

SHA512
01faeeb43968206c6f6d6cbb61ff17dd0e328949e97be41d1b3d496a4c0fadf958c982228ee239c2ad50362574ae610420c43841877aa72a3c62b2ddb2254b39

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads