blackmoon | bafd54f03848de4dfef3c7e8cbdf5c5d743db75b8a1e6012d0380589e8b1abe5

General

Target

be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe
Size

274KB
MD5

be5183757aade6aaead3c0534a82d590
SHA1

356d496741833d1c7601ef7af4a214a609919513
SHA256

bafd54f03848de4dfef3c7e8cbdf5c5d743db75b8a1e6012d0380589e8b1abe5
SHA512

a86bb4c46f24c4b523f92a2663ee43e956b8b4c44b9e966585d6ebe1720d49e46fd9ff64b854b4b521dc558d7cac05ce27a5a4be5cc4931a97018fca6fea5776
SSDEEP

6144:Rds8mzWmX7O5KsZT1kT7lEjvjmAtpnjpo:Rds8XpKsZ5m7lEjvSAXn

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2188-0-0x0000000000350000-0x000000000037E000-memory.dmp	family_blackmoon
behavioral1/memory/2188-7-0x0000000000350000-0x000000000037E000-memory.dmp	family_blackmoon
behavioral1/memory/2240-8-0x0000000000460000-0x000000000048E000-memory.dmp	family_blackmoon
behavioral1/memory/2240-14-0x0000000000460000-0x000000000048E000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3044 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

KceeZWHkVeT.exeKceeZWHkVeT.exe

pid process

2240 KceeZWHkVeT.exe
2260 KceeZWHkVeT.exe
Loads dropped DLL 2 IoCs

Processes:

be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exeKceeZWHkVeT.exe

pid process

2188 be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe
2240 KceeZWHkVeT.exe

pid	process
3044	cmd.exe

pid	process
2240	KceeZWHkVeT.exe
2260	KceeZWHkVeT.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2260-16-0x0000000000310000-0x000000000031B000-memory.dmp	upx
behavioral1/memory/2260-17-0x0000000002130000-0x000000000213B000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

KceeZWHkVeT.exebe5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\system32\KceeZWHkVeT.exe	KceeZWHkVeT.exe
File created	C:\Windows\SysWOW64\KceeZWHkVeT.exe	be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\KceeZWHkVeT.exe	be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe
File created	C:\Windows\system32\KceeZWHkVeT.exe	KceeZWHkVeT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2568 PING.EXE

pid	process
2568	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exeKceeZWHkVeT.exeKceeZWHkVeT.exe

pid	process
2188	be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe
2188	be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe
2240	KceeZWHkVeT.exe
2240	KceeZWHkVeT.exe
2240	KceeZWHkVeT.exe
2240	KceeZWHkVeT.exe
2240	KceeZWHkVeT.exe
2260	KceeZWHkVeT.exe
2260	KceeZWHkVeT.exe
2260	KceeZWHkVeT.exe
2260	KceeZWHkVeT.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe

pid process

2188 be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

KceeZWHkVeT.exe

description pid process

Token: SeDebugPrivilege 2260 KceeZWHkVeT.exe
Token: SeDebugPrivilege 2260 KceeZWHkVeT.exe
Token: SeDebugPrivilege 2260 KceeZWHkVeT.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exeKceeZWHkVeT.exeKceeZWHkVeT.exe

pid process

2188 be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe
2240 KceeZWHkVeT.exe
2260 KceeZWHkVeT.exe

description	pid	process
Token: SeDebugPrivilege	2260	KceeZWHkVeT.exe
Token: SeDebugPrivilege	2260	KceeZWHkVeT.exe
Token: SeDebugPrivilege	2260	KceeZWHkVeT.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

be5183757aade6aaead3c0534a82d590_NeikiAnalytics.execmd.exeKceeZWHkVeT.exe

description	pid	process	target process
PID 2188 wrote to memory of 2240	2188	be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe	KceeZWHkVeT.exe
PID 2188 wrote to memory of 2240	2188	be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe	KceeZWHkVeT.exe
PID 2188 wrote to memory of 2240	2188	be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe	KceeZWHkVeT.exe
PID 2188 wrote to memory of 2240	2188	be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe	KceeZWHkVeT.exe
PID 2188 wrote to memory of 3044	2188	be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe	cmd.exe
PID 2188 wrote to memory of 3044	2188	be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe	cmd.exe
PID 2188 wrote to memory of 3044	2188	be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe	cmd.exe
PID 2188 wrote to memory of 3044	2188	be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe	cmd.exe
PID 3044 wrote to memory of 2568	3044	cmd.exe	PING.EXE
PID 3044 wrote to memory of 2568	3044	cmd.exe	PING.EXE
PID 3044 wrote to memory of 2568	3044	cmd.exe	PING.EXE
PID 3044 wrote to memory of 2568	3044	cmd.exe	PING.EXE
PID 2240 wrote to memory of 2260	2240	KceeZWHkVeT.exe	KceeZWHkVeT.exe
PID 2240 wrote to memory of 2260	2240	KceeZWHkVeT.exe	KceeZWHkVeT.exe
PID 2240 wrote to memory of 2260	2240	KceeZWHkVeT.exe	KceeZWHkVeT.exe
PID 2240 wrote to memory of 2260	2240	KceeZWHkVeT.exe	KceeZWHkVeT.exe

C:\Users\Admin\AppData\Local\Temp\be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\be5183757aade6aaead3c0534a82d590_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\KceeZWHkVeT.exe
-auto C:\Windows\system32\\KceeZWHkVeT.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\system32\KceeZWHkVeT.exe
-troj
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\KceeZWHkVeT.exe
Filesize
274KB

MD5
be5183757aade6aaead3c0534a82d590

SHA1
356d496741833d1c7601ef7af4a214a609919513

SHA256
bafd54f03848de4dfef3c7e8cbdf5c5d743db75b8a1e6012d0380589e8b1abe5

SHA512
a86bb4c46f24c4b523f92a2663ee43e956b8b4c44b9e966585d6ebe1720d49e46fd9ff64b854b4b521dc558d7cac05ce27a5a4be5cc4931a97018fca6fea5776

Download Submit
memory/2188-0-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/2188-7-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/2188-6-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2240-8-0x0000000000460000-0x000000000048E000-memory.dmp

Filesize
184KB

Download
memory/2240-14-0x0000000000460000-0x000000000048E000-memory.dmp

Filesize
184KB

Download
memory/2260-16-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/2260-17-0x0000000002130000-0x000000000213B000-memory.dmp

Filesize
44KB

Download
memory/2260-18-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads