blackmoon | 2c25c74f6e95c83d05b38ff18490593a82ab252c81861637dc0a1bdeb2172b6e | Triage

Submit
Reports

Overview

overview

Static

static

2c25c74f6e...6e.exe

windows7-x64

2c25c74f6e...6e.exe

windows10-2004-x64

Sharing

General

Target

2c25c74f6e95c83d05b38ff18490593a82ab252c81861637dc0a1bdeb2172b6e
Size

437KB
Sample

240524-ysqa8ahc8t
MD5

18d3cb423bfa0e317a2c0445ebbb42c9
SHA1

dd6f79916556fc50828e419f25e6a2cb627f5573
SHA256

2c25c74f6e95c83d05b38ff18490593a82ab252c81861637dc0a1bdeb2172b6e
SHA512

1ef4c736f52bb325d5cffb3624336f0b0bfa61833bfa34ac69cbbd9d5a1ccc5cdd8c618e60c15eeab4d5c5ad78bd2175aa3d71ec595d03d69dc1df25e81b81dd
SSDEEP

6144:5fweR7gpANB0sv2YYuwfDoOPV1x0GwYpk09RhyQ3ZmF:J1R7gpAwsuvDNP/xyqk09TyCcF

Score

10^/10

blackmoon banker trojan upx

Static task

static1

5 signatures

Behavioral task

behavioral1

Sample

2c25c74f6e95c83d05b38ff18490593a82ab252c81861637dc0a1bdeb2172b6e.exe

Resource

win7-20231129-en

blackmoon banker trojan upx

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

2c25c74f6e95c83d05b38ff18490593a82ab252c81861637dc0a1bdeb2172b6e.exe

Resource

win10v2004-20240508-en

blackmoon banker trojan upx

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  2c25c74f6e95c83d05b38ff18490593a82ab252c81861637dc0a1bdeb2172b6e
- Size
  
  437KB
- MD5
  
  18d3cb423bfa0e317a2c0445ebbb42c9
- SHA1
  
  dd6f79916556fc50828e419f25e6a2cb627f5573
- SHA256
  
  2c25c74f6e95c83d05b38ff18490593a82ab252c81861637dc0a1bdeb2172b6e
- SHA512
  
  1ef4c736f52bb325d5cffb3624336f0b0bfa61833bfa34ac69cbbd9d5a1ccc5cdd8c618e60c15eeab4d5c5ad78bd2175aa3d71ec595d03d69dc1df25e81b81dd
- SSDEEP
  
  6144:5fweR7gpANB0sv2YYuwfDoOPV1x0GwYpk09RhyQ3ZmF:J1R7gpAwsuvDNP/xyqk09TyCcF
Score

10^/10

blackmoon banker trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- UPX dump on OEP (original entry point)
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

blackmoonbankertrojanupx

behavioral2

blackmoonbankertrojanupx

© 2018-2024

Terms | Privacy