blackmoon | 9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b

General

Target

9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
Size

9.2MB
MD5

220d436be62924e45fc4e7a08cb590bf
SHA1

f55c9e0c26d096104bac7ff081e9673223500ac8
SHA256

9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b
SHA512

8de4b59d3b7628f75ca6e0f2760e200425d5c14f926100c93caaf642865e39e93ef12eec90d0691ab4c66daabe7046c2e77d1c3e48c8ebc527759c6b74898004
SSDEEP

196608:10/mSzMt7DznB220+69n/yzELjK+7i7/qv+Tfp4K:iOTt7DznB7l69/O+7i7C2TfpN

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/4592-16-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral2/memory/4360-47-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
4360	404719f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\G:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\L:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\M:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\O:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\Q:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\B:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\J:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\T:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\U:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\V:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\Z:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\A:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\E:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\I:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\P:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\S:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\Y:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\H:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\K:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\N:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\R:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
File opened (read-only)	\??\W:	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4592	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
4592	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
4592	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
4360	404719f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
4360	404719f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
4360	404719f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 4360	4592	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe	86
PID 4592 wrote to memory of 4360	4592	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe	86
PID 4592 wrote to memory of 4360	4592	9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe	86

C:\Users\Admin\AppData\Local\Temp\9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
"C:\Users\Admin\AppData\Local\Temp\9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4592
- C:\ÏÉÔµ³ÁÄ¬3.0¡¾53XF.COM¡¿\404719f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
  C:\ÏÉÔµ³ÁÄ¬3.0¡¾53XF.COM¡¿\404719f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\438abc856025ef41ea21f71c2dd6453e.txt

Filesize
27B

MD5
a046fa99d1888b01f88675556d81e497

SHA1
af69545274f263b6146264aec9acf3e4d17fbac7

SHA256
f7e5b933be46d1985352de80088b4266306fbad5b4fecfc1dbaa334728599a07

SHA512
62a339e05d70a5bdd5183f34c5aea5ef469c9db5b35efd56930ff44e9b0db632e0678c659ae9722489c3be591a521c6143458b6af946eee2c34e16bcc0d4e219

Download Submit
C:\ÏÉÔµ³ÁÄ¬3.0¡¾53XF.COM¡¿\404719f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b.exe

Filesize
9.2MB

MD5
220d436be62924e45fc4e7a08cb590bf

SHA1
f55c9e0c26d096104bac7ff081e9673223500ac8

SHA256
9f295b556f1731c0355b778e9a6c61b7ef6c4773451886592a9839aadc63f77b

SHA512
8de4b59d3b7628f75ca6e0f2760e200425d5c14f926100c93caaf642865e39e93ef12eec90d0691ab4c66daabe7046c2e77d1c3e48c8ebc527759c6b74898004

Download Submit
memory/4360-17-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/4360-49-0x0000000000A60000-0x0000000000A63000-memory.dmp

Filesize
12KB

Download
memory/4360-47-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/4360-18-0x0000000000A60000-0x0000000000A63000-memory.dmp

Filesize
12KB

Download
memory/4592-16-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/4592-0-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/4592-5-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/4592-15-0x0000000000BC0000-0x0000000000BC3000-memory.dmp

Filesize
12KB

Download
memory/4592-7-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/4592-6-0x0000000003F50000-0x0000000003F51000-memory.dmp

Filesize
4KB

Download
memory/4592-1-0x0000000000BC0000-0x0000000000BC3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing