blackmoon | ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05

General

Target

ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe
Size

1.3MB
MD5

c4812dcb6dd986e91af0670150dc3136
SHA1

205dea58b7131fa8e1642476e7a6d99aac8dd31e
SHA256

ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05
SHA512

fc487d5a4c96bdaf5d2d779ccd12f0ceb73321d5315d636ba952f10c993f9c196a11760572dd50b1c4a550c3b90f8a74e4aaca0c554aed6da0592f01c28f242f
SSDEEP

24576:DoRK/YeUfeaaih1Qmim2hi0ROVsLuewkOWj:DoRTeUzainQXHhi0ROVsLuewkpj

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000013acb-5.dat	family_blackmoon

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral1/memory/2136-7-0x0000000002170000-0x0000000002259000-memory.dmp	UPX
behavioral1/memory/2136-8-0x0000000002170000-0x0000000002259000-memory.dmp	UPX
behavioral1/memory/2136-10-0x0000000002170000-0x0000000002259000-memory.dmp	UPX
behavioral1/memory/2136-11-0x0000000002170000-0x0000000002259000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2136	5v6l84aG.exe

Loads dropped DLL 6 IoCs

pid	Process
2136	5v6l84aG.exe
2692	WerFault.exe
2692	WerFault.exe
2692	WerFault.exe
2692	WerFault.exe
2692	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2692	2136	WerFault.exe	35

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2136	5v6l84aG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2136	5v6l84aG.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1660	1940	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	28
PID 1940 wrote to memory of 1660	1940	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	28
PID 1940 wrote to memory of 1660	1940	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	28
PID 1940 wrote to memory of 2900	1940	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	30
PID 1940 wrote to memory of 2900	1940	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	30
PID 1940 wrote to memory of 2900	1940	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	30
PID 2900 wrote to memory of 2364	2900	cmd.exe	32
PID 2900 wrote to memory of 2364	2900	cmd.exe	32
PID 2900 wrote to memory of 2364	2900	cmd.exe	32
PID 2364 wrote to memory of 2740	2364	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	33
PID 2364 wrote to memory of 2740	2364	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	33
PID 2364 wrote to memory of 2740	2364	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	33
PID 2740 wrote to memory of 2136	2740	cmd.exe	35
PID 2740 wrote to memory of 2136	2740	cmd.exe	35
PID 2740 wrote to memory of 2136	2740	cmd.exe	35
PID 2740 wrote to memory of 2136	2740	cmd.exe	35
PID 2136 wrote to memory of 2692	2136	5v6l84aG.exe	38
PID 2136 wrote to memory of 2692	2136	5v6l84aG.exe	38
PID 2136 wrote to memory of 2692	2136	5v6l84aG.exe	38
PID 2136 wrote to memory of 2692	2136	5v6l84aG.exe	38

C:\Users\Admin\AppData\Local\Temp\ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe
"C:\Users\Admin\AppData\Local\Temp\ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\system32\cmd.exe
  cmd /c mkdir C:\ProgramData\9W3qe34gk45
  2⤵
  PID:1660
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe" C:\ProgramData\9W3qe34gk45 C:\ProgramData\9W3qe34gk45
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe
    C:\Users\Admin\AppData\Local\Temp\ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe C:\ProgramData\9W3qe34gk45 C:\ProgramData\9W3qe34gk45
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\system32\cmd.exe
      cmd /c C:\ProgramData\9W3qe34gk45\5v6l84aG.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\ProgramData\9W3qe34gk45\5v6l84aG.exe
        
        C:\ProgramData\9W3qe34gk45\5v6l84aG.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2136
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 508
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\9W3qe34gk45\5v6l84aG.exe

Filesize
125KB

MD5
8929530afda63d45859ecbabc5e9edb4

SHA1
7f8a88b9d815399ee0047f8bc67c7a2a1d7c16bd

SHA256
f4f76935e15ae533d47434880b455297a7b57bd45cd98e124eabf4cfe5b24723

SHA512
fae7e1027de3ece5ad06b24ead5c07912c0b5c6217677d2702ebec49c968c7a6f3feffb73491a1557878c6cc5cc69045bc818abc71a48c5a2408f1359f9bd583

Download Submit
C:\ProgramData\9W3qe34gk45\5v6l84aG.txt

Filesize
363B

MD5
72ed37d10aed0e80cf7f7ad6afb9986a

SHA1
6b306cb386522f8f6c8722a56c7f71b20bb0a044

SHA256
081f61de098d09e7237825297efb5b8f1f1900b933889746cce3203bda9ae58e

SHA512
27bfd0393a1b5bb5d6663a70f200a3ee280447549369e10ca36b5694bcee9a748981f4d992a969d51d2bad3f851e298c9c8bc9bc9cd54ebeee24b254684a2c1f

Download Submit
C:\ProgramData\9W3qe34gk45\ctxmui.dll

Filesize
744KB

MD5
7013543b023ddfd98c8908daa78b6473

SHA1
3a1176c3404faa505c1080b47163137e06df54cb

SHA256
04bb798004973767f7fcdc682cc50f8a84c27aa74003f5c995fd5d00e6617c30

SHA512
a6dc65515639b747c962610cf5ebadbbc047072aac05b657a2222d909295d307b01372f850fc5c603d797a59d260a4463c418f91f951fe5f4545d570f10c4c0c

Download Submit
memory/2136-7-0x0000000002170000-0x0000000002259000-memory.dmp

Filesize
932KB

Download
memory/2136-8-0x0000000002170000-0x0000000002259000-memory.dmp

Filesize
932KB

Download
memory/2136-10-0x0000000002170000-0x0000000002259000-memory.dmp

Filesize
932KB

Download
memory/2136-11-0x0000000002170000-0x0000000002259000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing