blackmoon | ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05

General

Target

ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe
Size

1.3MB
MD5

c4812dcb6dd986e91af0670150dc3136
SHA1

205dea58b7131fa8e1642476e7a6d99aac8dd31e
SHA256

ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05
SHA512

fc487d5a4c96bdaf5d2d779ccd12f0ceb73321d5315d636ba952f10c993f9c196a11760572dd50b1c4a550c3b90f8a74e4aaca0c554aed6da0592f01c28f242f
SSDEEP

24576:DoRK/YeUfeaaih1Qmim2hi0ROVsLuewkOWj:DoRTeUzainQXHhi0ROVsLuewkpj

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002340e-6.dat	family_blackmoon

UPX dump on OEP (original entry point) 17 IoCs

resource	yara_rule
behavioral2/memory/3980-8-0x0000000002D10000-0x0000000002DF9000-memory.dmp	UPX
behavioral2/memory/3980-9-0x0000000002D10000-0x0000000002DF9000-memory.dmp	UPX
behavioral2/memory/3980-11-0x0000000002D10000-0x0000000002DF9000-memory.dmp	UPX
behavioral2/memory/3980-12-0x0000000002D10000-0x0000000002DF9000-memory.dmp	UPX
behavioral2/memory/3980-13-0x0000000003F30000-0x0000000004141000-memory.dmp	UPX
behavioral2/memory/3980-18-0x0000000004350000-0x000000000443B000-memory.dmp	UPX
behavioral2/memory/3980-17-0x0000000001000000-0x0000000001056000-memory.dmp	UPX
behavioral2/memory/3980-19-0x0000000004350000-0x000000000443B000-memory.dmp	UPX
behavioral2/memory/3980-22-0x0000000004970000-0x0000000004AE5000-memory.dmp	UPX
behavioral2/memory/3980-21-0x0000000004460000-0x00000000044F9000-memory.dmp	UPX
behavioral2/memory/3980-23-0x0000000004970000-0x0000000004AE5000-memory.dmp	UPX
behavioral2/memory/3980-28-0x0000000003F30000-0x0000000004141000-memory.dmp	UPX
behavioral2/memory/3980-30-0x0000000003F30000-0x0000000004141000-memory.dmp	UPX
behavioral2/memory/3980-31-0x0000000001000000-0x0000000001056000-memory.dmp	UPX
behavioral2/memory/3980-32-0x0000000004350000-0x000000000443B000-memory.dmp	UPX
behavioral2/memory/3980-33-0x0000000004460000-0x00000000044F9000-memory.dmp	UPX
behavioral2/memory/3980-34-0x0000000004970000-0x0000000004AE5000-memory.dmp	UPX

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	h4p9SqPF4m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\h4p9SqPF4m = "C:\\ProgramData\\39n39AIw6K6d7i\\h4p9SqPF4m.exe"	h4p9SqPF4m.exe

Executes dropped EXE 1 IoCs

pid	Process
3980	h4p9SqPF4m.exe

Loads dropped DLL 1 IoCs

pid	Process
3980	h4p9SqPF4m.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3980	h4p9SqPF4m.exe
3980	h4p9SqPF4m.exe
3980	h4p9SqPF4m.exe
3980	h4p9SqPF4m.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	h4p9SqPF4m.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3980	h4p9SqPF4m.exe
3980	h4p9SqPF4m.exe
3980	h4p9SqPF4m.exe
3980	h4p9SqPF4m.exe
3980	h4p9SqPF4m.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 1036	4608	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	84
PID 4608 wrote to memory of 1036	4608	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	84
PID 4608 wrote to memory of 992	4608	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	86
PID 4608 wrote to memory of 992	4608	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	86
PID 992 wrote to memory of 4456	992	cmd.exe	88
PID 992 wrote to memory of 4456	992	cmd.exe	88
PID 4456 wrote to memory of 3712	4456	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	89
PID 4456 wrote to memory of 3712	4456	ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe	89
PID 3712 wrote to memory of 3980	3712	cmd.exe	91
PID 3712 wrote to memory of 3980	3712	cmd.exe	91
PID 3712 wrote to memory of 3980	3712	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe
"C:\Users\Admin\AppData\Local\Temp\ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c mkdir C:\ProgramData\39n39AIw6K6d7i
  2⤵
  PID:1036
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe" C:\ProgramData\39n39AIw6K6d7i C:\ProgramData\39n39AIw6K6d7i
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Users\Admin\AppData\Local\Temp\ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe
    C:\Users\Admin\AppData\Local\Temp\ad99cbc76ed40899ee1c49e1c8152c375a0a7aaaa2614c7f62feea3986d2ec05.exe C:\ProgramData\39n39AIw6K6d7i C:\ProgramData\39n39AIw6K6d7i
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c C:\ProgramData\39n39AIw6K6d7i\h4p9SqPF4m.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\ProgramData\39n39AIw6K6d7i\h4p9SqPF4m.exe
        
        C:\ProgramData\39n39AIw6K6d7i\h4p9SqPF4m.exe
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\39n39AIw6K6d7i\ctxmui.dll

Filesize
744KB

MD5
7013543b023ddfd98c8908daa78b6473

SHA1
3a1176c3404faa505c1080b47163137e06df54cb

SHA256
04bb798004973767f7fcdc682cc50f8a84c27aa74003f5c995fd5d00e6617c30

SHA512
a6dc65515639b747c962610cf5ebadbbc047072aac05b657a2222d909295d307b01372f850fc5c603d797a59d260a4463c418f91f951fe5f4545d570f10c4c0c

Download Submit
C:\ProgramData\39n39AIw6K6d7i\h4p9SqPF4m.exe

Filesize
125KB

MD5
8929530afda63d45859ecbabc5e9edb4

SHA1
7f8a88b9d815399ee0047f8bc67c7a2a1d7c16bd

SHA256
f4f76935e15ae533d47434880b455297a7b57bd45cd98e124eabf4cfe5b24723

SHA512
fae7e1027de3ece5ad06b24ead5c07912c0b5c6217677d2702ebec49c968c7a6f3feffb73491a1557878c6cc5cc69045bc818abc71a48c5a2408f1359f9bd583

Download Submit
C:\ProgramData\39n39AIw6K6d7i\h4p9SqPF4m.txt

Filesize
363B

MD5
72ed37d10aed0e80cf7f7ad6afb9986a

SHA1
6b306cb386522f8f6c8722a56c7f71b20bb0a044

SHA256
081f61de098d09e7237825297efb5b8f1f1900b933889746cce3203bda9ae58e

SHA512
27bfd0393a1b5bb5d6663a70f200a3ee280447549369e10ca36b5694bcee9a748981f4d992a969d51d2bad3f851e298c9c8bc9bc9cd54ebeee24b254684a2c1f

Download Submit
memory/3980-25-0x0000000004AF0000-0x0000000004B42000-memory.dmp

Filesize
328KB

Download
memory/3980-26-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3980-11-0x0000000002D10000-0x0000000002DF9000-memory.dmp

Filesize
932KB

Download
memory/3980-12-0x0000000002D10000-0x0000000002DF9000-memory.dmp

Filesize
932KB

Download
memory/3980-13-0x0000000003F30000-0x0000000004141000-memory.dmp

Filesize
2.1MB

Download
memory/3980-18-0x0000000004350000-0x000000000443B000-memory.dmp

Filesize
940KB

Download
memory/3980-17-0x0000000001000000-0x0000000001056000-memory.dmp

Filesize
344KB

Download
memory/3980-19-0x0000000004350000-0x000000000443B000-memory.dmp

Filesize
940KB

Download
memory/3980-22-0x0000000004970000-0x0000000004AE5000-memory.dmp

Filesize
1.5MB

Download
memory/3980-21-0x0000000004460000-0x00000000044F9000-memory.dmp

Filesize
612KB

Download
memory/3980-23-0x0000000004970000-0x0000000004AE5000-memory.dmp

Filesize
1.5MB

Download
memory/3980-8-0x0000000002D10000-0x0000000002DF9000-memory.dmp

Filesize
932KB

Download
memory/3980-27-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3980-9-0x0000000002D10000-0x0000000002DF9000-memory.dmp

Filesize
932KB

Download
memory/3980-28-0x0000000003F30000-0x0000000004141000-memory.dmp

Filesize
2.1MB

Download
memory/3980-29-0x0000000004AF0000-0x0000000004B42000-memory.dmp

Filesize
328KB

Download
memory/3980-30-0x0000000003F30000-0x0000000004141000-memory.dmp

Filesize
2.1MB

Download
memory/3980-31-0x0000000001000000-0x0000000001056000-memory.dmp

Filesize
344KB

Download
memory/3980-32-0x0000000004350000-0x000000000443B000-memory.dmp

Filesize
940KB

Download
memory/3980-33-0x0000000004460000-0x00000000044F9000-memory.dmp

Filesize
612KB

Download
memory/3980-34-0x0000000004970000-0x0000000004AE5000-memory.dmp

Filesize
1.5MB

Download
memory/3980-35-0x0000000004AF0000-0x0000000004B42000-memory.dmp

Filesize
328KB

Download
memory/3980-36-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/3980-37-0x0000000000C10000-0x0000000000C30000-memory.dmp

Filesize
128KB

Download
memory/3980-38-0x0000000001080000-0x000000000117C000-memory.dmp

Filesize
1008KB

Download
memory/3980-39-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/3980-40-0x0000000002E50000-0x0000000002E70000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads