blackmoon | f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1

General

Target

f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe
Size

6.0MB
MD5

8c0f0f48bf7086d1f9d9190a5c8a0b6e
SHA1

1f5b4c8b25d68c5696d48c96fba5680dd82a4dd5
SHA256

f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1
SHA512

eba62d38dd16d3a711762638751278bc83cc5c7e670e67270427c1f79fd0066977b0b4c6838521014d6c687b896458d51e05b931208262455cf440cb01bba4cf
SSDEEP

98304:YJSdDP4p289p8NyUJYnBquzfc050vvZ16oAcs9XIcGcU09AQFGbVDs9o36QA:D9Eh9pk9JYnBDzk0qZ16oAcs9XI1ksKb

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000153c7-11.dat	family_blackmoon

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	44WI0n0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\44WI0n0 = "C:\\ProgramData\\Aicica\\{E8dzJaUJX3X34h08}\\44WI0n0.exe"	44WI0n0.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	44WI0n0.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe
2756	44WI0n0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2756	44WI0n0.exe
2756	44WI0n0.exe
2756	44WI0n0.exe
2756	44WI0n0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	44WI0n0.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2756	44WI0n0.exe
2756	44WI0n0.exe
2756	44WI0n0.exe
2756	44WI0n0.exe
2756	44WI0n0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2936	2868	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	28
PID 2868 wrote to memory of 2936	2868	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	28
PID 2868 wrote to memory of 2936	2868	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	28
PID 2868 wrote to memory of 2936	2868	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	28
PID 2936 wrote to memory of 2756	2936	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	29
PID 2936 wrote to memory of 2756	2936	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	29
PID 2936 wrote to memory of 2756	2936	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	29
PID 2936 wrote to memory of 2756	2936	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	29

C:\Users\Admin\AppData\Local\Temp\f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe
"C:\Users\Admin\AppData\Local\Temp\f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe
  C:\Users\Admin\AppData\Local\Temp\f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe 45063C065A065606740669066106740667066B0642066706720667065A0647066F0665066F06650667065A067D0643063E0662067C064C06670653064C065E0635065E06350632066E0636063E067B065A063206320651064F06360668063606--365
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\ProgramData\Aicica\{E8dzJaUJX3X34h08}\44WI0n0.exe
    "C:\ProgramData\Aicica\{E8dzJaUJX3X34h08}\44WI0n0.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Aicica\{E8dzJaUJX3X34h08}\44WI0n0.txt

Filesize
369B

MD5
4e30f5f935e911d761695dc7cbafc7df

SHA1
75d6e98a53276fa4a746e998b53fa0a0795c0023

SHA256
617cc5c99b2445b4c66e437de26214d559c04f94b301d306d4a222ed75b62af0

SHA512
8bc18bfe4fd9a844fa8c7c9a3a8a3006f802047fcaf1c3c3ab38061f64183cdc5b77ece0441ea7d9d7c87e864dc291c270734eea834fc5b77bb508847dfe99aa

Download Submit
\ProgramData\Aicica\{E8dzJaUJX3X34h08}\44WI0n0.exe

Filesize
41KB

MD5
90f1cbf523b201c20adf2e6cb5a91e2d

SHA1
e485907216de02d71a127623d6d8b155fa25aafa

SHA256
84ef8cba9b668bf3c2f47cfe2efc6fb4821fada314959a36419443efe41967d2

SHA512
6d121b48dba3a48d7dceb0baad629b7ad195b7f47d267f8f3295cead8940836ced45abac716fd54504b603ad9d3eb57ffd2a36f2c3e183d65df051ceba694521

Download Submit
\ProgramData\Aicica\{E8dzJaUJX3X34h08}\winfsp-x86.dll

Filesize
4.5MB

MD5
ba1443306d4b071b8be748ce6b643615

SHA1
30b0541cc9da303e0d79ab1a2c9549253a8290e3

SHA256
cf0887a6af4acbb23090700e13600ad62b1fb93ecca7994c1c6a5a1d439d3d72

SHA512
c9faab1fd7d9b646547e829fc0082efa5a234900eebb4bd75d57ad859d3d1ac3ef691613cfcfff9d38a789f95d66ec5f727c8c54e83816fb647cd8f6763cca51

Download Submit
memory/2756-32-0x0000000002920000-0x0000000002972000-memory.dmp

Filesize
328KB

Download
memory/2756-39-0x0000000003980000-0x0000000003A6B000-memory.dmp

Filesize
940KB

Download
memory/2756-13-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2756-16-0x0000000002260000-0x0000000002347000-memory.dmp

Filesize
924KB

Download
memory/2756-15-0x0000000002260000-0x0000000002347000-memory.dmp

Filesize
924KB

Download
memory/2756-14-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2756-19-0x0000000004020000-0x0000000004231000-memory.dmp

Filesize
2.1MB

Download
memory/2756-24-0x0000000003980000-0x0000000003A6B000-memory.dmp

Filesize
940KB

Download
memory/2756-23-0x0000000000AE0000-0x0000000000B36000-memory.dmp

Filesize
344KB

Download
memory/2756-25-0x0000000003980000-0x0000000003A6B000-memory.dmp

Filesize
940KB

Download
memory/2756-28-0x0000000003D90000-0x0000000003E29000-memory.dmp

Filesize
612KB

Download
memory/2756-30-0x0000000004A20000-0x0000000004B95000-memory.dmp

Filesize
1.5MB

Download
memory/2756-29-0x0000000004A20000-0x0000000004B95000-memory.dmp

Filesize
1.5MB

Download
memory/2756-12-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2756-18-0x0000000002260000-0x0000000002347000-memory.dmp

Filesize
924KB

Download
memory/2756-33-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2756-41-0x0000000004A20000-0x0000000004B95000-memory.dmp

Filesize
1.5MB

Download
memory/2756-36-0x0000000002260000-0x0000000002347000-memory.dmp

Filesize
924KB

Download
memory/2756-37-0x0000000004020000-0x0000000004231000-memory.dmp

Filesize
2.1MB

Download
memory/2756-38-0x0000000000AE0000-0x0000000000B36000-memory.dmp

Filesize
344KB

Download
memory/2756-34-0x0000000004020000-0x0000000004231000-memory.dmp

Filesize
2.1MB

Download
memory/2756-40-0x0000000003D90000-0x0000000003E29000-memory.dmp

Filesize
612KB

Download
memory/2756-35-0x0000000002920000-0x0000000002972000-memory.dmp

Filesize
328KB

Download
memory/2756-42-0x0000000002920000-0x0000000002972000-memory.dmp

Filesize
328KB

Download
memory/2756-43-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/2756-44-0x0000000000B50000-0x0000000000B70000-memory.dmp

Filesize
128KB

Download
memory/2756-45-0x0000000004F30000-0x000000000502C000-memory.dmp

Filesize
1008KB

Download
memory/2756-46-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2756-47-0x0000000002670000-0x0000000002690000-memory.dmp

Filesize
128KB

Download
memory/2756-48-0x0000000004F30000-0x000000000502C000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads