blackmoon | f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1

General

Target

f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe
Size

6.0MB
MD5

8c0f0f48bf7086d1f9d9190a5c8a0b6e
SHA1

1f5b4c8b25d68c5696d48c96fba5680dd82a4dd5
SHA256

f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1
SHA512

eba62d38dd16d3a711762638751278bc83cc5c7e670e67270427c1f79fd0066977b0b4c6838521014d6c687b896458d51e05b931208262455cf440cb01bba4cf
SSDEEP

98304:YJSdDP4p289p8NyUJYnBquzfc050vvZ16oAcs9XIcGcU09AQFGbVDs9o36QA:D9Eh9pk9JYnBDzk0qZ16oAcs9XI1ksKb

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000c00000002336a-15.dat	family_blackmoon

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	qLc7os47l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qLc7os47l = "C:\\ProgramData\\Aicica\\{p22l33sz6Ui5wx09}\\qLc7os47l.exe"	qLc7os47l.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe

Executes dropped EXE 1 IoCs

pid	Process
1840	qLc7os47l.exe

Loads dropped DLL 1 IoCs

pid	Process
1840	qLc7os47l.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1840	qLc7os47l.exe
1840	qLc7os47l.exe
1840	qLc7os47l.exe
1840	qLc7os47l.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	qLc7os47l.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1840	qLc7os47l.exe
1840	qLc7os47l.exe
1840	qLc7os47l.exe
1840	qLc7os47l.exe
1840	qLc7os47l.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 4008	3732	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	82
PID 3732 wrote to memory of 4008	3732	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	82
PID 3732 wrote to memory of 4008	3732	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	82
PID 4008 wrote to memory of 1840	4008	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	94
PID 4008 wrote to memory of 1840	4008	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	94
PID 4008 wrote to memory of 1840	4008	f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe	94

C:\Users\Admin\AppData\Local\Temp\f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe
"C:\Users\Admin\AppData\Local\Temp\f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Local\Temp\f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe
  C:\Users\Admin\AppData\Local\Temp\f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe 45063C065A065606740669066106740667066B0642066706720667065A0647066F0665066F06650667065A067D067606340634066A063506350675067C06300653066F06330671067E0636063F067B065A0677064A066506310669067506320631066A06--365
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\ProgramData\Aicica\{p22l33sz6Ui5wx09}\qLc7os47l.exe
    "C:\ProgramData\Aicica\{p22l33sz6Ui5wx09}\qLc7os47l.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Aicica\{p22l33sz6Ui5wx09}\qLc7os47l.exe

Filesize
41KB

MD5
90f1cbf523b201c20adf2e6cb5a91e2d

SHA1
e485907216de02d71a127623d6d8b155fa25aafa

SHA256
84ef8cba9b668bf3c2f47cfe2efc6fb4821fada314959a36419443efe41967d2

SHA512
6d121b48dba3a48d7dceb0baad629b7ad195b7f47d267f8f3295cead8940836ced45abac716fd54504b603ad9d3eb57ffd2a36f2c3e183d65df051ceba694521

Download Submit
C:\ProgramData\Aicica\{p22l33sz6Ui5wx09}\qLc7os47l.txt

Filesize
369B

MD5
4e30f5f935e911d761695dc7cbafc7df

SHA1
75d6e98a53276fa4a746e998b53fa0a0795c0023

SHA256
617cc5c99b2445b4c66e437de26214d559c04f94b301d306d4a222ed75b62af0

SHA512
8bc18bfe4fd9a844fa8c7c9a3a8a3006f802047fcaf1c3c3ab38061f64183cdc5b77ece0441ea7d9d7c87e864dc291c270734eea834fc5b77bb508847dfe99aa

Download Submit
C:\ProgramData\Aicica\{p22l33sz6Ui5wx09}\winfsp-x86.dll

Filesize
4.5MB

MD5
ba1443306d4b071b8be748ce6b643615

SHA1
30b0541cc9da303e0d79ab1a2c9549253a8290e3

SHA256
cf0887a6af4acbb23090700e13600ad62b1fb93ecca7994c1c6a5a1d439d3d72

SHA512
c9faab1fd7d9b646547e829fc0082efa5a234900eebb4bd75d57ad859d3d1ac3ef691613cfcfff9d38a789f95d66ec5f727c8c54e83816fb647cd8f6763cca51

Download Submit
memory/1840-36-0x0000000004A30000-0x0000000004A82000-memory.dmp

Filesize
328KB

Download
memory/1840-19-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1840-37-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/1840-21-0x0000000002D40000-0x0000000002E27000-memory.dmp

Filesize
924KB

Download
memory/1840-38-0x0000000003ED0000-0x00000000040E1000-memory.dmp

Filesize
2.1MB

Download
memory/1840-23-0x0000000002D40000-0x0000000002E27000-memory.dmp

Filesize
924KB

Download
memory/1840-24-0x0000000003ED0000-0x00000000040E1000-memory.dmp

Filesize
2.1MB

Download
memory/1840-29-0x00000000041A0000-0x00000000041F6000-memory.dmp

Filesize
344KB

Download
memory/1840-28-0x0000000004550000-0x000000000463B000-memory.dmp

Filesize
940KB

Download
memory/1840-33-0x0000000004640000-0x00000000046D9000-memory.dmp

Filesize
612KB

Download
memory/1840-34-0x0000000004BF0000-0x0000000004D65000-memory.dmp

Filesize
1.5MB

Download
memory/1840-39-0x0000000004A30000-0x0000000004A82000-memory.dmp

Filesize
328KB

Download
memory/1840-31-0x0000000004550000-0x000000000463B000-memory.dmp

Filesize
940KB

Download
memory/1840-17-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/1840-20-0x0000000002D40000-0x0000000002E27000-memory.dmp

Filesize
924KB

Download
memory/1840-18-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1840-32-0x0000000004BF0000-0x0000000004D65000-memory.dmp

Filesize
1.5MB

Download
memory/1840-40-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1840-41-0x00000000028F0000-0x0000000002910000-memory.dmp

Filesize
128KB

Download
memory/1840-42-0x0000000002D40000-0x0000000002E27000-memory.dmp

Filesize
924KB

Download
memory/1840-46-0x0000000004550000-0x000000000463B000-memory.dmp

Filesize
940KB

Download
memory/1840-45-0x0000000003ED0000-0x00000000040E1000-memory.dmp

Filesize
2.1MB

Download
memory/1840-44-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/1840-43-0x0000000005950000-0x0000000005A4C000-memory.dmp

Filesize
1008KB

Download
memory/1840-47-0x0000000004BF0000-0x0000000004D65000-memory.dmp

Filesize
1.5MB

Download
memory/1840-48-0x0000000005C30000-0x0000000005C50000-memory.dmp

Filesize
128KB

Download
memory/1840-49-0x0000000004640000-0x00000000046D9000-memory.dmp

Filesize
612KB

Download
memory/1840-50-0x0000000004A30000-0x0000000004A82000-memory.dmp

Filesize
328KB

Download
memory/1840-51-0x0000000005950000-0x0000000005A4C000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads