blackmoon | db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851

General

Target

db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe
Size

9.5MB
MD5

8102e8dca3cbac91aad743b664e7d351
SHA1

4c513c2122fdc2f92f0bd80bb4b5fd3e2283dcca
SHA256

db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851
SHA512

a49e8eb8c4f90281b1dca5935a3df99e594650165dce9694f703f1ba399ac0358b8df8134011d86846d4553ebc73d50559bb2e11be21904b2f549125326a4322
SSDEEP

196608:JuoJcDKlFBqZcPzFwDxURK8vyqByLdlf3hRQIgLKNj:JJODKlFBqauayOclfhRQIG2j

Score

10^/10

blackmoon banker spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000002341b-5.dat	family_blackmoon
behavioral2/files/0x000d00000002337a-11.dat	family_blackmoon

Executes dropped EXE 2 IoCs

pid	Process
2916	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe
2780	E6B97C29494CFAF6446691A8772ABE7C.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe
Token: SeDebugPrivilege	2428	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe
Token: SeDebugPrivilege	2916	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe
Token: SeDebugPrivilege	2916	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe
Token: SeDebugPrivilege	2916	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2916	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe
2428	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2916	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe
2428	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2428	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe
2916	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe
2780	E6B97C29494CFAF6446691A8772ABE7C.exe
2780	E6B97C29494CFAF6446691A8772ABE7C.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2916	2428	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe	82
PID 2428 wrote to memory of 2916	2428	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe	82
PID 2428 wrote to memory of 2916	2428	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe	82
PID 2916 wrote to memory of 2780	2916	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe	87
PID 2916 wrote to memory of 2780	2916	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe	87
PID 2916 wrote to memory of 2780	2916	db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe	87

C:\Users\Admin\AppData\Local\Temp\db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe
"C:\Users\Admin\AppData\Local\Temp\db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Roaming\68Æ·ÅÆ\db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe
  "C:\Users\Admin\AppData\Roaming\68Æ·ÅÆ\db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Roaming\68Æ·ÅÆ\E6B97C29494CFAF6446691A8772ABE7C.exe
    "C:\Users\Admin\AppData\Roaming\68Æ·ÅÆ\E6B97C29494CFAF6446691A8772ABE7C.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\68Æ·ÅÆ\E6B97C29494CFAF6446691A8772ABE7C.exe

Filesize
9.0MB

MD5
ea58dfc72d3690e972e84deace9371c4

SHA1
7f2c4fc6a5110a5afc13332850045c54dea5ddd7

SHA256
a6bc7bdafd8acd1bc5c6ce40104741d286daeb56bd25cf7e3d364ca65601c0ba

SHA512
dc6e87fd85e058190f4943649775f55bd52cb5eddfec154b31563677df8e0f8ae16977a31495d92a1d3b4596dfc9e263a6357efa03c342f3af70296c374578a1

Download Submit
C:\Users\Admin\AppData\Roaming\68Æ·ÅÆ\db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851.exe

Filesize
9.5MB

MD5
8102e8dca3cbac91aad743b664e7d351

SHA1
4c513c2122fdc2f92f0bd80bb4b5fd3e2283dcca

SHA256
db43781864256c6d4ef0b05ae6139da25dd605288f8c5d6aff761cb892f52851

SHA512
a49e8eb8c4f90281b1dca5935a3df99e594650165dce9694f703f1ba399ac0358b8df8134011d86846d4553ebc73d50559bb2e11be21904b2f549125326a4322

Download Submit
C:\Users\Admin\Desktop\68Æ·ÅÆ.lnk

Filesize
1KB

MD5
cf3018b156fd902511b5be00ecbce486

SHA1
4208429d1de48e964a42ec88f9ba9eb9821b0558

SHA256
3207248eba78cffc0e353a6a417cc2f01e3ae07257403b702432a684d444d676

SHA512
b1a00c63c12359f50feacdb94daf9230dbea7d8ddea46003770923cace6211980302589d00407489f121e89723d585d5fa66cb2c75bcc7d991f2a394581911a0

Download Submit

Analysis

Sharing