blackmoon | 3b6750eab360b19f9a9bbb8360bc397fcdb9a46444aa6e8cc986dad5da0a13d9

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 07:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b6750eab360b19f9a9bbb8360bc397fcdb9a46444aa6e8cc986dad5da0a13d9.exe
Size

9.3MB
MD5

5b02f6d948d85f35f0f692a34de000ae
SHA1

4bb7842f56a88b5e8faae634c93616dca73f2c49
SHA256

3b6750eab360b19f9a9bbb8360bc397fcdb9a46444aa6e8cc986dad5da0a13d9
SHA512

c56967927fa4e02e75392cb49e2bc987df87b7a1f1f7bb8f557a71e1a2daa28ded5e49707bd4f8017035fbf8dc5cd4574f90d45fd6f36b92df9d9534b6e70f83
SSDEEP

196608:UgAsERL1mypI99w7oCo+LI0efVt5XunaKzVFNPTMc:USERLPpI99uo46fVtcRzVzn

Score

10^/10

blackmoon banker bootkit persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/1644-1-0x0000000000400000-0x00000000014BA000-memory.dmp	family_blackmoon
behavioral1/memory/1644-45-0x0000000000400000-0x00000000014BA000-memory.dmp	family_blackmoon
behavioral1/memory/1644-46-0x0000000000400000-0x00000000014BA000-memory.dmp	family_blackmoon
behavioral1/memory/1644-48-0x0000000000400000-0x00000000014BA000-memory.dmp	family_blackmoon

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	3b6750eab360b19f9a9bbb8360bc397fcdb9a46444aa6e8cc986dad5da0a13d9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1644	3b6750eab360b19f9a9bbb8360bc397fcdb9a46444aa6e8cc986dad5da0a13d9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1644	3b6750eab360b19f9a9bbb8360bc397fcdb9a46444aa6e8cc986dad5da0a13d9.exe
1644	3b6750eab360b19f9a9bbb8360bc397fcdb9a46444aa6e8cc986dad5da0a13d9.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1644	3b6750eab360b19f9a9bbb8360bc397fcdb9a46444aa6e8cc986dad5da0a13d9.exe
1644	3b6750eab360b19f9a9bbb8360bc397fcdb9a46444aa6e8cc986dad5da0a13d9.exe

C:\Users\Admin\AppData\Local\Temp\3b6750eab360b19f9a9bbb8360bc397fcdb9a46444aa6e8cc986dad5da0a13d9.exe
"C:\Users\Admin\AppData\Local\Temp\3b6750eab360b19f9a9bbb8360bc397fcdb9a46444aa6e8cc986dad5da0a13d9.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1644-0-0x0000000000708000-0x0000000000C1F000-memory.dmp

Filesize
5.1MB

Download
memory/1644-1-0x0000000000400000-0x00000000014BA000-memory.dmp

Filesize
16.7MB

Download
memory/1644-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1644-14-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1644-41-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1644-39-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1644-37-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1644-36-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1644-34-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1644-32-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1644-31-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1644-29-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1644-26-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1644-45-0x0000000000400000-0x00000000014BA000-memory.dmp

Filesize
16.7MB

Download
memory/1644-24-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1644-21-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1644-19-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1644-16-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1644-11-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1644-9-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1644-7-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1644-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1644-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1644-46-0x0000000000400000-0x00000000014BA000-memory.dmp

Filesize
16.7MB

Download
memory/1644-47-0x0000000000708000-0x0000000000C1F000-memory.dmp

Filesize
5.1MB

Download
memory/1644-48-0x0000000000400000-0x00000000014BA000-memory.dmp

Filesize
16.7MB

Download