General

  • Target

    9fbd27b1402605cb6dffc2a69e38a6d0a80dc7a6779b85c476197342c9ffd4fc

  • Size

    1.9MB

  • Sample

    240621-kmqsxatbjh

  • MD5

    3d4a82981cea0d77fcbc5b1afa3bed8e

  • SHA1

    1a00caccf9d464a90a6deffead4840b806e58811

  • SHA256

    9fbd27b1402605cb6dffc2a69e38a6d0a80dc7a6779b85c476197342c9ffd4fc

  • SHA512

    f00cb846e0366bfd58082480c6137204052e29fcb0fdb7eb9753ad4124a50575dbe81cf2059db7d3cf5b0d75efc13e1eb874931b987031dc0e2b4fcb3dcb4ec8

  • SSDEEP

    49152:PtMQjNrDnRa/O4VP0nWft3xl0nB49aXZmMA4ML5AzSyfuAYe:ltYOAPzfxW49unUL5iBHB

Malware Config

Targets

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15