blackmoon | 3a15890bedd42d2f1212ace0369dce19f30f85ac65faf3f094933b3be7a6372b | Triage

Resubmissions

24/06/2024, 08:15

240624-j5zm4asera 10

10/06/2024, 16:22

240610-tvfscatcnn 10

Sharing

General

Target

样本.zip
Size

180.3MB
Sample

240624-j5zm4asera
MD5

c37be047c0949b4f349ef99528f0d684
SHA1

8c40dd0b8585a2390271ecb7bb5513f779a0f123
SHA256

3a15890bedd42d2f1212ace0369dce19f30f85ac65faf3f094933b3be7a6372b
SHA512

935189eb061ae8b7d585df0873a0bcc6ffff84a0a49377c6c4313886345be57123ca930f783514d33cc09ae117003fe10d14845ac8c08fbe3a09794777ae9434
SSDEEP

3145728:hf1T1l+QtfwiI/ioad7Gq2DEq040HfnRAXHLfHBdSsDhHAnITNp:vhPI6oadN2wql0/nRwhDPTP

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Targets

- Target
  
  ??/8???Ukey????? (1).msi
- Size
  
  1.9MB
- MD5
  
  269e05f516852a7baa5d168905b53917
- SHA1
  
  986a2a3649944755e675707a230b20c21c6ba2f0
- SHA256
  
  20d9e6fe87c8c9660e3bcb8b9413b8fd2464f242d2808b326a86bfc8289525b0
- SHA512
  
  4a6093525dc6274ccf9a5a06adc04507dcbfa172cf533fa68033c2a96c9683d2dc333fe21da14d74b47160d44635252f6e368cd3e6c5181401edaca36faed2cf
- SSDEEP
  
  49152:EJmYm2OgKO5qcIZ4Yh8teZKumZrCA7512QzwcZDrFL:nYFOgj5qc4KGAt12Qzw
Score

6^/10
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2
- Target
  
  9jRa0z93.exe
- Size
  
  25.5MB
- MD5
  
  c42a1742a8c1a69b5a9ec263f173daef
- SHA1
  
  11ffc34f7f0488ec7ffa6be74f3a8ece49bed3e6
- SHA256
  
  1c2d3ae570f73106e508a7c4892e11aec77d54012bd17dcf81d17ea6f100e34d
- SHA512
  
  8dc57f80b117f9125e5bf9a834801eb5b7e3ee6899f4eb719be3bcade533084efef803fbacc58e53c94efcbbee2901903d78c8d1e92891e4560bb4eb0e6c36c4
- SSDEEP
  
  786432:V6di1BEnvQu7vja8IDKrZMu4GwjSB6QJekq/b4S0tF:VsCu7v2jKrWuPwjq6gVftF
Score

10^/10

blackmoon banker discovery trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral3 behavioral4
- Target
  
  ??/output_64.bin
- Size
  
  127KB
- MD5
  
  558d20b6f765fed74bde50a91fe61ef4
- SHA1
  
  241955c138dc478da65a95e94c494e4b0be0eeff
- SHA256
  
  46a1dd08480c28c79cda7858703e289d789d2b55c3ee804a1822e0ec4eae3221
- SHA512
  
  74dc8ddeeb03e08dcae7089cbd4eef765a0cf706f7e215e5d706996819cfebb8fcaab862b870fc03381b6fff54701a9329b6a8cd36eb37fa0d7447bebb3c08f5
- SSDEEP
  
  3072:xeaPmKcYQaVlrejcIT+E8EKhCfSLc1Ch4HDnIPUYk8DGKe:saPyYLHSjlTfKhCKo1Ck65le
Score

1^/10
behavioral5 behavioral6
- Target
  
  ??/output_86.bin
- Size
  
  2KB
- MD5
  
  afd7b0a2c088191a757d7c2eda73628b
- SHA1
  
  21f55b70f07322f5c05dec1f1578db697187e3bc
- SHA256
  
  1686c1823ff14386392ace11a0d190b693e945224ab02219f76b16c523d47b13
- SHA512
  
  aee4a308938ed8c487b7ba24ac278aebcc0c628efbbad5f2c9724ab4c2c809bcbc95456b20999bdaaa6d0b1920aa2298f29b76d3d958f5939bf3b7f6ad411a2a
Score

3^/10
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

blackmoonbankerdiscoverytrojanupx

behavioral4

blackmoonbankertrojanupx

behavioral5

behavioral6

behavioral7

behavioral8