blackmoon | b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690

General

Target

b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
Size

13.2MB
MD5

b6e081ba084c6b4cc7840554729e9c84
SHA1

699f38e2a7503242d1329726fb9133e196d8bec4
SHA256

b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690
SHA512

8a42b7ffd3c75273eff9172a1b149cb6988883948bd71a0f11e53d45c3f5f841cdaf4fffae28cbe761c24214114d1b4924e0bcc28b37ca2c7a5521885d4377fe
SSDEEP

196608:W2TEKrPk/nY2L73dUXnEK9KW9J/Rn8ZbEvtmImY0jjhyq0ShCoWJSB:Pz2pX32Xn7kW93CuNr0HysgM

Score

10^/10

blackmoon banker trojan upx vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/3164-27-0x0000000010000000-0x00000000111C3000-memory.dmp	family_blackmoon

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3164-30-0x0000000006380000-0x000000000640A000-memory.dmp	upx

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3164-11-0x0000000000400000-0x0000000001D3D000-memory.dmp	vmprotect
behavioral2/memory/3164-12-0x0000000000400000-0x0000000001D3D000-memory.dmp	vmprotect
behavioral2/memory/3164-17-0x0000000010000000-0x00000000111C3000-memory.dmp	vmprotect
behavioral2/memory/3164-20-0x0000000000400000-0x0000000001D3D000-memory.dmp	vmprotect
behavioral2/memory/3164-27-0x0000000010000000-0x00000000111C3000-memory.dmp	vmprotect
behavioral2/memory/3164-33-0x0000000000400000-0x0000000001D3D000-memory.dmp	vmprotect
behavioral2/memory/3164-34-0x0000000000400000-0x0000000001D3D000-memory.dmp	vmprotect
behavioral2/memory/3164-35-0x0000000000400000-0x0000000001D3D000-memory.dmp	vmprotect
behavioral2/memory/3164-37-0x0000000000400000-0x0000000001D3D000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
Token: SeDebugPrivilege	3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
3164	b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe

C:\Users\Admin\AppData\Local\Temp\b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe
"C:\Users\Admin\AppData\Local\Temp\b0ae3cd0ab2497282cc17a2d386775e827510bf6dc257d773d08afdd100c7690.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3164-7-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3164-6-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3164-5-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3164-4-0x0000000000CCC000-0x0000000001007000-memory.dmp

Filesize
3.2MB

Download
memory/3164-3-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3164-0-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/3164-1-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/3164-2-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3164-11-0x0000000000400000-0x0000000001D3D000-memory.dmp

Filesize
25.2MB

Download
memory/3164-12-0x0000000000400000-0x0000000001D3D000-memory.dmp

Filesize
25.2MB

Download
memory/3164-17-0x0000000010000000-0x00000000111C3000-memory.dmp

Filesize
17.8MB

Download
memory/3164-20-0x0000000000400000-0x0000000001D3D000-memory.dmp

Filesize
25.2MB

Download
memory/3164-26-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/3164-25-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/3164-27-0x0000000010000000-0x00000000111C3000-memory.dmp

Filesize
17.8MB

Download
memory/3164-24-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/3164-23-0x0000000003ED0000-0x0000000003ED1000-memory.dmp

Filesize
4KB

Download
memory/3164-22-0x0000000003EC0000-0x0000000003EC1000-memory.dmp

Filesize
4KB

Download
memory/3164-21-0x0000000003EB0000-0x0000000003EB1000-memory.dmp

Filesize
4KB

Download
memory/3164-30-0x0000000006380000-0x000000000640A000-memory.dmp

Filesize
552KB

Download
memory/3164-33-0x0000000000400000-0x0000000001D3D000-memory.dmp

Filesize
25.2MB

Download
memory/3164-34-0x0000000000400000-0x0000000001D3D000-memory.dmp

Filesize
25.2MB

Download
memory/3164-35-0x0000000000400000-0x0000000001D3D000-memory.dmp

Filesize
25.2MB

Download
memory/3164-36-0x0000000000CCC000-0x0000000001007000-memory.dmp

Filesize
3.2MB

Download
memory/3164-37-0x0000000000400000-0x0000000001D3D000-memory.dmp

Filesize
25.2MB

Download

Analysis

Sharing