blackmoon | f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb

General

Target

f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
Size

14.8MB
MD5

7c2310e2caf1397a700834035873da8e
SHA1

50c8962cccc99a846cd8fb99412d2aca4b28b0ad
SHA256

f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb
SHA512

f167bf67f9c82ecb0c7da95b972895174320aa94f3c1a234493eeefd064a29ee03c2925c16e0e39818534ea9049ec6a765b56a0edc4ce73c6835e1188c6ca344
SSDEEP

393216:gPDPMlFbN6yoNBkExhHDa76y36aqcXG+A1ysSMc4:Y07Uyo/D876vaqJ16x4

Score

10^/10

blackmoon aspackv2 banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

resource	yara_rule
behavioral2/memory/3464-2-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/3464-1-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/3464-3-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/3464-17-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/4756-19-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/4756-18-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/4756-21-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon
behavioral2/memory/4756-50-0x0000000000400000-0x0000000000926000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023626-14.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4756	33277f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\H:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\K:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\P:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\S:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\V:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\A:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\L:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\R:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\U:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\X:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\Y:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\Z:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\B:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\I:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\J:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\N:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\O:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\W:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\E:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\M:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\Q:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
File opened (read-only)	\??\T:	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3464	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
3464	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
3464	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
4756	33277f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
4756	33277f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
4756	33277f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 4756	3464	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe	94
PID 3464 wrote to memory of 4756	3464	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe	94
PID 3464 wrote to memory of 4756	3464	f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe	94

C:\Users\Admin\AppData\Local\Temp\f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
"C:\Users\Admin\AppData\Local\Temp\f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3464
- C:\¾ÅÖÝ´«Ææ\33277f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
  C:\¾ÅÖÝ´«Ææ\33277f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
1⤵
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9d0d78675db70d305aead6283207911a.txt

Filesize
12B

MD5
16d3524c8a0205605112b32c3200eb75

SHA1
320c6217513556163cbdf25393b34b21457d42b9

SHA256
596097582ce23b86fd85ea7b7afb9e8e182a24102c203035fa80f7836de95e2a

SHA512
eabb314dc41c8cad87950c51037285c1cd9676e28b38e85af5e18b282429228fa8ec146a1b3a53bcd656b4058c9cfcc91ee33cca08cd168d5123d49c440c21e3

Download Submit
C:\¾ÅÖÝ´«Ææ\33277f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe

Filesize
14.8MB

MD5
7c2310e2caf1397a700834035873da8e

SHA1
50c8962cccc99a846cd8fb99412d2aca4b28b0ad

SHA256
f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb

SHA512
f167bf67f9c82ecb0c7da95b972895174320aa94f3c1a234493eeefd064a29ee03c2925c16e0e39818534ea9049ec6a765b56a0edc4ce73c6835e1188c6ca344

Download Submit
memory/3464-7-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/3464-3-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3464-9-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/3464-8-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download
memory/3464-2-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3464-0-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3464-17-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/3464-1-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/4756-20-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/4756-19-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/4756-18-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/4756-21-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download
memory/4756-50-0x0000000000400000-0x0000000000926000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing