blackmoon | 44609ee456529c19b6193f5a12d0bff9bad6df4305c5c2a4b92aa2a314b9cfa2

General

Target

合同.exe
Size

22.7MB
MD5

0185d2869f57f204f9a6900fd64d03ae
SHA1

0b8f9dfa134a601ad9e3a24b520e567ad530a06f
SHA256

44609ee456529c19b6193f5a12d0bff9bad6df4305c5c2a4b92aa2a314b9cfa2
SHA512

3740aa9f17de48dd882b4be921d3fb848ec89bc07d3f395506d81cd5232c7735d42306c88d9db5c77714d95330232c62e073c927870e2f61dd736590040636f0
SSDEEP

196608:qEYpB1oNKPLCuSJlCuA5GLAlyFzG/ArV/fT/Tn82QDZE7N1YA:pQyNKPLCuS3CD/k1T7B7AA

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 6 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023404-8.dat	family_blackmoon
behavioral2/memory/4328-27-0x0000000000B10000-0x0000000000CCB000-memory.dmp	family_blackmoon
behavioral2/memory/4328-26-0x0000000000B10000-0x0000000000CCB000-memory.dmp	family_blackmoon
behavioral2/memory/4328-25-0x0000000000B10000-0x0000000000CCB000-memory.dmp	family_blackmoon
behavioral2/memory/4328-23-0x0000000000B10000-0x0000000000CCB000-memory.dmp	family_blackmoon
behavioral2/memory/4328-32-0x0000000000B10000-0x0000000000CCB000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	合同.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk	Tomcat.exe

Executes dropped EXE 1 IoCs

pid	Process
4328	Tomcat.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2720-2-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/2720-3-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4328-20-0x0000000002530000-0x0000000002548000-memory.dmp	upx
behavioral2/memory/4328-33-0x0000000002530000-0x0000000002548000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2720	合同.exe
2720	合同.exe
2720	合同.exe
2720	合同.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe
4328	Tomcat.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	Tomcat.exe
Token: SeLockMemoryPrivilege	4328	Tomcat.exe
Token: SeCreateGlobalPrivilege	4328	Tomcat.exe
Token: SeBackupPrivilege	4328	Tomcat.exe
Token: SeRestorePrivilege	4328	Tomcat.exe
Token: SeShutdownPrivilege	4328	Tomcat.exe
Token: SeCreateTokenPrivilege	4328	Tomcat.exe
Token: SeTakeOwnershipPrivilege	4328	Tomcat.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2720	合同.exe
2720	合同.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 4328	2720	合同.exe	81
PID 2720 wrote to memory of 4328	2720	合同.exe	81
PID 2720 wrote to memory of 4328	2720	合同.exe	81

C:\Users\Admin\AppData\Local\Temp\合同.exe
"C:\Users\Admin\AppData\Local\Temp\合同.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\Documents\Tomcat.exe
  "C:\Users\Admin\Documents\Tomcat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Tomcat.exe

Filesize
1.6MB

MD5
915a23beb4886796c9629f3622cf0a8d

SHA1
4ba8b90473d1f46c08e779dfe6a241e5a82982fd

SHA256
87a65cb469d7a4fa14dc4e1ad4af5325f5e792692929a37907a1e281ef89b865

SHA512
dc0fcc44b9e7c5e2d6a05ab47e8c93a79416168fa63f0abbd5349346cda7c7df2c1b27710c06b99454ef50e56833ed7e2e9d1a0744d08d7cf5c7d41eb8ba719e

Download Submit
C:\Users\Admin\Documents\conf.ini

Filesize
98B

MD5
43d321644c9d7ee72ab205009d64bc77

SHA1
d3667be512967885aea7f03f7b5cc1e5a150066c

SHA256
1eb4a00edca2d0db22abeb8597b9cb51a6f347edf756b1e22918db1c4be6ad84

SHA512
42523cb3e4366bd4dc4d823f5b5f3df6f31429d7a4a8667a4414168252a8cfef4b1c32099f230666b980044ccf8329a5bcbc3e01c08182228272f4a1d7c6309a

Download Submit
memory/2720-1-0x0000000006D90000-0x0000000006DB7000-memory.dmp

Filesize
156KB

Download
memory/2720-2-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2720-3-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4328-26-0x0000000000B10000-0x0000000000CCB000-memory.dmp

Filesize
1.7MB

Download
memory/4328-21-0x0000000000B6B000-0x0000000000B6C000-memory.dmp

Filesize
4KB

Download
memory/4328-27-0x0000000000B10000-0x0000000000CCB000-memory.dmp

Filesize
1.7MB

Download
memory/4328-18-0x0000000002480000-0x00000000024AB000-memory.dmp

Filesize
172KB

Download
memory/4328-25-0x0000000000B10000-0x0000000000CCB000-memory.dmp

Filesize
1.7MB

Download
memory/4328-23-0x0000000000B10000-0x0000000000CCB000-memory.dmp

Filesize
1.7MB

Download
memory/4328-12-0x0000000010000000-0x0000000010109000-memory.dmp

Filesize
1.0MB

Download
memory/4328-24-0x0000000002CF0000-0x0000000002D49000-memory.dmp

Filesize
356KB

Download
memory/4328-20-0x0000000002530000-0x0000000002548000-memory.dmp

Filesize
96KB

Download
memory/4328-30-0x0000000002CF0000-0x0000000002D49000-memory.dmp

Filesize
356KB

Download
memory/4328-33-0x0000000002530000-0x0000000002548000-memory.dmp

Filesize
96KB

Download
memory/4328-32-0x0000000000B10000-0x0000000000CCB000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing