blackmoon | 3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768

General

Target

3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
Size

13.0MB
MD5

49a208ed1a98ec041de65f882163f62b
SHA1

9f9790c7d3856820bccc916a0cf9285ef3abf6b0
SHA256

3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768
SHA512

8516d04f526c9064ee3e425d8b8be44f1d535716c0315ba225fcbdb7c5225f58e0bbd7aa65deebb258bf0cfdb822f570ae0c4458f5397a1e8b4e96ec1364d9d3
SSDEEP

393216:iOzlFbN6yWADGyULN7HCP4kvfTSUa1/Lt:1z7UyWAa7L9shT1a1zt

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

resource	yara_rule
behavioral1/memory/2500-6-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2500-7-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2500-8-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2500-9-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2500-10-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2500-43-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2748-74-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon
behavioral1/memory/2748-76-0x0000000000400000-0x00000000009FA000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
2748	193593198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe

Loads dropped DLL 1 IoCs

pid	Process
2500	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\U:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\Z:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\N:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\P:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\R:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\S:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\B:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\G:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\H:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\L:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\X:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\Y:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\A:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\I:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\K:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\V:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\Q:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\W:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\E:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\J:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\M:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
File opened (read-only)	\??\O:	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	193593198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2500	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
2500	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
2500	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
2748	193593198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
2748	193593198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
2748	193593198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2748	2500	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe	28
PID 2500 wrote to memory of 2748	2500	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe	28
PID 2500 wrote to memory of 2748	2500	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe	28
PID 2500 wrote to memory of 2748	2500	3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe	28

C:\Users\Admin\AppData\Local\Temp\3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
"C:\Users\Admin\AppData\Local\Temp\3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500
- C:\ìiýˆ¤£[×¨Êô]\193593198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
  C:\ìiýˆ¤£[×¨Êô]\193593198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6F0O117Z\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6F0O117Z\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\51ba5ce08ce7f251dbe5e62856b62c9c.txt

Filesize
16B

MD5
b8b58d71b6bc52fbb90a6e40822bc040

SHA1
2b4c17ca0ff4afbbdc2f767c55e712daed280e7d

SHA256
5086c8342e3a6bfd4f5446a3ef599ab4191f604d7eafd1f74af77278d0bd15da

SHA512
1a267ed99fabc69eb4a6c63d21567b5f38420705f2a10bf44e3c85b52d594cb45b2c4fbe2a5b14b3e544496dc4dbd7a5cbc3c1138e59a78fbd4a61c515078ba7

Download Submit
\ìiýˆ¤£[×¨Êô]\193593198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768.exe

Filesize
13.0MB

MD5
49a208ed1a98ec041de65f882163f62b

SHA1
9f9790c7d3856820bccc916a0cf9285ef3abf6b0

SHA256
3198e481262bb4723ca43dd6740240b40429b44bdb775195f94342aff17dc768

SHA512
8516d04f526c9064ee3e425d8b8be44f1d535716c0315ba225fcbdb7c5225f58e0bbd7aa65deebb258bf0cfdb822f570ae0c4458f5397a1e8b4e96ec1364d9d3

Download Submit
memory/2500-7-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2500-42-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2500-9-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2500-10-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2500-0-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2500-43-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2500-1-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2500-8-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2500-46-0x000000000CED0000-0x000000000D4CA000-memory.dmp

Filesize
6.0MB

Download
memory/2500-6-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2500-5-0x00000000004FF000-0x0000000000500000-memory.dmp

Filesize
4KB

Download
memory/2748-45-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2748-74-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2748-76-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing