blackmoon | ecd03f2df3bce71d044a5b49a26a263570925d6a8ad5b87228c6b8b2bfbd4e2d

General

Target

534438f3e73b2a97311bce035511ae90N.exe
Size

1.7MB
MD5

534438f3e73b2a97311bce035511ae90
SHA1

91b6066c70cbd17ad67d8700b8ae34ed055eff31
SHA256

ecd03f2df3bce71d044a5b49a26a263570925d6a8ad5b87228c6b8b2bfbd4e2d
SHA512

9fe53bc3e00d48d11d18316efdc80871a8e55a3157681a7e6591a907cc7c23a539118ab0757b33a75ea31f42dab79bfcc32460af05f527bfc8336075ad7b558c
SSDEEP

49152:6+lYMoRzEVMOiMeGP0NaPNcp0sUPYu7UGHMke:RlrylGcaepMAOsk

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/2652-4-0x00000000010A0000-0x0000000001286000-memory.dmp	family_blackmoon
behavioral1/memory/2652-18-0x00000000010A0000-0x0000000001286000-memory.dmp	family_blackmoon
behavioral1/memory/2652-17-0x00000000010A0000-0x0000000001286000-memory.dmp	family_blackmoon
behavioral1/memory/2652-20-0x00000000010A0000-0x0000000001286000-memory.dmp	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000120f9-1.dat	acprotect

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk	534438f3e73b2a97311bce035511ae90N.exe

Loads dropped DLL 2 IoCs

pid	Process
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000120f9-1.dat	upx
behavioral1/memory/2652-11-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/2652-16-0x0000000000150000-0x0000000000168000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe
2652	534438f3e73b2a97311bce035511ae90N.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	534438f3e73b2a97311bce035511ae90N.exe
Token: SeLockMemoryPrivilege	2652	534438f3e73b2a97311bce035511ae90N.exe
Token: SeCreateGlobalPrivilege	2652	534438f3e73b2a97311bce035511ae90N.exe
Token: SeBackupPrivilege	2652	534438f3e73b2a97311bce035511ae90N.exe
Token: SeRestorePrivilege	2652	534438f3e73b2a97311bce035511ae90N.exe
Token: SeShutdownPrivilege	2652	534438f3e73b2a97311bce035511ae90N.exe
Token: SeCreateTokenPrivilege	2652	534438f3e73b2a97311bce035511ae90N.exe
Token: SeTakeOwnershipPrivilege	2652	534438f3e73b2a97311bce035511ae90N.exe

C:\Users\Admin\AppData\Local\Temp\534438f3e73b2a97311bce035511ae90N.exe
"C:\Users\Admin\AppData\Local\Temp\534438f3e73b2a97311bce035511ae90N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Ling\malloc\L_mimalloc.dll

Filesize
148KB

MD5
051d69a619adca3472e8d7c9b0c0eb5c

SHA1
6cc795ac90e43e408919e19ba6f5633863560459

SHA256
feefc12464985e2057a4cbd54117e9414f2e00a284106fa38b62d63052a1f7dd

SHA512
50daa3344aa4d86cdd22cf5736eec993467e6574c5e341cd0fd95757c739e167b6e76c744b29ae302d08c88d469fea0767640a9257f54f9dec2c5fbb87c23b71

Download Submit
\Users\Admin\AppData\Roaming\zlib.dll

Filesize
27KB

MD5
849e9f3e59daf750db838e885d58c6fa

SHA1
733cb105153e4b83160a52bfa2ddd95d750fb806

SHA256
f94949a6c121a525f661dd8abd917eb37a5cf582c89e3a258170a15d30cc0cc2

SHA512
3feff6db5fc5ae371a4ec60ce13a383668a5accac537a0ae56b9b5b7318a2d5bdb4b79286a519cad3610cb6d1f335a11c09a4d3165c147a00d5a7880ea23e173

Download Submit
memory/2652-3-0x00000000010F7000-0x00000000010F8000-memory.dmp

Filesize
4KB

Download
memory/2652-11-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2652-5-0x0000000002C60000-0x0000000002D69000-memory.dmp

Filesize
1.0MB

Download
memory/2652-4-0x00000000010A0000-0x0000000001286000-memory.dmp

Filesize
1.9MB

Download
memory/2652-18-0x00000000010A0000-0x0000000001286000-memory.dmp

Filesize
1.9MB

Download
memory/2652-17-0x00000000010A0000-0x0000000001286000-memory.dmp

Filesize
1.9MB

Download
memory/2652-16-0x0000000000150000-0x0000000000168000-memory.dmp

Filesize
96KB

Download
memory/2652-19-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2652-20-0x00000000010A0000-0x0000000001286000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing