blackmoon | c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc

General

Target

c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe
Size

10.9MB
MD5

cf09dad3714cd5284f81c4480a3b3fac
SHA1

6f77f21c1a9759d55f96f4ac7fc2a50d700a6244
SHA256

c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc
SHA512

a80fdcb02f8b078c91157e08d5af7c6c6f16d67850c8aaa28f4c17bf6faea798716ecffd03468bd107d644d4603a10be4b15770b3ecff6735c5c06abc1c835c6
SSDEEP

196608:qznANmeshQxOC5zshnLD/gvWAulknBjo5MKap:HI1CxCyju+nB0MKU

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/2356-35-0x0000000010000000-0x00000000100B6000-memory.dmp	family_blackmoon
behavioral1/memory/2356-43-0x0000000010000000-0x00000000100B6000-memory.dmp	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000018683-18.dat	acprotect
behavioral1/files/0x0003000000012000-26.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2588	Lx_Aria2c.exe

Loads dropped DLL 5 IoCs

pid	Process
2356	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe
2356	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe
2356	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe
2620	Process not Found
2356	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000018683-18.dat	upx
behavioral1/memory/2356-22-0x0000000074140000-0x00000000743DB000-memory.dmp	upx
behavioral1/memory/2356-29-0x0000000010000000-0x00000000100B6000-memory.dmp	upx
behavioral1/files/0x0003000000012000-26.dat	upx
behavioral1/memory/2356-32-0x0000000074140000-0x00000000743DB000-memory.dmp	upx
behavioral1/memory/2356-35-0x0000000010000000-0x00000000100B6000-memory.dmp	upx
behavioral1/memory/2356-43-0x0000000010000000-0x00000000100B6000-memory.dmp	upx
behavioral1/memory/2356-66-0x0000000074140000-0x00000000743DB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2356	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2356	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe
2356	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe
2356	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2588	2356	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe	31
PID 2356 wrote to memory of 2588	2356	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe	31
PID 2356 wrote to memory of 2588	2356	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe	31
PID 2356 wrote to memory of 2588	2356	c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe	31

C:\Users\Admin\AppData\Local\Temp\c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe
"C:\Users\Admin\AppData\Local\Temp\c504ae3134fc2eef5dc43cbeec0b2d17bb6aa2dcd3f8d3e7f28114930625ffbc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\Lx_Aria2c.exe
  "C:\Users\Admin\AppData\Local\Temp\Lx_Aria2c.exe" --conf-path=C:\Users\Admin\AppData\Local\Temp\aria2.conf #--save-session=C:\Users\Admin\AppData\Local\Temp\aria2.session --input-file=C:\Users\Admin\AppData\Local\Temp\aria2.session --rpc-listen-port=7022 --listen-port=7055 --dht-listen-port=7033 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path=C:/Users/Admin/AppData/Local/Temp/dht.dat --dht-file-path6=C:/Users/Admin/AppData/Local/Temp/dht6.dat --bt-external-ip= --stop-with-process=2356
  2⤵
  - Executes dropped EXE
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lx_Aria2c.exe

Filesize
7.4MB

MD5
5f21116bf47d681bd6b7204c22b1c3ae

SHA1
3ddadc7669445230992568fa1493ae648bcdd252

SHA256
eae4b5599f4575cb4d05858bd5600faf2e5fdf2804c58d374b9876bd31ab56a5

SHA512
d5585cecd5933ff3361128dbd26eb18dc216cb77a2454a72b4f102162b26ccd48d18e61d988998a93b050d991524a782cd9202f69c281c650a6b8b3fadbf7dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria2.conf

Filesize
55KB

MD5
58a3f44f99122a4a7ad7f285b7cb015e

SHA1
e8eaa4a2f560dbf866476725592e9d4ca2dd8012

SHA256
b48565b171e48670e48c910ca5659361878fb527294050c93050576d664b019b

SHA512
08d3dca96eda6557fb2c1a99fc94caed672da53a645218fc858a55ae2f74939c57e1daa41acff0cc8a12fc63fae540369193c948d36b9a3faeb7697e68f1f07f

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl.dll

Filesize
1.2MB

MD5
5271aaa62f698410541480fde7a83b5c

SHA1
e064163660fba20753a31cbd8453fe7a836a4f5e

SHA256
c442b9b62eee26434b4314a03e3193389564c740d0d3ed38951875d406a7b6d3

SHA512
609880514f170acc4d7e6e433600ffc696e236f36b97c8f04355c5dddc087f0a4094cc8fcf967c393519e37ce65039e14ef01c1ae6b5a47b58075e970b18f40c

Download Submit
\Users\Admin\AppData\Local\Temp\libexdui.dll

Filesize
168KB

MD5
32ab548fc2dabe299609b0fbefb570d1

SHA1
482d3eea3a49e9c81d21bb16cba33cbadcc07f99

SHA256
cf3880791580075582d00675576350d08f2d9cde0555cf04c63ed5a8b76366fd

SHA512
ec674e133a768a80c5502392ff85db341be674d82955387c4b0cb8408f798dca27f0be010d2a0520c07f4197d00d960afd811ef3a93f6ab65feb19753ab5d72b

Download Submit
memory/2356-31-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2356-33-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2356-29-0x0000000010000000-0x00000000100B6000-memory.dmp

Filesize
728KB

Download
memory/2356-28-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2356-24-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2356-30-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/2356-22-0x0000000074140000-0x00000000743DB000-memory.dmp

Filesize
2.6MB

Download
memory/2356-32-0x0000000074140000-0x00000000743DB000-memory.dmp

Filesize
2.6MB

Download
memory/2356-34-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2356-25-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2356-35-0x0000000010000000-0x00000000100B6000-memory.dmp

Filesize
728KB

Download
memory/2356-40-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/2356-41-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/2356-66-0x0000000074140000-0x00000000743DB000-memory.dmp

Filesize
2.6MB

Download
memory/2356-39-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/2356-43-0x0000000010000000-0x00000000100B6000-memory.dmp

Filesize
728KB

Download
memory/2588-38-0x000000013FEB0000-0x000000014061B000-memory.dmp

Filesize
7.4MB

Download

Analysis

Sharing