blackmoon | 61bde78faff2f15db4a32cec6b3b9cee53de0d854fb58579c00873ed8c8aea25 | Triage

Sharing

General

Target

dab221de0cfbfa8ec9a62fb0d92a283a_JaffaCakes118
Size

11.1MB
Sample

240911-tawytszard
MD5

dab221de0cfbfa8ec9a62fb0d92a283a
SHA1

056ea1d57ee8c64387ba3ca8a565ac1d465df36e
SHA256

61bde78faff2f15db4a32cec6b3b9cee53de0d854fb58579c00873ed8c8aea25
SHA512

7181644b011a866cd4133598e6587f5456ec8e8abc82b307aadddcc3221d8d8c79980cba1106e4a219190d55eade0c6f748806828d8d9b25dfa0a129e2cb7acc
SSDEEP

196608:GdPvyiyF0MTFYM4iIWU5jxK1ubpzmhvXs0f4IEq3woCtrMBFWms0I1xyqOScCOe:GRvyiyGWMVW0H8d80wIEP1KC0IbyqDTZ

Score

10^/10

blackmoon aspackv2 banker bootkit discovery persistence trojan

Malware Config

Targets

- Target
  
  Butterfly Rome.exe
- Size
  
  896KB
- MD5
  
  6600d3aad5ae54f1c929c73ad76b1a19
- SHA1
  
  e84808a2d71e084fce9406163b0008c5e5b2fa6e
- SHA256
  
  e2c98d04803606509f4b7f2fb612c00a8b4550cce24966988ddd29168b24b6e6
- SHA512
  
  52ec4266d21e246fa04a63d14fac4c5a18c0d21b5be218c8591377c718dc738cde43835b7b5169b964df976e4548d4d38f1e660702ead7458574bf3d9922044e
- SSDEEP
  
  12288:hEN/CKPbje87uR3Deiw+nB1qjzzHxD2r770yHLe75pfY/6tMIPTohQ17rPKM6I+B:hVUb7+s+B1qTxD2zy7Yitzt1iI+X6JY
Score

10^/10

blackmoon banker discovery trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Data/Rome_Run.dll
- Size
  
  72KB
- MD5
  
  cdcd522c985ea8100163d6c2089f8a88
- SHA1
  
  af7432c8e766e6abf6058f8c6b1dd3524009c3a5
- SHA256
  
  7c12fd6361c5f8056544064aa9d8e7b16b2c94aefd425d6503b422f02c747cef
- SHA512
  
  6a62ad0401e9900378b9190bce1808059580013339c40d6281d8136bba89624ede27627acd76316940a1a5d46fc9f5a0e60471cb8c236bb9e73716b16eff85d7
- SSDEEP
  
  768:EmNfLTOwkCTw6CzVYVRAGFOtTfHd8YagLnMdwiB9RVFlvzcttoan8j:E+fLTOwg6Vxy6YagYdl7ktpI
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Data/Rome_Win.dll
- Size
  
  656KB
- MD5
  
  ffffa4b0ace87f3c416cf679b0d0683b
- SHA1
  
  34b40a72c7d3095f2e063bcad98fe84bd7b308da
- SHA256
  
  ceb837c0597de46c2bea8f388d6c385ccb2fd6711134af6ad3a895b61c756531
- SHA512
  
  6f3888123975b06b9a36b4dbd162fe9c740b340d91b9bba90f0f371fc38906778680122111391150680e01c9b6b287d63705c36826a5e7e1641c35e00cf6a593
- SSDEEP
  
  6144:xqLTino/yo/v0iumhlL54RBZgKZqg8NsO+YV2ThHkJcK+gULjK+/S:xuEon0iumj4m+Od2FEJ5+KCS
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  Rome_App.dll
- Size
  
  168KB
- MD5
  
  5aad9b83cc793d66751aabea4274d503
- SHA1
  
  cacbc4f7d5ac14559cc6b44e1cca8b44b49756a3
- SHA256
  
  7939a60d00701bf58e397eac4cdc95b643b5babc970ccee2d65f4a24e58cbafe
- SHA512
  
  928905fc926fbf0aa7aca87c311fb0e0a288d982712ee7c12c2edc148238504a4c479d5d8278e9fd38579bdd3e80da65bfc386dd9e39d54ec4031f4354f5403e
- SSDEEP
  
  3072:gl4nDbfagCqKZk5yY/FAnrH/RF897K+f654X8QeiUcZjdN5hxMQ78A0Z+:gl4nDWgRAkPFyrHZFRvixlthxMQ78A0E
Score

10^/10

blackmoon banker discovery trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
behavioral7 behavioral8
- Target
  
  Sbot/Data.dll
- Size
  
  38B
- MD5
  
  3d5dc22e1da9d1d9028c030f93d95652
- SHA1
  
  a2a3bae58691069c0d34bbeb3a100cd371797de9
- SHA256
  
  35faef55a5db24a511626a491765c370264b2b2fa01f03857ebadd19aab66d7c
- SHA512
  
  a881ae28cd2fc08a3945c1ec65bdc04900e50d5d3ee50ee6d9c5dda973d9a079a0d81242e12f8d7dd1c10e708c693dab7d91173dccc10293ecbd267a806e9ae2
Score

1^/10
behavioral10 behavioral9
- Target
  
  Sbot/OgreMain.dll
- Size
  
  3.0MB
- MD5
  
  177af971432091d89c66f94a7022a0f3
- SHA1
  
  93c6ef193aa4f233846c7daa6afe353b8c6d364c
- SHA256
  
  b7200270899571de9b03e2082174e7dfa7ea3e1b042741918df8cfaef0a62c38
- SHA512
  
  bcd0fd5473bf43c766fd08d859ed14d3b1e97ed3ebe516ead5cbbf65db143c68d5bfcf49153994efea5359f65245c4b7f280914a4d84caaf57744a6be875ad9c
- SSDEEP
  
  49152:J58K0zRiN21U92fdXJZDb/f7JTQMAadIdhZ:l0zC92tzf/a
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Sbot/RomeBotbin.exe
- Size
  
  538KB
- MD5
  
  78e148ec361dd6a40c082e90c03d8fb3
- SHA1
  
  6a3b3811e68b7f50424daa91b5d69db312b4253b
- SHA256
  
  49cb39c6522370d0f9c61d0259d2520cbe8cc3e9b77ee4046a53a14647297d35
- SHA512
  
  0d415ae92acb9cc45c39dd1a11ad8d22dcf8ac872ed45404ced7d90eb5beed228a4f94ee9fb66d5d9a9b926b5f60df989699e23f2223399fc8fbe0e4ec864c76
- SSDEEP
  
  6144:kU6klBRWK/w/YJxxugapONe9UCgRHsDL7vFEvR3cGzW5Q7ATBmRSIPG7OEhmy3yb:kU6bCzJSDpvaCgWDLE3DoQ7ATo8JW
Score

6^/10

bootkit discovery persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral13 behavioral14
- Target
  
  Sbot/RomeBotdat.exe
- Size
  
  67KB
- MD5
  
  34ee972bbfc3631e733c5f84f55d939d
- SHA1
  
  b41c9cb324b3c46b0ac4ef75b3283ba2809ee9ea
- SHA256
  
  c79cbaf1814c15fa2649d66c286612847b8285d246330c7d733b1f492538c3bc
- SHA512
  
  6a4004b495ea89b64c8e4244dfd8401295a5dcfd67f4966298945a268ea13b5acb0c7cfeeb2d8cb91d53e8a771561c11f9352d1b566bcf162e39af0529248b32
- SSDEEP
  
  1536:MfaB1oVKLXy9orTFvvPJ/BnPoYZHeOMchrlGrrNbsOcxZBA:MfaB1oMXy9orT9vh/FPrHeRQl7OcxZG
Score

6^/10

bootkit discovery persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral15 behavioral16
- Target
  
  Sbot/libeay32.dll
- Size
  
  993KB
- MD5
  
  c95db14994862f84df1c1825710d1a99
- SHA1
  
  a8006af9bd5590280f1d7614f146d2b01cb6cfeb
- SHA256
  
  268010e5a84440842e5e4df115c4394f20f4353e57577665d4a4ba45e58f7fec
- SHA512
  
  bbbc3473540294de9bcbd2bf1b919df68662ae950980c79ae89fa5a1ff8e6fb63a35af3020f79e02d0bf7e1806c536adda0c1359a9d80edab2ae3c88c7199f18
- SSDEEP
  
  12288:gROiZOS7d9U/m0gYToxupBwaW7awxyBtIYmPNpcs7BEgEXXzwiSV8W9pi+J0moP5:ZdToxup6xcwNOgEXXzwiYpppymoPqk
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  Sbot/msvcp90.dll
- Size
  
  556KB
- MD5
  
  4c39358ebdd2ffcd9132a30e1ec31e16
- SHA1
  
  70ac82988285f9f7069faa9a0612aeba7fb001c4
- SHA256
  
  06918cf99ad26cd6cf106881c0d5bdb212dc0bac4549805c9f5906e3d03d152c
- SHA512
  
  eb5348d2f258767281fe954d45999bd6eb7af61411ea3a5c63fcdafc83e487cee51e1dfe2d86590243b21f6a135e0dd5116e66b0f22cf0937bd147e54a1df391
- SSDEEP
  
  12288:66FE340h3e34GVZQACkILYhUgiW6QR7t5183Ooc8SHkC2ePgAfX:66h0h3e3vgzLA83Ooc8SHkC2ePgAfX
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  Sbot/msvcr90.dll
- Size
  
  637KB
- MD5
  
  cdbe9690cf2b8409facad94fac9479c9
- SHA1
  
  4bcdfe2c1b354645314a4ce26b55b2b1a0212db9
- SHA256
  
  8e7fe1a1f3550c479ffd86a77bc9d10686d47f8727025bb891d8f4f0259354c8
- SHA512
  
  9c84ed9a66ce20a22e14fa00c1a0db716133f7b2450a3c0d20b1dcf74e030337c4c6a4953e40e10fc94706dc607236e773ba8999b21bd6e072ab24a487e8f942
- SSDEEP
  
  12288:phr4UC+Yu/A0BI4yWkoGKJwZ9axKmhYTMAO7wFVjCUmRyybD:tYfyZFGKJjxKmhSMABnCUmRyybD
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  Sbot/svrbase.dll
- Size
  
  1.2MB
- MD5
  
  77a69b9516fba32fc7010d2c5ca63e34
- SHA1
  
  0368e529022122be77f3645beb183ff8adf1656b
- SHA256
  
  353bb66423c33afd7fab7f044b1c4b60784112a8bb147c096bf91119fc45deb0
- SHA512
  
  a59a8c092e6e78dc3c44389608ad47714dd2e669c1b09a31a925562c67924a0be4a6c415df264a015e6918286c42b92e9deeab13b7da62c89e9378985e28f810
- SSDEEP
  
  12288:ohU4LhmB0uRJezi1OTz95BQyX3fdQ3YQTUSS8eBsNYazhM4pPLt:ozE288TS6aYQTUseB4YavDt
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  Sbot/svrcom.dll
- Size
  
  235KB
- MD5
  
  a1db857053b218ba55bff319668d6b1d
- SHA1
  
  4e7e60c035eccbef8edc7ea6ad1a2bbb76b09d42
- SHA256
  
  86308bb0182661bab0e7fcb433862b303dff7d52a99b1e4b9053ef4adfaa4d79
- SHA512
  
  579f4c304da4b3180d96c4b165763f1afa50d5466f6d856873bfe1450636b953050ffbf460a7cd6e3bf655ef9c430e4cf52cf4c67834c192d791e7344ec18100
- SSDEEP
  
  6144:YpSGPm8z5BUrSHOgOzIARXKStGJzumOtQZgclFoHDxXLiMT7iyIcyXdNQm6OXfwy:Y0GPm8zvvOg1ma
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  Sbot/svrfun.dll
- Size
  
  875KB
- MD5
  
  c0472b390cf0775f1738c82f85cd59ad
- SHA1
  
  69c813227d0b2d850f0fb7e2f1f9f955f67c4574
- SHA256
  
  b64a6962f1ad1f8c5633a2bffa005e167e232a3357f741aa144e055ba1d28e64
- SHA512
  
  e870f75f5901272e82aa795fd9f81d0f4072c6856f969eafd57155c021456e3ad2e82c4abe03b491dee68fc22e49bff751c5aca5c5f56c0b550e2ad12eb00397
- SSDEEP
  
  12288:HHKBBLvyDizaxb8hP+zItguy0zPm38rMn+ATUVf91c:HkBLviizaxb8hP+zuQOPm3qmFel1
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  Updater.exe
- Size
  
  788KB
- MD5
  
  54512284079f199eb721e45750c067bf
- SHA1
  
  508804cbbb6709448d0b9d6631228df532a7039e
- SHA256
  
  0797b670fedbf272ae572e07dd6e8bcd14b32d67e4ee6c2379a70401c8a1b681
- SHA512
  
  0829d30a7cd406b0891b6752a8219d8a0227a2f15ff69025cf1ce5f2dce2d2e601a79b761ff25b070b0d59d7a443efffacf651e98ab045c66efa0912d42c612e
- SSDEEP
  
  12288:YLUeTuA3QZJ/RV6jV3VIpL8RD5OgmLhUqF:YtuaS/D6jVFNRhmtUqF
Score

3^/10

discovery
behavioral29 behavioral30

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerdiscoverytrojan

behavioral2

blackmoonbankerdiscoverytrojan

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

blackmoonbankerdiscoverytrojan

behavioral8

blackmoonbankerdiscoverytrojan

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

bootkitdiscoverypersistence

behavioral14

bootkitdiscoverypersistence

behavioral15

bootkitdiscoverypersistence

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30