blackmoon | afd487d97fe9ced72ff2863a96065b22d8e3a63d6d541d222123780a624dc147 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

afd487d97f...7N.exe

windows7-x64

afd487d97f...7N.exe

windows10-2004-x64

Sharing

General

Target

afd487d97fe9ced72ff2863a96065b22d8e3a63d6d541d222123780a624dc147N
Size

1.8MB
Sample

241001-wxzz4stepr
MD5

260278864373e02d00d4fe2f044175a0
SHA1

543f5007aa2de1a6e5cedfc0ead26c7e6ecb1875
SHA256

afd487d97fe9ced72ff2863a96065b22d8e3a63d6d541d222123780a624dc147
SHA512

42c6b2e721007ccec31df85a491612ca624167234ba485f8d09fb5951d1e52e122ef2688211c48c816b466f615070fdb6cddebb1d7bf2646270160c58111848d
SSDEEP

24576:rr0TxazTID9UhQtRlA6Jz7kzSRciXSD3FbbBN/IyZJbOOEHqBh3SWgSklWNyU:rZzED7tRX8SWwWpNN/IyjEOBST1WNyU

Score

10^/10

blackmoon banker discovery persistence privilege_escalation trojan upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

afd487d97fe9ced72ff2863a96065b22d8e3a63d6d541d222123780a624dc147N.exe

Resource

win7-20240903-en

blackmoon banker discovery persistence privilege_escalation trojan upx

windows7-x64

13 signatures

120 seconds

Behavioral task

behavioral2

Sample

afd487d97fe9ced72ff2863a96065b22d8e3a63d6d541d222123780a624dc147N.exe

Resource

win10v2004-20240802-en

blackmoon banker discovery persistence privilege_escalation trojan upx

windows10-2004-x64

13 signatures

120 seconds

Malware Config

Targets

- Target
  
  afd487d97fe9ced72ff2863a96065b22d8e3a63d6d541d222123780a624dc147N
- Size
  
  1.8MB
- MD5
  
  260278864373e02d00d4fe2f044175a0
- SHA1
  
  543f5007aa2de1a6e5cedfc0ead26c7e6ecb1875
- SHA256
  
  afd487d97fe9ced72ff2863a96065b22d8e3a63d6d541d222123780a624dc147
- SHA512
  
  42c6b2e721007ccec31df85a491612ca624167234ba485f8d09fb5951d1e52e122ef2688211c48c816b466f615070fdb6cddebb1d7bf2646270160c58111848d
- SSDEEP
  
  24576:rr0TxazTID9UhQtRlA6Jz7kzSRciXSD3FbbBN/IyZJbOOEHqBh3SWgSklWNyU:rZzED7tRX8SWwWpNN/IyjEOBST1WNyU
Score

10^/10

blackmoon banker discovery persistence privilege_escalation trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerdiscoverypersistenceprivilege_escalationtrojanupx

behavioral2

blackmoonbankerdiscoverypersistenceprivilege_escalationtrojanupx

© 2018-2025

Terms | Privacy