blackmoon | 7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef

General

Target

7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
Size

2.4MB
MD5

db2b3de7653289b73daceea82f7a9885
SHA1

e1ea2c66b43cce3f5041518154c6d5845cd5f8fe
SHA256

7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef
SHA512

7d1381402a16b47b6b4777e2584864a1aa9aff895b97d61728752bf013b7423d44f534d909693df348a829b397dd42ae3323c9a07e3b968e44a199a1fddd84e2
SSDEEP

49152:q7jJjnl9vGhxehGbzzHsPl4/P69BTnh6F8sDGBv4zgoIuVMy:SjJrDvUHst7BTh6F8iGBYgbuV/

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/3944-50-0x0000000000400000-0x00000000008AD000-memory.dmp	family_blackmoon
behavioral2/memory/3944-55-0x0000000000400000-0x00000000008AD000-memory.dmp	family_blackmoon

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3944-0-0x0000000000400000-0x00000000008AD000-memory.dmp	upx
behavioral2/memory/3944-1-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-27-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-37-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-48-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-46-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-17-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-9-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-5-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-11-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-7-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-50-0x0000000000400000-0x00000000008AD000-memory.dmp	upx
behavioral2/memory/3944-51-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3944-55-0x0000000000400000-0x00000000008AD000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4136	NETSTAT.EXE
2308	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4136	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
Token: SeDebugPrivilege	3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
Token: SeDebugPrivilege	3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
Token: SeDebugPrivilege	4136	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 2308	3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe	86
PID 3944 wrote to memory of 2308	3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe	86
PID 3944 wrote to memory of 2308	3944	7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe	86
PID 2308 wrote to memory of 4136	2308	cmd.exe	88
PID 2308 wrote to memory of 4136	2308	cmd.exe	88
PID 2308 wrote to memory of 4136	2308	cmd.exe	88
PID 2308 wrote to memory of 2368	2308	cmd.exe	89
PID 2308 wrote to memory of 2368	2308	cmd.exe	89
PID 2308 wrote to memory of 2368	2308	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe
"C:\Users\Admin\AppData\Local\Temp\7db241aebcab9d3eb19c100dcee414556a6b81636e60bf3a16246743d2880aef.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | findstr "430"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Connections Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Connections Discovery
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- - C:\Windows\SysWOW64\findstr.exe
    findstr "430"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Connections Discovery

1

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3944-0-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3944-1-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-27-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-37-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-49-0x0000000002B90000-0x0000000002D98000-memory.dmp

Filesize
2.0MB

Download
memory/3944-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-46-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-17-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-9-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-11-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-7-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-50-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3944-51-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3944-53-0x0000000002B90000-0x0000000002D98000-memory.dmp

Filesize
2.0MB

Download
memory/3944-55-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing