blackmoon | a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704

General

Target

a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe
Size

1.8MB
MD5

fd2d3d490ab7f425f93faacaa42bc4ed
SHA1

bcd1ba547349445839d32313a9ee0e6382eb59a4
SHA256

a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704
SHA512

d12c1c73f20814078b81e02d64028ed7776adeda7f4b7671cc9f51d52321e7a4fed311c3599ad6f1fb106abf234d5463c5f117c3a4f36eafe8d7389a27e3474a
SSDEEP

24576:ypqVQjnsmIY7sts7X0TB7CoexKY5JEABpp7fw8tThRBsyeivYqazS8d8JW:nQLIYwK0V7CoYKYDESLw81RyyedqazSi

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/288-30-0x0000000010000000-0x00000000100BC000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
288	Y709x.tmp

Loads dropped DLL 1 IoCs

pid	Process
2052	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2052-0-0x0000000000400000-0x00000000005CE000-memory.dmp	upx
behavioral1/memory/2052-6-0x0000000002290000-0x00000000024C3000-memory.dmp	upx
behavioral1/files/0x0007000000012119-7.dat	upx
behavioral1/memory/288-8-0x0000000000400000-0x0000000000633000-memory.dmp	upx
behavioral1/memory/288-11-0x0000000010000000-0x00000000100BC000-memory.dmp	upx
behavioral1/memory/2052-21-0x0000000000400000-0x00000000005CE000-memory.dmp	upx
behavioral1/files/0x0003000000003d60-23.dat	upx
behavioral1/memory/288-29-0x0000000000400000-0x0000000000633000-memory.dmp	upx
behavioral1/memory/288-30-0x0000000010000000-0x00000000100BC000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\libexdui.dll	Y709x.tmp

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Y709x.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2308	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	taskkill.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2052	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe
2052	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe
288	Y709x.tmp
288	Y709x.tmp
288	Y709x.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 288	2052	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	30
PID 2052 wrote to memory of 288	2052	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	30
PID 2052 wrote to memory of 288	2052	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	30
PID 2052 wrote to memory of 288	2052	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	30
PID 2052 wrote to memory of 2780	2052	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	31
PID 2052 wrote to memory of 2780	2052	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	31
PID 2052 wrote to memory of 2780	2052	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	31
PID 2052 wrote to memory of 2780	2052	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	31
PID 2780 wrote to memory of 2308	2780	cmd.exe	33
PID 2780 wrote to memory of 2308	2780	cmd.exe	33
PID 2780 wrote to memory of 2308	2780	cmd.exe	33
PID 2780 wrote to memory of 2308	2780	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe
"C:\Users\Admin\AppData\Local\Temp\a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\Y709x.tmp
  C:\Users\Admin\AppData\Local\Temp\Y709x.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\kill.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Y709x.tmp

Filesize
939KB

MD5
f5e6973f57e789801d61c21f79ae7557

SHA1
1d9bec01257380375342fc7c3f2b17991dc3feed

SHA256
0480a420611ea5997cc6bced486462249bdd1f7d3c98a79afe73b139acd9cc52

SHA512
69716e010afbdf9d63bf0f158cc1db901f1b678d7f1f4f9c42036cd9df1355d5e5848cc23ffbc108605319f8b66b1b352d0039b675d8e8d96ea357b8fe1fae98

Download Submit
C:\Users\Admin\AppData\Local\Temp\kill.bat

Filesize
480B

MD5
d5178f28f7ca2fde2061128922a5fb15

SHA1
f4049db5c9503091c523a44e3133737c6820ba05

SHA256
78b7382eb80fb7006f35caa6554156fe162d0969d40b9762b6fbd52f9943dae0

SHA512
0a0458b8f3b5b58bb6051ec4e77f1a90aaa94106f683af7bdb12d25c86bbd4b75ab714c95b63a41797c7bf6d36672560886c12c06d34690af800780b68746e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\upmd5.tmp

Filesize
1.8MB

MD5
aca65282fcc8f96d74685ecaccee92b7

SHA1
13ac0111da0c05fe23318628d47b28baef1b97a0

SHA256
3b39ab57b801eb75108155bbaea0708b6a0c88872c7a594c8eeed866e2ce223f

SHA512
4bb2d1e2631c1f31e8d82d322999d9275ef442729b3908d049bbb10b5b1a94058731bb9e835206e07a5504455e8f689edd860990da34a66a91ac594e39e7c244

Download Submit
memory/288-26-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/288-11-0x0000000010000000-0x00000000100BC000-memory.dmp

Filesize
752KB

Download
memory/288-8-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/288-27-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/288-28-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/288-29-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/288-30-0x0000000010000000-0x00000000100BC000-memory.dmp

Filesize
752KB

Download
memory/2052-21-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2052-6-0x0000000002290000-0x00000000024C3000-memory.dmp

Filesize
2.2MB

Download
memory/2052-0-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing