blackmoon | a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704

General

Target

a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe
Size

1.8MB
MD5

fd2d3d490ab7f425f93faacaa42bc4ed
SHA1

bcd1ba547349445839d32313a9ee0e6382eb59a4
SHA256

a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704
SHA512

d12c1c73f20814078b81e02d64028ed7776adeda7f4b7671cc9f51d52321e7a4fed311c3599ad6f1fb106abf234d5463c5f117c3a4f36eafe8d7389a27e3474a
SSDEEP

24576:ypqVQjnsmIY7sts7X0TB7CoexKY5JEABpp7fw8tThRBsyeivYqazS8d8JW:nQLIYwK0V7CoYKYDESLw81RyyedqazSi

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/4852-25-0x0000000010000000-0x00000000100BC000-memory.dmp	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00050000000006ed-9.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4852	8Gz7g.tmp

Loads dropped DLL 1 IoCs

pid	Process
4852	8Gz7g.tmp

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/780-0-0x0000000000400000-0x00000000005CE000-memory.dmp	upx
behavioral2/files/0x0008000000023cbe-4.dat	upx
behavioral2/memory/4852-6-0x0000000000400000-0x0000000000633000-memory.dmp	upx
behavioral2/files/0x00050000000006ed-9.dat	upx
behavioral2/memory/4852-12-0x0000000010000000-0x00000000100BC000-memory.dmp	upx
behavioral2/memory/780-16-0x0000000000400000-0x00000000005CE000-memory.dmp	upx
behavioral2/files/0x0003000000000719-21.dat	upx
behavioral2/memory/4852-24-0x0000000000400000-0x0000000000633000-memory.dmp	upx
behavioral2/memory/4852-25-0x0000000010000000-0x00000000100BC000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\libexdui.dll	8Gz7g.tmp

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8Gz7g.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1984	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	taskkill.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
780	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe
780	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe
4852	8Gz7g.tmp
4852	8Gz7g.tmp
4852	8Gz7g.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 4852	780	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	85
PID 780 wrote to memory of 4852	780	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	85
PID 780 wrote to memory of 4852	780	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	85
PID 780 wrote to memory of 3004	780	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	86
PID 780 wrote to memory of 3004	780	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	86
PID 780 wrote to memory of 3004	780	a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe	86
PID 3004 wrote to memory of 1984	3004	cmd.exe	88
PID 3004 wrote to memory of 1984	3004	cmd.exe	88
PID 3004 wrote to memory of 1984	3004	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe
"C:\Users\Admin\AppData\Local\Temp\a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\8Gz7g.tmp
  C:\Users\Admin\AppData\Local\Temp\8Gz7g.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kill.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im a15d886922a4db1684ade756c2e8a58a5c522b6bcd45da8ec83227b991195704.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8Gz7g.tmp

Filesize
939KB

MD5
852f6f0410daafbfa6842863fbeb2ae0

SHA1
68add309340b6a1c69001dafe832526fc17917ad

SHA256
0ef9f9ff3420a7d37540a1dd21ebb1c7ccdb9dac9155183071f886f6047b3303

SHA512
eb97639fc8a72ae5dfd08743c5d8c075b6dab54a3a4dd343db23e2a6c82926948be54c20af4222f11fcc9c591a7447d30a5f5ce22d9dfb52e6455ae2ecbf2b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kill.bat

Filesize
480B

MD5
d5178f28f7ca2fde2061128922a5fb15

SHA1
f4049db5c9503091c523a44e3133737c6820ba05

SHA256
78b7382eb80fb7006f35caa6554156fe162d0969d40b9762b6fbd52f9943dae0

SHA512
0a0458b8f3b5b58bb6051ec4e77f1a90aaa94106f683af7bdb12d25c86bbd4b75ab714c95b63a41797c7bf6d36672560886c12c06d34690af800780b68746e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\upmd5.tmp

Filesize
1.8MB

MD5
7787445a3e6ef9372423095643e387b4

SHA1
5791ad3d62299e7c2718148820a9081e238bfc04

SHA256
3393f6d18d5444ff1eb46079a403bb5f9578af9ff044d0a85e2cefd5571a024f

SHA512
20fc4a2d8a534180706470cd66c265e6e37dfde29ea69a1ddc3e7ac5a0ce93ed77841915b9540c07da6553aedef6b8c1ccc849f0e021b6c461586d6c7f71deb0

Download Submit
C:\Windows\libexdui.dll

Filesize
161KB

MD5
4ff2e96ff2a244e7bd637721ed7cd09e

SHA1
252c08bae6706e7e49a92d4b0ab5178c135d73eb

SHA256
3d01a0256d8d78d72f5bc474df68b201ccaaa3eee23f3378cdac1e9f8a6798d9

SHA512
9bfe22bbaa170d577f1e906628858f08d01a0b812e7eae9610ca4e635a4b280d507175863b2596ae61bbbc553cea8c346a7a4eae632ad4d13845aa1a07608d6c

Download Submit
memory/780-16-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/780-0-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4852-12-0x0000000010000000-0x00000000100BC000-memory.dmp

Filesize
752KB

Download
memory/4852-18-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/4852-19-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/4852-20-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/4852-6-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/4852-24-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/4852-25-0x0000000010000000-0x00000000100BC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing