blackmoon | 7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4

General

Target

7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exe
Size

2.8MB
MD5

256b36d06da4c27db2b59dbe41b9a830
SHA1

c26a7ac02aeabdb187c41eb23f9d8007a72f4683
SHA256

7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4
SHA512

284f124b724975f83790d28ce9a48d77ef982bfcd703c6c3093785f0ade630b22e24969eb5d8b52bf01c520c4d569e1c2ff8a3f1c5ce4c85aec073713a40789e
SSDEEP

49152:YF+P9VgqrzbfDULyOPtjN/lXekpomFsEB7yOrRBST1WjyP:O+PfRELyOhN/lXe4FsNyOWWP

Score

10^/10

blackmoon banker discovery persistence privilege_escalation trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3068-0-0x0000000000400000-0x000000000070F000-memory.dmp	family_blackmoon
behavioral1/files/0x00080000000120f9-2.dat	family_blackmoon
behavioral1/memory/2628-10-0x0000000000400000-0x000000000070F000-memory.dmp	family_blackmoon
behavioral1/memory/3068-11-0x0000000000400000-0x000000000070F000-memory.dmp	family_blackmoon
behavioral1/memory/2628-33-0x0000000000400000-0x000000000070F000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

XQUJRY.GMYN

pid	Process
2628	XQUJRY.GMYN

Loads dropped DLL 4 IoCs

Processes:

7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exeXQUJRY.GMYN

pid	Process
3068	7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exe
3068	7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exe
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN

Drops file in System32 directory 2 IoCs

Processes:

XQUJRY.GMYN

description	ioc	Process
File created	C:\Windows\SysWOW64\ESPI11.dll	XQUJRY.GMYN
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	XQUJRY.GMYN

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exeXQUJRY.GMYNnetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XQUJRY.GMYN
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

XQUJRY.GMYN

pid	Process
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exeXQUJRY.GMYN

pid	Process
3068	7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exe
3068	7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exe
2628	XQUJRY.GMYN
2628	XQUJRY.GMYN

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exeXQUJRY.GMYN

description	pid	Process	procid_target
PID 3068 wrote to memory of 2628	3068	7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exe	30
PID 3068 wrote to memory of 2628	3068	7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exe	30
PID 3068 wrote to memory of 2628	3068	7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exe	30
PID 3068 wrote to memory of 2628	3068	7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exe	30
PID 2628 wrote to memory of 2676	2628	XQUJRY.GMYN	31
PID 2628 wrote to memory of 2676	2628	XQUJRY.GMYN	31
PID 2628 wrote to memory of 2676	2628	XQUJRY.GMYN	31
PID 2628 wrote to memory of 2676	2628	XQUJRY.GMYN	31

C:\Users\Admin\AppData\Local\Temp\7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exe
"C:\Users\Admin\AppData\Local\Temp\7a5c2e1d536967f68e7a288febc3ccb8cf2b0589e453f2e77f5dd96ad37bc9b4N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\XQUJRY.GMYN
  "C:\Users\Admin\AppData\Local\Temp\XQUJRY.GMYN"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\netsh.exe
    netsh winsock reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ESPI.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
\Users\Admin\AppData\Local\Temp\XQUJRY.GMYN

Filesize
2.8MB

MD5
6180681c47922852a8f7e5eea8a9eb94

SHA1
a7bb04bc69b0f786b8ee89218bad54836928e5fc

SHA256
1c728e43248747d62545a146ca9cf20efeff818f576ac5a55e6eaa0afee28aab

SHA512
5a7a337b86a879fdb209a29abc144ff34ef399e47120d07d03082e5a1eea14101c1eb9c1259dbad8cc510323c4137ff1a912defddb3090d8e0906cf68aa0c35a

Download Submit
memory/2628-10-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2628-33-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3068-0-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3068-9-0x00000000028D0000-0x0000000002BDF000-memory.dmp

Filesize
3.1MB

Download
memory/3068-11-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads