blackmoon | 93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061f

General

Target

93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe
Size

1.6MB
MD5

d65cb0200ab0c58bdac3c83727f8bb00
SHA1

418f7071f1b36c96db4573c6b477de8572af631e
SHA256

93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061f
SHA512

843b4fc6bc7423eb6eac4109e314f88878a483fbf370d54ce4d242297e264703fdcba060c55798ae571517c8711d5f568f531035a612d2bdd071e621f4911eb0
SSDEEP

24576:CrtSzyNr05PcgOzXQleqH7jJ34vNkzU9DbdYrN/IyX5iICqBh3SWgSklWnyu:CY60WXkTjF4veUUrN/IycI7BST1Wnyu

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\FNNMOFF.UGU	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

FNNMOFF.UGU

pid process

2652 FNNMOFF.UGU

pid	process
2652	FNNMOFF.UGU

Loads dropped DLL 2 IoCs

Processes:

93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe

pid	process
2824	93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe
2824	93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exeFNNMOFF.UGU

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FNNMOFF.UGU

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.2345.com/?k744606640"	93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

FNNMOFF.UGU

pid process

2652 FNNMOFF.UGU

pid	process
2652	FNNMOFF.UGU

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exeFNNMOFF.UGU

description	pid	process
Token: SeDebugPrivilege	2824	93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe
Token: SeDebugPrivilege	2652	FNNMOFF.UGU

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exeFNNMOFF.UGU

pid	process
2824	93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe
2824	93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe
2652	FNNMOFF.UGU
2652	FNNMOFF.UGU

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe

description	pid	process	target process
PID 2824 wrote to memory of 2652	2824	93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe	FNNMOFF.UGU
PID 2824 wrote to memory of 2652	2824	93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe	FNNMOFF.UGU
PID 2824 wrote to memory of 2652	2824	93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe	FNNMOFF.UGU
PID 2824 wrote to memory of 2652	2824	93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe	FNNMOFF.UGU

C:\Users\Admin\AppData\Local\Temp\93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe
"C:\Users\Admin\AppData\Local\Temp\93d6b0f5ae6efa4e5bae7c1299bbbc45f56e6fc98e0c920d2c403ed6d1b3061fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\FNNMOFF.UGU
  "C:\Users\Admin\AppData\Local\Temp\FNNMOFF.UGU"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\FNNMOFF.UGU

Filesize
1.6MB

MD5
cfab20af91a9bf185b7e5ffe5f0928dc

SHA1
13ae927af26d4d33b38c97e629b41e695beaf5cf

SHA256
c03fd756b259a7d9a735b0b35f4c81b565be2f0de8c0e72f9ccf8b5e8caa5de3

SHA512
309fdac807195ca81750f802accccf07a7699d94b6cc92a0a9b078b01aac2528d3553d743bf5a1eb602fc83b631f3577200b815844038c1b3336d0f55d18df9b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads