blackmoon | ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346be

General

Target

ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe
Size

9.3MB
Sample

241218-hr45zsyjez
MD5

c65e01412858c22d393532d0395fbab0
SHA1

b491abf5b13c5c76b17be974058cbfce126fda64
SHA256

ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346be
SHA512

10675ca4a9b09817790141743a1ec3f1987b88ae200c700573217245548dc34557aa8be0813887f681dc9c716c1aa3028e99a22933e32fff6045855c89ed92d4
SSDEEP

196608:K2c1uwl1CPwDv3uFhi43v13uFnCPws8S/VW08Sr8lQeY3YgOFmknGzwHIPHd9DPK:KnEwl1CPwDv3uFY43v13uFnCPwa/VW0E

Score

10^/10

Malware Config

Targets

- Target
  
  ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe
- Size
  
  9.3MB
- MD5
  
  c65e01412858c22d393532d0395fbab0
- SHA1
  
  b491abf5b13c5c76b17be974058cbfce126fda64
- SHA256
  
  ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346be
- SHA512
  
  10675ca4a9b09817790141743a1ec3f1987b88ae200c700573217245548dc34557aa8be0813887f681dc9c716c1aa3028e99a22933e32fff6045855c89ed92d4
- SSDEEP
  
  196608:K2c1uwl1CPwDv3uFhi43v13uFnCPws8S/VW08Sr8lQeY3YgOFmknGzwHIPHd9DPK:KnEwl1CPwDv3uFY43v13uFnCPwa/VW0E
Score

10^/10

blackmoon mimikatz banker defense_evasion discovery evasion execution persistence privilege_escalation trojan upx
- Blackmoon family
  blackmoon
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Disables service(s)
  evasion execution
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Mimikatz family
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Indicator Removal: Clear Persistence
  remove IFEO.
  defense_evasion
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Creates a Windows Service
  persistence
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2