blackmoon | fb0914093b967639a4935a70c9130a12fa469098b5d28f7d1dee9feb1c166b47

General

Target

fb0914093b967639a4935a70c9130a12fa469098b5d28f7d1dee9feb1c166b47.exe
Size

1.8MB
MD5

11ddb98b97d1a9aaf69085b5961eca69
SHA1

2375082d7f97b5b6088a32e4197a0a0dd97286bc
SHA256

fb0914093b967639a4935a70c9130a12fa469098b5d28f7d1dee9feb1c166b47
SHA512

50219b63433f3da06f6f1896c8aa65f196130deb773c31b5bc40706dc402eeadc546c3012f7535324dabd4164ea2f649b1c6674dc5eb2652b5b40648c63fba09
SSDEEP

24576:HfqMeY3QBhoWYJgIDWAeTkzZ+RkFN/yKBUZZAFDrrqBh3SWgSklWXKBUZd:HneXoWS5ZRN/yKiZEDrKBST1WXKiZd

Score

10^/10

blackmoon banker discovery persistence privilege_escalation trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/4664-0-0x0000000000400000-0x0000000000602000-memory.dmp	family_blackmoon
behavioral2/files/0x000a000000023c0f-3.dat	family_blackmoon
behavioral2/memory/4664-5-0x0000000000400000-0x0000000000602000-memory.dmp	family_blackmoon
behavioral2/memory/2664-20-0x0000000000400000-0x0000000000602000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
2664	XXIT.HSG

Loads dropped DLL 2 IoCs

pid	Process
2664	XXIT.HSG
2664	XXIT.HSG

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ESPI11.dll	XXIT.HSG
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	XXIT.HSG

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb0914093b967639a4935a70c9130a12fa469098b5d28f7d1dee9feb1c166b47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XXIT.HSG

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2664	XXIT.HSG
2664	XXIT.HSG
2664	XXIT.HSG
2664	XXIT.HSG
2664	XXIT.HSG
2664	XXIT.HSG
2664	XXIT.HSG
2664	XXIT.HSG

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4664	fb0914093b967639a4935a70c9130a12fa469098b5d28f7d1dee9feb1c166b47.exe
4664	fb0914093b967639a4935a70c9130a12fa469098b5d28f7d1dee9feb1c166b47.exe
2664	XXIT.HSG
2664	XXIT.HSG

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 2664	4664	fb0914093b967639a4935a70c9130a12fa469098b5d28f7d1dee9feb1c166b47.exe	82
PID 4664 wrote to memory of 2664	4664	fb0914093b967639a4935a70c9130a12fa469098b5d28f7d1dee9feb1c166b47.exe	82
PID 4664 wrote to memory of 2664	4664	fb0914093b967639a4935a70c9130a12fa469098b5d28f7d1dee9feb1c166b47.exe	82
PID 2664 wrote to memory of 2968	2664	XXIT.HSG	83
PID 2664 wrote to memory of 2968	2664	XXIT.HSG	83
PID 2664 wrote to memory of 2968	2664	XXIT.HSG	83

C:\Users\Admin\AppData\Local\Temp\fb0914093b967639a4935a70c9130a12fa469098b5d28f7d1dee9feb1c166b47.exe
"C:\Users\Admin\AppData\Local\Temp\fb0914093b967639a4935a70c9130a12fa469098b5d28f7d1dee9feb1c166b47.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\XXIT.HSG
  "C:\Users\Admin\AppData\Local\Temp\XXIT.HSG"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\netsh.exe
    netsh winsock reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ESPI.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XXIT.HSG

Filesize
1.8MB

MD5
c035e1e4ff574ed99f106d870ef9cdc8

SHA1
facdb6676198973741526172c9a79539ffd64762

SHA256
12334fa25df4e5edea31fa81df0892516e2109164551847e5cb623f17453fe33

SHA512
9a76dcbf20b6745c275eac6795071932b5cd05370ef077940df5d5b95a779fa1ff87e87b49cb36d3cd0381030481de20d65bfdda8b65062ce0835ba3c3297a90

Download Submit
memory/2664-20-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/4664-0-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/4664-5-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads