blackmoon | 9a0ada1a757cbb8e6fd982ff45c32bbc90cb223c0237c63a8236eea42c7816a4 | Triage

Submit
Reports

Overview

overview

Static

static

3

9a0ada1a75...a4.exe

windows7-x64

9a0ada1a75...a4.exe

windows10-2004-x64

Sharing

General

Target

9a0ada1a757cbb8e6fd982ff45c32bbc90cb223c0237c63a8236eea42c7816a4
Size

5.7MB
Sample

241220-ztv4javjek
MD5

edba0477f72a054338d81949605d7a29
SHA1

2918a4571fd29eec985a84a5cc75b4e767b3cd7a
SHA256

9a0ada1a757cbb8e6fd982ff45c32bbc90cb223c0237c63a8236eea42c7816a4
SHA512

22c059fc8943eac86c951cdeb7024fe73c78eb67ca08d8dffb1e83a4ce6dcd8132cb1e77631c7c127ee5244cb1430f3d35ae7cf4097f31c1186d4f59ec8850aa
SSDEEP

98304:CIQUKox9wcSXna773xHf+c9dI6ta680w1KO5dszYE4aJUgFs28lCNs:RxlWna5fPxaiO5ZE1JUv284

Score

10^/10

blackmoon banker bootkit discovery evasion persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

9a0ada1a757cbb8e6fd982ff45c32bbc90cb223c0237c63a8236eea42c7816a4.exe

Resource

win7-20240903-en

blackmoon banker bootkit discovery evasion persistence trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

9a0ada1a757cbb8e6fd982ff45c32bbc90cb223c0237c63a8236eea42c7816a4.exe

Resource

win10v2004-20241007-en

blackmoon banker bootkit discovery evasion persistence trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  9a0ada1a757cbb8e6fd982ff45c32bbc90cb223c0237c63a8236eea42c7816a4
- Size
  
  5.7MB
- MD5
  
  edba0477f72a054338d81949605d7a29
- SHA1
  
  2918a4571fd29eec985a84a5cc75b4e767b3cd7a
- SHA256
  
  9a0ada1a757cbb8e6fd982ff45c32bbc90cb223c0237c63a8236eea42c7816a4
- SHA512
  
  22c059fc8943eac86c951cdeb7024fe73c78eb67ca08d8dffb1e83a4ce6dcd8132cb1e77631c7c127ee5244cb1430f3d35ae7cf4097f31c1186d4f59ec8850aa
- SSDEEP
  
  98304:CIQUKox9wcSXna773xHf+c9dI6ta680w1KO5dszYE4aJUgFs28lCNs:RxlWna5fPxaiO5ZE1JUv284
Score

10^/10

blackmoon banker bootkit discovery evasion persistence trojan
- Blackmoon family
  blackmoon
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerbootkitdiscoveryevasionpersistencetrojan

behavioral2

blackmoonbankerbootkitdiscoveryevasionpersistencetrojan

© 2018-2025

Terms | Privacy