blackmoon | c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8

General

Target

c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
Size

7.5MB
MD5

c88226d44adcffb4dc370b1024561c71
SHA1

44336057920c887f0497abb9db6acc5b517ae5d4
SHA256

c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8
SHA512

4782d3d3f17c203841644a8d061f10a0448cfaae852848ea1a3bf31ba3befe859c4c09d9e0f192d22719f9c2211540f2c220807ef3f91cadd43692a78b1ea1ab
SSDEEP

98304:TPF75Ej5VK+568kTjE5D7R5z8yDB+EM181mGgKvoPc2r6GDNMs1B7X8jEExDrWMl:5+VWA5RbDBBYz6GheAE0MZCCLyUS7NXq

Score

10^/10

blackmoon banker discovery persistence trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 16 IoCs

resource	yara_rule
behavioral1/memory/2388-3-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-18-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-19-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-21-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-103-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-218-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-339-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-448-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-569-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-684-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-805-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-926-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-1047-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-1162-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-1271-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon
behavioral1/memory/2388-1392-0x0000000000400000-0x000000000198F000-memory.dmp	family_blackmoon

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\HOSTS.dz	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
File created	C:\Windows\system32\drivers\etc\hosts.dz	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts.dz	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\DultAbd35Abd\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DultAbd35Abd.sys"	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dult.dll	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2388-4-0x0000000010000000-0x0000000010019000-memory.dmp	upx
behavioral1/memory/2388-9-0x0000000010000000-0x0000000010019000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32.exe	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
File opened for modification	C:\Windows\System32.exe	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2388	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
Token: SeDebugPrivilege	2388	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
Token: SeDebugPrivilege	2388	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
Token: SeDebugPrivilege	2388	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
Token: 1	2388	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2388	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
2388	c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe

C:\Users\Admin\AppData\Local\Temp\c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
"C:\Users\Admin\AppData\Local\Temp\c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\drivers\etc\hosts.dz

Filesize
114B

MD5
40f9e0ee8fe9d23ab654fae5754cb9a6

SHA1
dccae241c87fffe78a4ac7263e68cfcfb1997649

SHA256
3f7907656b67120c440f9eab5fdeb4ec601c1a3cb42165552aa964f87e71619f

SHA512
696b649b518cbd04330216e4f2ed7f37909a4250539c5e78a5a0e3cc038c25880eb105f8500e63ccf92180b1b96e983426b46d566f31386a2857945df2789553

Download Submit
memory/2388-9-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2388-218-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-4-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2388-10-0x00000000004B5000-0x00000000004B6000-memory.dmp

Filesize
4KB

Download
memory/2388-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2388-18-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-19-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-21-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-22-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2388-339-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-3-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-103-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-0-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-448-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-569-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-684-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-805-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-926-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-1047-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-1162-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-1271-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download
memory/2388-1392-0x0000000000400000-0x000000000198F000-memory.dmp

Filesize
21.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads