blackmoon | 3383dcb4e24256d7277476240fcd4c0ddab068354a593b7fa44e34747bc7ba4d | Triage

Submit
Reports

Overview

overview

Static

static

3

3383dcb4e2...4d.exe

windows7-x64

3383dcb4e2...4d.exe

windows10-2004-x64

Sharing

General

Target

3383dcb4e24256d7277476240fcd4c0ddab068354a593b7fa44e34747bc7ba4d
Size

8.5MB
Sample

250218-fnckfsxnbp
MD5

2456624627e25858a55bdb10ac4381b1
SHA1

5df9d74ad18539339fc07d66b402a8df44f7e56a
SHA256

3383dcb4e24256d7277476240fcd4c0ddab068354a593b7fa44e34747bc7ba4d
SHA512

5acc9bc8dcf2d5cd61453529485da91a15ce755904ac22733efa3d11dac3ab74f1422d3a221d972866b08ddd88e39cb7ee6432e0b5d7ce2135096523864c2043
SSDEEP

196608:u709N4/sdRcT/thkgEjn0bxB/OyAr9UPz3kjmzqd:b9N4/sdRcTlzP+03Q

Score

10^/10

blackmoon banker defense_evasion discovery persistence privilege_escalation trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

3383dcb4e24256d7277476240fcd4c0ddab068354a593b7fa44e34747bc7ba4d.exe

Resource

win7-20241010-en

blackmoon banker defense_evasion discovery persistence privilege_escalation trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

3383dcb4e24256d7277476240fcd4c0ddab068354a593b7fa44e34747bc7ba4d.exe

Resource

win10v2004-20250217-en

blackmoon banker defense_evasion discovery persistence privilege_escalation trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Targets

- Target
  
  3383dcb4e24256d7277476240fcd4c0ddab068354a593b7fa44e34747bc7ba4d
- Size
  
  8.5MB
- MD5
  
  2456624627e25858a55bdb10ac4381b1
- SHA1
  
  5df9d74ad18539339fc07d66b402a8df44f7e56a
- SHA256
  
  3383dcb4e24256d7277476240fcd4c0ddab068354a593b7fa44e34747bc7ba4d
- SHA512
  
  5acc9bc8dcf2d5cd61453529485da91a15ce755904ac22733efa3d11dac3ab74f1422d3a221d972866b08ddd88e39cb7ee6432e0b5d7ce2135096523864c2043
- SSDEEP
  
  196608:u709N4/sdRcT/thkgEjn0bxB/OyAr9UPz3kjmzqd:b9N4/sdRcTlzP+03Q
Score

10^/10

blackmoon banker defense_evasion discovery persistence privilege_escalation trojan
- Blackmoon family
  blackmoon
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Adds policy Run key to start application
  persistence
- Modifies Windows Firewall
  defense_evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

behavioral2

blackmoonbankerdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

© 2018-2025

Terms | Privacy