blackmoon | ab19ec67d7f4c25cb3283618af92d0d41d6eadbf6559675f1de46bd453157fc3 | Triage

Submit
Reports

Overview

overview

Static

static

3

ab19ec67d7...c3.exe

windows7-x64

ab19ec67d7...c3.exe

windows10-2004-x64

Sharing

General

Target

ab19ec67d7f4c25cb3283618af92d0d41d6eadbf6559675f1de46bd453157fc3
Size

10.8MB
Sample

250218-fr76jaxmgx
MD5

ef17bc8d2e2a62dcff54a5e52120aa11
SHA1

6922ab7f37650a5a40033d21fde1e6f5bae11d4b
SHA256

ab19ec67d7f4c25cb3283618af92d0d41d6eadbf6559675f1de46bd453157fc3
SHA512

f88ecd9b197ec6f700aa70beed97fbc80776c5ca072dac1962c262356dc14750854432b756ca47155aef856678b464f28fc8db8481c136024d19696ecbf84b5c
SSDEEP

196608:KIzjaiAU8Fiml9qwXoSqyhxHCQPvLR3/g3bWewesQs/rKd81ek:/WJFiml9qwBHpLxUWeRsQsuduZ

Score

10^/10

blackmoon banker defense_evasion discovery persistence privilege_escalation trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ab19ec67d7f4c25cb3283618af92d0d41d6eadbf6559675f1de46bd453157fc3.exe

Resource

win7-20241010-en

blackmoon banker defense_evasion discovery persistence privilege_escalation trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

ab19ec67d7f4c25cb3283618af92d0d41d6eadbf6559675f1de46bd453157fc3.exe

Resource

win10v2004-20250217-en

blackmoon banker defense_evasion discovery persistence privilege_escalation trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  ab19ec67d7f4c25cb3283618af92d0d41d6eadbf6559675f1de46bd453157fc3
- Size
  
  10.8MB
- MD5
  
  ef17bc8d2e2a62dcff54a5e52120aa11
- SHA1
  
  6922ab7f37650a5a40033d21fde1e6f5bae11d4b
- SHA256
  
  ab19ec67d7f4c25cb3283618af92d0d41d6eadbf6559675f1de46bd453157fc3
- SHA512
  
  f88ecd9b197ec6f700aa70beed97fbc80776c5ca072dac1962c262356dc14750854432b756ca47155aef856678b464f28fc8db8481c136024d19696ecbf84b5c
- SSDEEP
  
  196608:KIzjaiAU8Fiml9qwXoSqyhxHCQPvLR3/g3bWewesQs/rKd81ek:/WJFiml9qwBHpLxUWeRsQsuduZ
Score

10^/10

blackmoon banker defense_evasion discovery persistence privilege_escalation trojan
- Blackmoon family
  blackmoon
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Adds policy Run key to start application
  persistence
- Modifies Windows Firewall
  defense_evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

behavioral2

blackmoonbankerdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

© 2018-2025

Terms | Privacy