blackmoon | 699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

699b222667...ee.exe

windows7-x64

699b222667...ee.exe

windows10-2004-x64

Sharing

General

Target

699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe
Size

338KB
Sample

250318-e7tgmsvsdy
MD5

f27c460214d36b81e3ced4e57f5cb5a9
SHA1

6e681c3574c2ea438950f623e7dbe0682c91ce8f
SHA256

699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee
SHA512

a2683741dc79b198134f5c4985e48470a343039fe96c9483aca3c2f5e9e78cb52fb477b2d18e4229595b0ebae93f0454f248f95c04ac8fee8c2b4f53df78d960
SSDEEP

6144:b5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zkXudeh:b5/Q58drihGiLhmGNiZsx0B/zkXoeh

Score

10^/10

blackmoon qqpass banker discovery trojan

Static task

static1

blackmoon qqpass

4 signatures

Behavioral task

behavioral1

Sample

699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe

Resource

win7-20240903-en

blackmoon banker discovery trojan

windows7-x64

10 signatures

300 seconds

Behavioral task

behavioral2

Sample

699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe

Resource

win10v2004-20250314-en

blackmoon banker discovery trojan

windows10-2004-x64

10 signatures

300 seconds

Malware Config

Extracted

Family

qqpass

C2

http://cf.qq.com/act/a20141214luxury/?ADTAG=client.btn.detail

Attributes

url
http://i3.tietuku.com/801db876cdcaa96c.png
user_agent
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Targets

- Target
  
  699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe
- Size
  
  338KB
- MD5
  
  f27c460214d36b81e3ced4e57f5cb5a9
- SHA1
  
  6e681c3574c2ea438950f623e7dbe0682c91ce8f
- SHA256
  
  699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee
- SHA512
  
  a2683741dc79b198134f5c4985e48470a343039fe96c9483aca3c2f5e9e78cb52fb477b2d18e4229595b0ebae93f0454f248f95c04ac8fee8c2b4f53df78d960
- SSDEEP
  
  6144:b5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zkXudeh:b5/Q58drihGiLhmGNiZsx0B/zkXoeh
Score

10^/10

blackmoon banker discovery trojan
- Blackmoon family
  blackmoon
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

blackmoonqqpass

behavioral1

blackmoonbankerdiscoverytrojan

behavioral2

blackmoonbankerdiscoverytrojan

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.