blackmoon | dd847b7624e96514b2ee1c6b942867b69e1281d76802244917cda997776d8a2e | Triage

Submit
Reports

Overview

overview

Static

static

1

YH.msi

windows10-ltsc_2021-x64

Sharing

General

Target

YH.msi
Size

13.4MB
Sample

250321-a6y9aa1va1
MD5

e41527007d14c7f084a0b702b283e1e5
SHA1

e51d10f9918816e9f7abbf289ff4f9a271d4f1af
SHA256

dd847b7624e96514b2ee1c6b942867b69e1281d76802244917cda997776d8a2e
SHA512

1aaafc3992bc6a0e57c6316288cf6fbc0ecdb11f78c8eb38cf99a77fd33f834a79727d1cad1eb48be938b0a1733c1b5251430b564968022eac15d9d5979ce999
SSDEEP

196608:pBfMDJ9/wXYZUpMqJsfvgfKJ10PlJc3DN2ZlcLB0kS731:pBfMDJ9+pMq4vcKPElJmZ2/c9A

Score

10^/10

blackmoon fatalrat banker discovery infostealer persistence privilege_escalation rat stealer trojan vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

YH.msi

Resource

win10ltsc2021-20250314-en

blackmoon fatalrat banker discovery infostealer persistence privilege_escalation rat stealer trojan vmprotect

windows10-ltsc_2021-x64

24 signatures

150 seconds

Malware Config

Targets

- Target
  
  YH.msi
- Size
  
  13.4MB
- MD5
  
  e41527007d14c7f084a0b702b283e1e5
- SHA1
  
  e51d10f9918816e9f7abbf289ff4f9a271d4f1af
- SHA256
  
  dd847b7624e96514b2ee1c6b942867b69e1281d76802244917cda997776d8a2e
- SHA512
  
  1aaafc3992bc6a0e57c6316288cf6fbc0ecdb11f78c8eb38cf99a77fd33f834a79727d1cad1eb48be938b0a1733c1b5251430b564968022eac15d9d5979ce999
- SSDEEP
  
  196608:pBfMDJ9/wXYZUpMqJsfvgfKJ10PlJc3DN2ZlcLB0kS731:pBfMDJ9+pMq4vcKPElJmZ2/c9A
Score

10^/10

blackmoon fatalrat banker discovery infostealer persistence privilege_escalation rat stealer trojan vmprotect
- Blackmoon family
  blackmoon
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
  stealer trojan fatalrat
- Fatalrat family
  fatalrat
- Fatal Rat payload
  rat infostealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonfatalratbankerdiscoveryinfostealerpersistenceprivilege_escalationratstealertrojanvmprotect

© 2018-2025

Terms | Privacy