blackmoon | 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434

General

Target

640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
Size

1.4MB
MD5

fad7d45230c31489338a62901c686c1a
SHA1

727f07676418a9edd681ebd5eea67ba65692ae04
SHA256

640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434
SHA512

4afacc3f4968cbecebf1aac694ae33d00d210847a8dafa51b105a4c290ace1666965b5372c49d26177f3e440590bddf1ba18c14b186c42473a46df1af3a5f88f
SSDEEP

24576:+4PetDoqzEVx6Qnq7NDsj1TxC0vr3fyx+/CMMF5Frw71JlG7NSze+NGzvHtpnP:l+Do1Vx7q76j1VfvTfyx+/CJTe7BoAza

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/5636-51-0x0000000000400000-0x0000000000D52000-memory.dmp	family_blackmoon
behavioral2/memory/5636-52-0x0000000000400000-0x0000000000D52000-memory.dmp	family_blackmoon

Loads dropped DLL 1 IoCs

pid	Process
5636	640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5636-7-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral2/memory/5636-8-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-44-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-48-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-46-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-42-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-40-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-38-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-36-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-34-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-32-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-30-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-28-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-50-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-22-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-16-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-12-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-26-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-24-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-20-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-18-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-14-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-10-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx
behavioral2/memory/5636-9-0x0000000002AC0000-0x0000000002AFF000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5636	640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
Token: SeLockMemoryPrivilege	5636	640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
Token: SeCreateGlobalPrivilege	5636	640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
Token: SeBackupPrivilege	5636	640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
Token: SeRestorePrivilege	5636	640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
Token: SeShutdownPrivilege	5636	640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
Token: SeCreateTokenPrivilege	5636	640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
Token: SeTakeOwnershipPrivilege	5636	640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5636	640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
5636	640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe

C:\Users\Admin\AppData\Local\Temp\640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
"C:\Users\Admin\AppData\Local\Temp\640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Áè¸çE±à³ÌÄ£¿é\malloc\L_mimalloc.dll

Filesize
167KB

MD5
870bf728d1b59132e45ed8cbb6b5d40f

SHA1
589ab4c0be5e06e9d8015d0e090ec4ec763df104

SHA256
2430f87cd3f8ac25bcbbb4d4690294d4c35f948362a2a6d126aa3a5fa4bad80d

SHA512
743a6e774b1e85a14543c5fd8ea9a48b9727655393e70ef4afcf57df12a1b54913b7fe5f376aad76139e78f50859d2f047294bcee30db4b76d5560414d79e818

Download Submit
memory/5636-32-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-52-0x0000000000400000-0x0000000000D52000-memory.dmp

Filesize
9.3MB

Download
memory/5636-7-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/5636-8-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-30-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-48-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-46-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-51-0x0000000000400000-0x0000000000D52000-memory.dmp

Filesize
9.3MB

Download
memory/5636-42-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-40-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-38-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-36-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-1-0x000000000049A000-0x000000000049B000-memory.dmp

Filesize
4KB

Download
memory/5636-34-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-44-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-28-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-50-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-22-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-16-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-12-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-26-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-24-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-20-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-0-0x0000000000400000-0x0000000000D52000-memory.dmp

Filesize
9.3MB

Download
memory/5636-18-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-14-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-10-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download
memory/5636-9-0x0000000002AC0000-0x0000000002AFF000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing