blackmoon | c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa

General

Target

c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe
Size

9.2MB
MD5

d5c582bc6b5df6a26042b51e4a1a49b4
SHA1

df14de77934e91fe8b2d88366eb9cffa92e16f63
SHA256

c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa
SHA512

3b8027314d0b4bfdae8313101caeaf54d53b8ecf255e9cacdb5a48c31b7e9a71831dc547dac8b0772c05bb4902df2116a7fa1283d08c4c61daac05e46e246916
SSDEEP

196608:qQkV+lOBzFnXiMDa1x36Ir7yhs2VFMbEXE6psFkVX0+2qTV2tLUkran:q/+E3SMDWx36gV2VOEXEbFkG+2yV2W2E

Score

10^/10

blackmoon banker discovery persistence trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000024283-22.dat	family_blackmoon

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\3N9fae0dNh = "C:\\Users\\Admin\\AppData\\Roaming\\sbcnvhyrjchx\\0A688t2_4t1s4X5b2\\3N9fae0dNh.exe"	3N9fae0dNh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3N9fae0dNh.exe

Executes dropped EXE 1 IoCs

pid	Process
3716	3N9fae0dNh.exe

Loads dropped DLL 2 IoCs

pid	Process
3716	3N9fae0dNh.exe
3716	3N9fae0dNh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3N9fae0dNh.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
6096	c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe
6096	c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe
636	c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe
636	c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe
3716	3N9fae0dNh.exe
3716	3N9fae0dNh.exe
3716	3N9fae0dNh.exe
3716	3N9fae0dNh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3716	3N9fae0dNh.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3716	3N9fae0dNh.exe
3716	3N9fae0dNh.exe
3716	3N9fae0dNh.exe
3716	3N9fae0dNh.exe
3716	3N9fae0dNh.exe
3716	3N9fae0dNh.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 6096 wrote to memory of 636	6096	c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe	86
PID 6096 wrote to memory of 636	6096	c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe	86
PID 636 wrote to memory of 3716	636	c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe	102
PID 636 wrote to memory of 3716	636	c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe	102
PID 636 wrote to memory of 3716	636	c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe	102

C:\Users\Admin\AppData\Local\Temp\c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe
"C:\Users\Admin\AppData\Local\Temp\c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:6096
- C:\Users\Admin\AppData\Local\Temp\c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe
  C:\Users\Admin\AppData\Local\Temp\c987fb55599273ea6a9a1c213d9bcb431f32f4b645bdcc3c079f6f35005d00fa.exe 410238025E02570271026702700271025E02430266026F026B026C025E0243027202720246026302760263025E0250026D0263026F026B026C0265025E027102600261026C0274026A027B027002680261026A027A025E023202430234023A023A02760230025D02360276023302710236025A023702600230025E0231024C023B02640263026702320266024C026A02--aa`
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Roaming\sbcnvhyrjchx\0A688t2_4t1s4X5b2\3N9fae0dNh.exe
    "C:\Users\Admin\AppData\Roaming\sbcnvhyrjchx\0A688t2_4t1s4X5b2\3N9fae0dNh.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sbcnvhyrjchx\0A688t2_4t1s4X5b2\3N9fae0dNh.exe

Filesize
7.4MB

MD5
8af477438e5479a3a6a5475ddca93587

SHA1
bdab9cacdbd0ed4bb38329f03f6549723094758f

SHA256
5feea43c9aac17639428030969c6f49e920a94ddcf9147abe14788b5ad85cf30

SHA512
ca5ea584a092b98b3e02e87ea462a5dd9fc312a2a76d2d8c1cff1fd3f1cd0e710068ffb25c9f00003c66674b6b255fa272779937e72cbd523ee091c174404fea

Download Submit
C:\Users\Admin\AppData\Roaming\sbcnvhyrjchx\0A688t2_4t1s4X5b2\3N9fae0dNh.txt

Filesize
837B

MD5
ad335bdca51d331c4d8945eb0c544c7b

SHA1
6f63f79c748dcf860452fd0b800e4f5dcba647b2

SHA256
10a45c119feccf50bccafa7c149851fd385bc4e501981221ce4ae61563cbd1ec

SHA512
7356b8e1c52dd55872ae63ee91448235c29c0103b4d03f99be79a075ec1b9d075a9983353449e7401bdde874b0a860371923da75d2887cbfc0117c14f8ce3381

Download Submit
C:\Users\Admin\AppData\Roaming\sbcnvhyrjchx\0A688t2_4t1s4X5b2\tier0.dll

Filesize
279KB

MD5
42843e876a756582005ce00af2d72666

SHA1
d6c83ef842182461259ac89d94d2618adad53950

SHA256
4e9d1adea997c859f7b7bde241c15b7997e08035f4955cf4c64b7d661fa5b346

SHA512
ff847e615a0148bea594e2f614fec643b78ba67a94069ab8078cfbd3ca63ffa6b9d2810b6f6a7fcd82bc480aed3a2c4217b58c9b5307b27eec5607d7573a1034

Download Submit
C:\Users\Admin\AppData\Roaming\sbcnvhyrjchx\0A688t2_4t1s4X5b2\vstdlib.dll

Filesize
532KB

MD5
60579755495513c293b5bb8c5ff9d83f

SHA1
6c4895aa7148d3394921830977aa6f67af2954cb

SHA256
018c2cb427c57517cd857d0d0b8ae92756761ab574493766b94f48ebea323254

SHA512
d327dc0ad9a6f0cee2d3526a677d6beaa7b401d98c6fdfc98ed42aa5c8a772e800d24362e3260107a9fa17901885419893a208debd33524ae9a069c3fe1c300b

Download Submit
memory/636-4-0x0000000140000000-0x0000000141435000-memory.dmp

Filesize
20.2MB

Download
memory/636-6-0x0000000140000000-0x0000000141435000-memory.dmp

Filesize
20.2MB

Download
memory/636-10-0x00007FFFF1CF0000-0x00007FFFF1CF1000-memory.dmp

Filesize
4KB

Download
memory/636-13-0x0000000140000000-0x0000000141435000-memory.dmp

Filesize
20.2MB

Download
memory/636-18-0x0000000140000000-0x0000000141435000-memory.dmp

Filesize
20.2MB

Download
memory/3716-25-0x000000000E750000-0x000000000E837000-memory.dmp

Filesize
924KB

Download
memory/3716-23-0x000000000E750000-0x000000000E837000-memory.dmp

Filesize
924KB

Download
memory/3716-29-0x0000000010400000-0x00000000104EB000-memory.dmp

Filesize
940KB

Download
memory/3716-31-0x0000000010AD0000-0x0000000010C45000-memory.dmp

Filesize
1.5MB

Download
memory/3716-33-0x000000000FCE0000-0x000000000FEF1000-memory.dmp

Filesize
2.1MB

Download
memory/3716-34-0x00000000109D0000-0x0000000010A22000-memory.dmp

Filesize
328KB

Download
memory/6096-9-0x0000000140000000-0x0000000141435000-memory.dmp

Filesize
20.2MB

Download
memory/6096-1-0x0000000140000000-0x0000000141435000-memory.dmp

Filesize
20.2MB

Download
memory/6096-0-0x0000000140000000-0x0000000141435000-memory.dmp

Filesize
20.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads