Updated Blackmoon banking Trojan stays focused on South Korean banking customers | Proofpoint
Common Information
Type Value
UUID eeb39c4a-4810-4c92-84d0-e2cff033525b
Fingerprint e4917d48a4684e8f
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 19, 2016, 5:15 p.m.
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 18, 2024, 1:38 a.m.
Headline Updated Blackmoon banking Trojan stays focused on South Korean banking customers
Title Updated Blackmoon banking Trojan stays focused on South Korean banking customers | Proofpoint
Detected Hints/Tags/Attributes 58/3/82
Attributes
Type       #Events  Value
Domain     2        lofter.com
Domain     1        www.hikorea.go.kr
Domain     1        grrrltraveler.com
Domain     370      www.proofpoint.com
File       1018     rundll32.exe
File       51       ipconfig.exe
File       2        zip.tmp
File       1        yqkuz.dll
File       1        pknqy.dll
File       1        ouikm.dll
File       1        uyonu.dll
File       2        sa.exe
File       119      smss.exe
File       5        dll.exe
File       1        ser.exe
File       2127     cmd.exe
Url        1        http://www.hikorea.go.kr/pt/publiccertificate_en.pt
Url        1        http://grrrltraveler.com/countries/asia/korea/expat-life/online-banking-korea
Url        1        http://www.proofpoint.com/us/threat-insight/post/operation-arid-viper-slithers-back-into-view
Url        1        http://www.proofpoint.com/us/threat-insight/post/not-yet-dead
Yara rule  1
rule BLACKMOON_BANKER {
	meta:
		author = "Proofpoint Staff"
		info = "blackmoon update"
	strings:
		$s1 = "BlackMoon RunTime Error:" ascii wide nocase
		$s2 = "\\system32\\rundll32.exe" ascii wide
		$s3 = "cmd.exe /c ipconfig /flushdns" ascii wide
		$s4 = "\\system32\\drivers\\etc\\hosts.ics" ascii wide
	condition:
		all of them
}