{
	"id": "99b6abb8-ab57-4edc-9e70-5acfa30fd0b3",
	"created_at": "2026-04-06T00:09:27.791379Z",
	"updated_at": "2026-04-10T03:22:08.534279Z",
	"deleted_at": null,
	"sha1_hash": "2d1b57be3ea6af32573ebde9c3741cd1b6cc8698",
	"title": "Analysis of BlackMoon (Banking Trojan)'s Evolution, And The Possibility of a Latest Version Under Development",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 955863,
	"plain_text": "Analysis of BlackMoon (Banking Trojan)'s Evolution, And The\r\nPossibility of a Latest Version Under Development\r\nArchived: 2026-04-02 10:39:00 UTC\r\nBlackMoon, also known as KrBanker, is a banking trojan that mainly targets South Korea. I thought this family was dead\r\nsince time ago (around 2016), however these previous days I got a couple of rencent samples that, after unpacking them\r\nand performing a quick analysis, I noticed they were BlackMoon. Virustotal's first submission date for one of these\r\nsamples is 2018-06-18. First submission date for the other one is 2018-11-01. After digging a bit more into this malware\r\nfamily, my conclussion was that probably there is a latest version of BlackMoon that is under development. I explain it in\r\nthis post, that I hope you enjoy.\r\nOriginal Packed Sample: C38E54342CDAE1D9181EC48E94DC5C83\r\nAutomatic Generated Report: PepperMalware Report\r\nVirustotal First Submission: 2018-11-01 07:03:51\r\nUnpacked Banker Module: 4634F4EF94D9A3A0E2FCF5078151ADB2\r\nRelated links: \r\nhttps://unit42.paloaltonetworks.com/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/\r\nhttps://threatpost.com/blackmoon-banking-trojan-using-new-infection-technique/125425/\r\nhttps://community.rsa.com/community/products/netwitness/blog/2017/05/19/the-blackmoon-trojan-framework\r\nhttps://www.fortinet.com/blog/threat-research/over-100-000-south-korean-users-affected-by-blackmoon-campaign.html\r\nhttps://www.fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework\r\n1. Loader\r\n2.1. Packer\r\n2.2. Process Injection\r\n2. Main Module\r\n2.1. Persistence\r\n2.2. Encrypted Strings\r\n3. Evolution\r\n3.1. Encrypted Strings Evolution\r\n3.2. BlackMoon Versions: Latest Version Under Development?\r\n3.3. BinDiff\r\n3.3.1. 2016-03-03 -\u003e 2016-05-05 Statistics\r\n3.3.2. 2016-05-05 -\u003e 2018-06-18 Statistics\r\n3.3.3. 2018-06-18 -\u003e 2018-11-01 Statistics\r\n3.3.4. 
2016-03-03 -\u003e 2016-05-05 Differences\r\n3.3.5. 2016-05-05 -\u003e 2018-06-18 Differences\r\n3.3.5. 2018-06-18 -\u003e 2018-11-01 Differences\r\n4. Conclusions\r\n5. Yara Rules and Scripts\r\nhttps://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html\r\nPage 1 of 16\n\n5.1. BlackMoon Yara Rule\r\n5.2. Script to Extract BlackMoon Encrypted Strings\r\n6. Other notes\r\n6.1. Another sample dated 2018 suspicious of being BlackMoon\r\n1. Loader\r\n1.1. Packer\r\nMost of the analyzed samples's packers are wellknown packers such as PeCompact, Aspack, Fsg or Nspack:\r\nSample  FirstSeen   Packer \r\n 09beec989993806345254ca9adcdb034f8649d8a9633bbe8933a52f5093e8be1  2018-11-01  PeCompact \r\n 80ea86d195bbc4384a1b9a77a2d477e2c4e6dc6d48f3f80447877dbbe41a4e40  2018-06-18  Aspack\r\n2de1e47c650c0a8865ecc7e7b68379ca071062c0873f46a4addb1aa13b8d48dc 2016-03-03  Fsg\r\n5f17cf9aee107458995c434d21263528132b5d0ab8a20121d3de48478ec6c467 2016-02-28  PeCompact\r\n47434c9c2e887ba6f47a31e757b4ac0c0e648dfee9f93e38bd49e1c17f660dcf 2016-03-05  PeCompact\r\n2012486d87dcc3362745c6f8f178b9be5417c595e79c452a20729d2e60ec814b 2016-03-08  Aspack\r\n05afd7bbf6efa14102f72bad0e3a0686af6522b25228ab760ef57e8d6df36ed1 2016-03-05  Fsg\r\n5e1ca094e11b2dcfdd4c729e2eaf1bdfd0ec84067a39f1c3a233bfff1ff6dcb5 2016-03-20  PeCompact\r\n406c50ed0333d2023de55ce798a4e7d5fa6e45df65c16733ef48961e94277807 2016-04-08  Aspack\r\n4844e92d76b2158be2b5468b70e2d0898f9ba2287a02b2b0aa7af2a2113d4970 2016-03-02  PeCompact\r\n7351373a50acbaa4bb3fa622b0573f473289d745ba717551c82abbe398c1c1ff 2016-03-10  Nspack\r\n09a5dc4f9544f7bbc898d205f1e14518606e158f4a7c7126d7eb604ec9ec5c74 2016-04-09  PeCompact\r\n224ead790d3bab7ede11252728d47e21f0d0274767aa3e6a16628e8970a0149f 2016-02-28  PeCompact\r\n00eae37eaaee93b8155e6bad95564c3d95d71e7397653ffcbae4f95614ffa723 2016-05-05  PeCompact\r\n1.2. 
Process Injection\r\nMost of the analyzed samples follow the same strategy, they launch an executable (I think it is choosen randomly) from\r\n%system32% folder and they inject the new process (hollow process). The unpacked code will be executed in the context\r\nof the new process. Some of the executables that we have seen the malware launchs are: wmiprvse.exe, dwwin.exe,\r\ncomp.exe, cacls.exe, etc...\r\nSample  FirstSeen  Hollowed Process\r\nhttps://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html\r\nPage 2 of 16\n\n09beec989993806345254ca9adcdb034f8649d8a9633bbe8933a52f5093e8be1 \r\n2018-11-\r\n01\r\nsystem32\\wmiprvse.exe\r\n 80ea86d195bbc4384a1b9a77a2d477e2c4e6dc6d48f3f80447877dbbe41a4e40 \r\n2018-06-\r\n18\r\nsystem32\\wmiprvse.exe\r\n2de1e47c650c0a8865ecc7e7b68379ca071062c0873f46a4addb1aa13b8d48dc\r\n2016-03-\r\n03\r\nsystem32\\dwwin.exe\r\n5f17cf9aee107458995c434d21263528132b5d0ab8a20121d3de48478ec6c467\r\n2016-02-\r\n28\r\nsystem32\\comp.exe\r\n47434c9c2e887ba6f47a31e757b4ac0c0e648dfee9f93e38bd49e1c17f660dcf\r\n2016-03-\r\n05\r\nsystem32\\comp.exe\r\n2012486d87dcc3362745c6f8f178b9be5417c595e79c452a20729d2e60ec814b\r\n2016-03-\r\n08\r\nsystem32\\cacls.exe\r\n05afd7bbf6efa14102f72bad0e3a0686af6522b25228ab760ef57e8d6df36ed1\r\n2016-03-\r\n05\r\nsystem32\\cacls.exe\r\n5e1ca094e11b2dcfdd4c729e2eaf1bdfd0ec84067a39f1c3a233bfff1ff6dcb5\r\n2016-03-\r\n20\r\nsystem32\\cacls.exe\r\n406c50ed0333d2023de55ce798a4e7d5fa6e45df65c16733ef48961e94277807\r\n2016-04-\r\n08\r\nsystem32\\cacls.exe\r\n4844e92d76b2158be2b5468b70e2d0898f9ba2287a02b2b0aa7af2a2113d4970\r\n2016-03-\r\n02\r\nsystem32\\comp.exe\r\n7351373a50acbaa4bb3fa622b0573f473289d745ba717551c82abbe398c1c1ff\r\n2016-03-\r\n10\r\nsystem32\\cacls.exe\r\n09a5dc4f9544f7bbc898d205f1e14518606e158f4a7c7126d7eb604ec9ec5c74\r\n2016-04-\r\n09\r\nsystem32\\cacls.exe\r\n224ead790d3bab7ede11252728d47e21f0d0274767aa3e6a16628e8970a0149f\r\n2016-02-\r\n28\r\nsystem32\\comp.exe\r\n2. Main Module\r\n2.1. 
Persistence\r\nThe malware installs itself under a HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run's subkey. For most of\r\nthe older samples, the run subkey is a 8-length combination of lowercase and uppercase letters and numbers. However the\r\nanalyzed samples that date 2018, install themself in the subkey with fixed name 000C29FC2AB3.\r\nhttps://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html\r\nPage 3 of 16\n\nSample First Seen Run Subkey\r\n09beec989993806345254ca9adcdb034f8649d8a9633bbe8933a52f5093e8be1 2018-11-01 000C29FC2AB3\r\n80ea86d195bbc4384a1b9a77a2d477e2c4e6dc6d48f3f80447877dbbe41a4e40 2018-06-18 000C29FC2AB3\r\n2de1e47c650c0a8865ecc7e7b68379ca071062c0873f46a4addb1aa13b8d48dc 2016-03-03 06iSwa6C\r\n5f17cf9aee107458995c434d21263528132b5d0ab8a20121d3de48478ec6c467 2016-02-28 kC6MOsu8\r\n47434c9c2e887ba6f47a31e757b4ac0c0e648dfee9f93e38bd49e1c17f660dcf 2016-03-05 R3tP5nj1\r\n2012486d87dcc3362745c6f8f178b9be5417c595e79c452a20729d2e60ec814b 2016-03-08 66qscw4Q\r\n05afd7bbf6efa14102f72bad0e3a0686af6522b25228ab760ef57e8d6df36ed1 2016-03-05 W60u80qO\r\n5e1ca094e11b2dcfdd4c729e2eaf1bdfd0ec84067a39f1c3a233bfff1ff6dcb5 2016-03-20 uki4Kk2o\r\n406c50ed0333d2023de55ce798a4e7d5fa6e45df65c16733ef48961e94277807 2016-04-08 35V5Bj9b\r\n4844e92d76b2158be2b5468b70e2d0898f9ba2287a02b2b0aa7af2a2113d4970 2016-03-02 AAAC2kY8\r\n7351373a50acbaa4bb3fa622b0573f473289d745ba717551c82abbe398c1c1ff 2016-03-10 1Lf9Tn7B\r\n09a5dc4f9544f7bbc898d205f1e14518606e158f4a7c7126d7eb604ec9ec5c74 2016-04-09 5jNh7p11\r\n224ead790d3bab7ede11252728d47e21f0d0274767aa3e6a16628e8970a0149f 2016-02-28 j3pVbRJ5\r\n00eae37eaaee93b8155e6bad95564c3d95d71e7397653ffcbae4f95614ffa723 2016-05-05 000C29FC2AB3\r\nCuriously, the sample 00eae37eaaee93b8155e6bad95564c3d95d71e7397653ffcbae4f95614ffa723 that dates 2016-05-05\r\n(from the older samples, one of the newest), installs itself under the same subkey 000C29FC2AB3.\r\nIn addition, these samples that create the subkey with name 
000C29FC2AB3, they create a mutex named M_Test too\r\n(the other samples don't create this mutex).\r\n2.2. Encrypted Strings\r\nMost of the important strings of BlackMoon are encrypted.\r\nHere is a capture of the code responsible for decrypting the strings from the\r\nsample 09beec989993806345254ca9adcdb034f8649d8a9633bbe8933a52f5093e8be1:\r\nhttps://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html\r\nPage 4 of 16\n\nTo compose the definitive key that the malware uses to decrypt the strings, it carries an string that is the first part of the\r\nkey, and then it appends 6 additional characters to that first part of the key. In the capture, the definitive key to be used\r\nwould be \"7ac13b3aa82136afa3090c5137B8a195\".\r\nEncrypted strings are like this:\r\nThe algorithm used to decrypt each string is rc4(unhexlify(rc4(unhexlify(encrypted_string), key)), key):\r\nhttps://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html\r\nPage 5 of 16\n\n3. Evolution\r\n3.1. Encrypted Strings Evolution\r\nWe have extracted the strings from samples from different dates, to compare them:\r\nDate 2016-02-28:\r\nSample 5f17cf9aee107458995c434d21263528132b5d0ab8a20121d3de48478ec6c467:\r\nDate 2016-03-03:\r\nSample 2de1e47c650c0a8865ecc7e7b68379ca071062c0873f46a4addb1aa13b8d48dc:\r\n \r\nDate 2016-05-05:\r\nSample 00eae37eaaee93b8155e6bad95564c3d95d71e7397653ffcbae4f95614ffa723:\r\nDate 2018-06-18:\r\nSample 80ea86d195bbc4384a1b9a77a2d477e2c4e6dc6d48f3f80447877dbbe41a:\r\nDate 2018-11-01:\r\nSample 09beec989993806345254ca9adcdb034f8649d8a9633bbe8933a52f5093e:\r\nIn the section 2.1 (about persistence), we had already noticed that most of the samples from 2016 create a 8 bytes length\r\nsubkey under the registry \\Run key, with a combination of lowercase and uppercase letters and numbers. \r\nHowever a sample dated 2016-05-05 and the newer samples dated 2018 create a subkey under \\Run with\r\nname 000C29FC2AB3. 
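The indicators collected so far (the hollowed system32 binaries of section 1.2, the Run entry names of section 2.1 and the M_Test mutex) can be turned into a triage check. The Python 3 script below is an added example written for this page, not code from the original post. It runs over constructed events modelled on Sysmon process-create and registry-value-set records (the mutex record stands in for a handle listing, since Sysmon does not log mutexes). The parent-process expectation for WmiPrvSE.exe (normally started by the DcomLaunch svchost.exe), the user-writable directory list and the severities are my assumptions. Two caveats are built in: the 8-character regex for the 2016 names also matches ordinary names such as OneDrive, so it never scores above low; and because 000C29FC2AB3 is shaped like a MAC address whose first three bytes 00:0C:29 are a VMware OUI, while the version 2 strings include a VBScript MACAddress() function, the check treats any 12-hex-digit Run name as a possible variant and only scores it high when it equals the host MAC supplied by the caller (an inference from this post's data, not something the post states).

```python
import re
from pathlib import PureWindowsPath

# Indicators from this post: the system32 binaries the loaders hollow (section 1.2), the fixed
# Run entry name and the mutex of the version-2 samples (sections 2.1 and 3.2).
HOLLOW_TARGETS = {'wmiprvse.exe', 'dwwin.exe', 'comp.exe', 'cacls.exe'}
V2_RUN_VALUE = '000C29FC2AB3'
V2_MUTEX = 'M_Test'
# 2016 samples: 8 characters mixing lower-case letters with upper-case letters or digits. A
# heuristic only; it also matches plenty of benign names, so it never scores above low.
V1_RUN_VALUE_RE = re.compile('^(?=.*[a-z])(?=.*[A-Z0-9])[A-Za-z0-9]{8}$')
# Inference, not stated in the post: 000C29FC2AB3 is MAC-shaped and 00:0C:29 is a VMware OUI, so
# on another host the version-2 entry may carry that host's own MAC address instead.
MAC_SHAPED_RE = re.compile('^[0-9A-F]{12}$')
# Assumption: path components of directories an unprivileged user can write to.
USER_WRITABLE_MARKERS = ('/users/', '/appdata/', '/temp/', '/programdata/', '/downloads/')


def is_user_writable(path):
    # PureWindowsPath accepts either separator; normalise to forward slashes and lower case.
    p = '/' + PureWindowsPath(path).as_posix().lower() + '/'
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def basename(path):
    return PureWindowsPath(path).name.lower()


def triage(events, host_mac=None):
    # events: dicts modelled on Sysmon EventID 1 (Image, ParentImage) and EventID 13 (TargetObject)
    # fields, plus mutex records from a handle listing. Returns (event index, severity, reason).
    findings = []
    for idx, ev in enumerate(events):
        kind = ev['type']
        if kind == 'process_create':
            image, parent = basename(ev['image']), basename(ev['parent_image'])
            if image not in HOLLOW_TARGETS:
                continue
            if is_user_writable(ev['parent_image']):
                findings.append((idx, 'high', f'{image} started by {parent} from a user-writable path (hollowing target)'))
            elif image == 'wmiprvse.exe' and parent != 'svchost.exe':
                # Assumption: WmiPrvSE.exe is normally launched only by the DcomLaunch svchost.exe.
                findings.append((idx, 'medium', f'wmiprvse.exe started by {parent} instead of svchost.exe'))
        elif kind == 'registry_set':
            target = PureWindowsPath(ev['target'])
            if tuple(p.lower() for p in target.parts[-3:-1]) != ('currentversion', 'run'):
                continue
            name = target.name
            if name == V2_RUN_VALUE or (host_mac and name.upper() == host_mac.upper()):
                findings.append((idx, 'high', f'Run entry {name}: version-2 name or this host MAC address'))
            elif MAC_SHAPED_RE.match(name):
                findings.append((idx, 'medium', f'Run entry {name}: MAC-shaped name, possible version-2 entry written on another host'))
            elif V1_RUN_VALUE_RE.match(name):
                findings.append((idx, 'low', f'Run entry {name}: 8-character random-looking name as in the 2016 samples'))
        elif kind == 'mutex' and ev['name'] == V2_MUTEX:
            findings.append((idx, 'medium', f'mutex {V2_MUTEX} present (created by the version-2 samples)'))
    return findings


# Constructed events (not real telemetry). Forward slashes keep the listing free of escaping;
# real Sysmon fields with backslashes parse the same way.
SAMPLE_EVENTS = [
    {'type': 'process_create', 'image': 'C:/Windows/System32/wmiprvse.exe', 'parent_image': 'C:/Users/bob/AppData/Local/Temp/invoice.exe'},
    {'type': 'process_create', 'image': 'C:/Windows/System32/wmiprvse.exe', 'parent_image': 'C:/Windows/System32/svchost.exe'},
    {'type': 'process_create', 'image': 'C:/Windows/System32/cacls.exe', 'parent_image': 'C:/Windows/System32/cmd.exe'},
    {'type': 'process_create', 'image': 'C:/Windows/System32/comp.exe', 'parent_image': 'C:/Users/bob/Downloads/setup.exe'},
    {'type': 'process_create', 'image': 'C:/Windows/System32/wmiprvse.exe', 'parent_image': 'C:/Windows/explorer.exe'},
    {'type': 'registry_set', 'target': 'HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/000C29FC2AB3'},
    {'type': 'registry_set', 'target': 'HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/000C29AA1122'},
    {'type': 'registry_set', 'target': 'HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/06iSwa6C'},
    {'type': 'registry_set', 'target': 'HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/OneDrive'},
    {'type': 'registry_set', 'target': 'HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/SecurityHealth'},
    {'type': 'mutex', 'name': 'M_Test'},
]


if __name__ == '__main__':
    for idx, severity, reason in triage(SAMPLE_EVENTS, host_mac='000C29AA1122'):
        print(f'[{severity}] event {idx}: {reason}')
```

The cacls.exe started by cmd.exe and the WmiPrvSE.exe started by svchost.exe produce nothing, which is the point of scoring on the parent rather than on the hollowed binary alone: these are ordinary system executables, and only their launch context separates the hollowed instance from a legitimate one.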
\r\nThese samples also create a mutex named M_Test (the 2016 samples do not).\r\nIf we look at the lists of strings, the sample dated 2016-05-05 and the samples dated 2018 all have similar\r\nlists of encrypted strings, ordered in a similar way (though not totally identical).\r\nThe other samples dated 2016 contain a different list of strings, identical among themselves but different from the lists of the\r\nsamples dated 2018.\r\n3.2. BlackMoon Versions: Latest Version Under Development?\r\nBearing in mind the IoCs collected in the previous sections, we can conclude that there is a first version of BlackMoon,\r\nwhose samples are dated around 2016, and another version that could be under development, of which we\r\nhave one sample dated 2016-05-05 and two dated 2018-06 and 2018-11.\r\nVersion 1:\r\nPersistence: 8-character subkey under the registry \\Run key, a combination of lowercase and uppercase letters\r\nand digits\r\nEncrypted strings: \"http://\", \"/ca.php\", \"?m=\", \"\u0026h;=\", \"GET\", \"?p\", \"POST\", \"users.qzone.qq.com\", \"GET /fcg-bin/cgi_get_portrait.fcg?uins=\", etc.\r\nSamples dated 2016\r\nVersion 2 (probably under development):\r\nPersistence: subkey under \\Run with the fixed name 000C29FC2AB3\r\nMutex: M_Test\r\nEncrypted strings: \"ScriptControl\", \"Language\", \"VBScript\", \"ExecuteStatement\", \"Function MACAddress()\",\r\n\"Dim mc,mo\", \"Set mc=GetObject(\\\"Winmgmts:\\\").InstancesOf(\\\"Win32_NetworkAdapterConfiguration\\\")\", \"For\r\nEach mo In mc\", etc.\r\nOne sample dated 2016-05-05 and two samples dated 2018\r\nWe have only 3 samples classified as version 2. They are probably quite similar, but we must bear in mind\r\nthat the lists of encrypted strings for these samples are not totally identical. However, the Run subkey 000C29FC2AB3 and\r\nthe mutex M_Test make us think these 3 samples belong to the same version.\r\nFrom my point of view, these 3 newer samples could be a version under development. That would explain why each\r\nversion 2 sample is a bit different from the others, and why the mutex is named M_Test and the \\Run subkey has a non-random name.\r\nOne caveat on that last point: 000C29FC2AB3 has the shape of a MAC address, its first three bytes 00:0C:29 are a VMware OUI, and the\r\nversion 2 strings include a VBScript MACAddress() function that reads Win32_NetworkAdapterConfiguration. The name may therefore be\r\nderived from the MAC address of the (VMware) analysis machine rather than hardcoded, in which case it would differ on every infected\r\nhost and should not be relied on as an indicator by itself.\r\n3.3. BinDiff\r\nLet's compare the following samples with BinDiff (once unpacked) to understand the evolution of\r\nthis malware:\r\nVersion 1:\r\n2de1e47c650c0a8865ecc7e7b68379ca071062c0873f46a4addb1aa13b8d48dc\r\n2016-03-03\r\nOriginal sample packed with FSG\r\nVersion 2:\r\n00eae37eaaee93b8155e6bad95564c3d95d71e7397653ffcbae4f95614ffa723\r\n2016-05-05\r\nOriginal sample packed with PeCompact\r\nVersion 2:\r\n80ea86d195bbc4384a1b9a77a2d477e2c4e6dc6d48f3f80447877dbbe41a4e40\r\n2018-06-18\r\nOriginal sample packed with ASPack\r\nVersion 2:\r\n09beec989993806345254ca9adcdb034f8649d8a9633bbe8933a52f5093e8be1\r\n2018-11-01\r\nOriginal sample packed with PeCompact\r\n3.3.1. 2016-03-03 -\u003e 2016-05-05 Statistics: 345 matching functions\r\n3.3.2. 2016-05-05 -\u003e 2018-06-18 Statistics: 591 matching functions\r\n3.3.3. 2018-06-18 -\u003e 2018-11-01 Statistics: 1743 matching functions\r\nI think the most interesting similarity indicator, at least in this case, is the number of matching functions, because\r\nthe unpacked modules were dumped with Volatility's procdump command with the --memory --unsafe options.\r\nMost of the unmatched primary and secondary functions are probably due to residual packer code left in\r\nmemory, and maybe to recompilation of the code with newer versions of the runtime.\r\nIf we compare the paired functions, we find that most of the changes between versions are light modifications,\r\nsmall fixes, etc., as we will see in the following sections.\r\n3.3.4. 2016-03-03 -\u003e 2016-05-05 Differences:\r\nFor example, here is a function from the sample dated 2016-03-03 compared to the same function in the sample dated\r\n2016-05-05, where we can see that small changes were made:\r\nAnother function. In this case a larger block of code was removed from the function in the newer version:\r\nBy the way, in the case of 2016-03-03 -\u003e 2016-05-05, most of the matching functions are located at totally different addresses:\r\nProbably, even though the code does not change a lot and there are many matching functions, a code\r\nrefactoring took place between version 1 and the first samples of version 2 (around 2016-05).\r\n3.3.5. 2016-05-05 -\u003e 2018-06-18 Differences:\r\nIn this case, in addition to the similarity between function pairs, many of the matching functions are located at the same\r\noffset in the unpacked sample:\r\nThis makes us think both binaries are quite similar, even though we find minimal changes like in this\r\nfunction:\r\nHowever, there are other functions with more important changes that suggest at least some\r\ndevelopment between both samples (manual modifications of the code, improvements or fixes, not only\r\nrecompilation + repacking):\r\n3.3.6. 2018-06-18 -\u003e 2018-11-01 Differences:\r\nAgain, many of the matching functions are located at the same offset, with minimal changes between paired functions. And\r\nagain, some parts of the code show more important changes that suggest some development by the authors between\r\nthe first and the second sample:\r\n4. Conclusions\r\nFrom my point of view, there are two main versions of the BlackMoon family.\r\nSamples of the first version date from the first half of 2016.\r\nAround May 2016, a new version was started. In the sample dated 2016-05-05 we can see a code\r\nrefactoring and more important changes in the code. In addition, we find changes in behavior, such as the\r\nnon-random subkey under the \\Run registry key, named 000C29FC2AB3, and the non-random mutex\r\nnamed M_Test.\r\nThere are minimal changes between the sample dated 2018-06-18 and the sample dated 2016-05-05, and again\r\nminimal changes between the sample dated 2018-11-01 and the sample dated 2018-06-18. However, there are\r\nenough changes between these version 2 samples to see that development was done by the authors: there\r\nmust have been modifications of the source code between them (not only recompilation + repacking).\r\nMy conclusion is that there is a version of BlackMoon under development. We can find quite recent samples\r\n(based on the VirusTotal first seen date) of this version. I cannot say for sure whether the code of these\r\nrecent samples was modified and compiled in 2018 or earlier (although I think the code was\r\nrecently modified and is currently evolving, maybe these samples were only repacked or their bytes lightly modified, or\r\nmaybe VirusTotal simply had not seen them before).\r\nIn addition to the larger changes from the first version to the second, we can see an evolution of the code\r\nwithin the second version: from sample 00eae37eaaee93b8155e6bad95564c3d95d71e7397653ffcbae4f95614ffa723 (May 2016) to\r\nsample 80ea86d195bbc4384a1b9a77a2d477e2c4e6dc6d48f3f80447877dbbe41a4e40 (June 2018), and on to\r\nsample 09beec989993806345254ca9adcdb034f8649d8a9633bbe8933a52f5093e8be1 (November 2018). So, from my point of\r\nview, there seems to be enough evidence to think that there is a BlackMoon version under development\r\nand currently evolving.\r\n5. Yara Rules and Scripts\r\n5.1. BlackMoon Yara Rule\r\nUnpacked module:\r\nrule blackmoon_unpacked {\r\nstrings:\r\n $code1 = { 89 45 ?? 68 01 01 00 80 6A 00 68 ?? 00 00 00 68 01 00 00 00 BB ?? ?? 00 00 E8 ?? ?? ?? ?? 83 C4 10 }\r\n $code2 = { FF 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? B9 ?? ?? 00 00 E8 }\r\ncondition:\r\n (all of them)\r\n}\r\nBoth patterns are code of the unpacked module ($code1 is the key-character push sequence of section 2.2), so run the rule against\r\nprocess memory or unpacked dumps; the packed samples listed in section 1.1 do not contain these bytes and will not match.\r\n5.2. Script to Extract BlackMoon Encrypted Strings\r\nThe following script extracts and decrypts the encrypted strings from an unpacked BlackMoon sample (Python 3):\r\npython strings_decryptor.py \u003cpath to unpacked blackmoon\u003e\r\nimport os\r\nimport sys\r\nimport binascii\r\nimport traceback\r\n#################################################\r\nHEX_UPPER = b'0123456789ABCDEF'\r\nHEX_ANY = b'0123456789abcdefABCDEF'\r\n# push 80000101h; push 0; push \u003cchar\u003e: the sequence that carries each appended key character\r\nKEY2_PUSH = bytes.fromhex('68 01 01 00 80 6A 00 68')\r\n#################################################\r\ndef rc4(data, key):\r\n    # Plain RC4 over bytes: key scheduling followed by the keystream XOR.\r\n    box = list(range(256))\r\n    x = 0\r\n    for i in range(256):\r\n        x = (x + box[i] + key[i % len(key)]) % 256\r\n        box[i], box[x] = box[x], box[i]\r\n    x = y = 0\r\n    out = bytearray()\r\n    for c in data:\r\n        x = (x + 1) % 256\r\n        y = (y + box[x]) % 256\r\n        box[x], box[y] = box[y], box[x]\r\n        out.append(c ^ box[(box[x] + box[y]) % 256])\r\n    return bytes(out)\r\n#################################################\r\ndef findencstrings(s):\r\n    # Candidate encrypted strings: null-terminated runs of at least 6 upper-case hex digits.\r\n    l = []\r\n    laststr = bytearray()\r\n    for c in s:\r\n        if c in HEX_UPPER:\r\n            laststr.append(c)\r\n        else:\r\n            if c == 0 and len(laststr) \u003e= 6:\r\n                l.append(bytes(laststr))\r\n            laststr = bytearray()\r\n    return l\r\n#################################################\r\ndef decstr(s, k, k2):\r\n    # rc4(unhexlify(rc4(unhexlify(s), key)), key) with key = k + k2. An odd-length layer loses its\r\n    # last digit; anything that is not valid hex after the first layer is rejected.\r\n    sorig = s\r\n    key = k + k2\r\n    try:\r\n        if len(s) % 2: s = s[:-1]\r\n        s = rc4(binascii.unhexlify(s), key)\r\n        if len(s) % 2: s = s[:-1]\r\n        s = rc4(binascii.unhexlify(s), key)\r\n        return True, s\r\n    except Exception as e:\r\n        return False, b'ERROR:' + repr(e).encode() + b', string:' + sorig\r\n#################################################\r\ndef findkey1(s):\r\n    # First part of the key: a null-terminated run of 20 to 30 hex digits (any case) of even length.\r\n    l = []\r\n    laststr = bytearray()\r\n    for c in s:\r\n        if c in HEX_ANY:\r\n            laststr.append(c)\r\n        else:\r\n            if c == 0 and 20 \u003c= len(laststr) \u003c= 30 and not len(laststr) % 2 and bytes(laststr) not in l:\r\n                l.append(bytes(laststr))\r\n            laststr = bytearray()\r\n    return l or None\r\n#################################################\r\ndef findkey2(s):\r\n    # Second part of the key: the characters pushed one at a time (the $code1 idiom of the yara rule).\r\n    # The 00 00 00 tail of the check was cut in the archived copy and is restored from that pattern.\r\n    key = bytearray()\r\n    i = s.find(KEY2_PUSH)\r\n    while 0 \u003c= i \u003c len(s) - 0x100:\r\n        if s[i + 8] in HEX_ANY and s[i + 9:i + 12] == bytes(3):\r\n            key.append(s[i + 8])\r\n        i = s.find(KEY2_PUSH, i + 1)\r\n    return bytes(key)\r\n#################################################\r\ndef get_strings_from_pe(s):\r\n    ldecs = []\r\n    lenc = findencstrings(s)\r\n    lk1 = findkey1(s)\r\n    k2 = findkey2(s)\r\n    if lk1 and k2 and lenc:\r\n        for k1 in lk1:\r\n            # Try every 6-character window of the pushed characters (the original loop stopped one window short).\r\n            for i in range(0, len(k2) - 5):\r\n                for senc in lenc:\r\n                    ok, dec = decstr(senc, k1, k2[i:i + 6])\r\n                    if ok:\r\n                        ldecs.append(dec)\r\n    return ldecs\r\n#################################################\r\ndef analexe(s):\r\n    decrypted_string_list = []\r\n    try:\r\n        decrypted_string_list = get_strings_from_pe(s)\r\n    except Exception:\r\n        print('blackmoon exception in get_strings_from_pe')\r\n        print(traceback.format_exc())\r\n    for e in decrypted_string_list:\r\n        print('blackmoon decrypted string:', e)\r\n#################################################\r\nif __name__ == '__main__':\r\n    if len(sys.argv) \u003e 1 and os.path.exists(sys.argv[1]):\r\n        with open(sys.argv[1], 'rb') as f:\r\n            analexe(f.read())\r\n    else:\r\n        print('Incorrect path')\r\n6. Other Notes\r\n6.1. Another sample dated 2018 suspected of being BlackMoon\r\nOnce I started to investigate a bit more and to search for information about the BlackMoon family, I found a tweet about\r\nanother sample that could be BlackMoon, whose first submission date is 2018-08-08.
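Sections 2.2, 5.1 and 5.2 describe three pieces that fit together: the key assembled from an embedded 26-character string plus six pushed characters, the $code1 pattern that matches exactly that push sequence, and the two-layer RC4 decryption. The Python 3 script below is an added example written for this page, not the post's own script. It compiles the rule's hex strings into regular expressions with the wildcard bytes captured, harvests the key suffix from the $code1 hits, and decrypts a string, all against a constructed buffer built inside the script (six push stubs, one $code2 site and one string encrypted under the key) that stands in for an unpacked module. The first part of the key is the one shown in section 2.2; locating it in a real dump is what findkey1() in the script above does. encrypt_string() is my inverse of the documented scheme and exists only to build the fixture, and the use of upper-case hex in the inner layer is an assumption.

```python
import re

# The two hex strings of the blackmoon_unpacked yara rule (section 5.1), unchanged.
CODE1 = '89 45 ?? 68 01 01 00 80 6A 00 68 ?? 00 00 00 68 01 00 00 00 BB ?? ?? 00 00 E8 ?? ?? ?? ?? 83 C4 10'
CODE2 = 'FF 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? B9 ?? ?? 00 00 E8'
HEXCHARS = '0123456789abcdefABCDEF'
# First part of the key as carried by sample 09beec... (section 2.2); the six-character second
# part is what the $code1 push sequence supplies.
KEY1 = b'7ac13b3aa82136afa3090c5137'
SUFFIX = 'B8a195'


def compile_hex_pattern(pattern):
    # yara hex string -> bytes regex. Each ?? becomes a one-byte capture group so the wildcard
    # bytes of a hit can be read back (here: the pushed key character).
    parts = [b'(.)' if tok == '??' else re.escape(bytes([int(tok, 16)])) for tok in pattern.split()]
    return re.compile(b''.join(parts), re.DOTALL)


def scan(buf, pattern):
    return [(m.start(), m.groups()) for m in compile_hex_pattern(pattern).finditer(buf)]


def matches_rule(buf):
    # Same condition as the rule: all of them.
    return bool(scan(buf, CODE1)) and bool(scan(buf, CODE2))


def harvest_key_suffix(buf):
    # $code1 is the key-push idiom (push 80000101h; push 0; push <char>; push 1; call ...); its
    # second wildcard is the character. Hits are collected in code order, as findkey2() does.
    return ''.join(chr(g[1][0]) for _, g in scan(buf, CODE1) if chr(g[1][0]) in HEXCHARS)


def rc4(data, key):
    # Plain RC4 over bytes: key scheduling, then keystream XOR.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_string(plain, key):
    # Inverse of the section 2.2 scheme, used only to build the fixture: hex(rc4(hex(rc4(plain)))).
    # Upper-case hex is assumed for both layers; that is what findencstrings() looks for.
    inner = rc4(plain, key).hex().upper().encode()
    return rc4(inner, key).hex().upper().encode()


def decrypt_string(enc, key):
    # rc4(unhexlify(rc4(unhexlify(enc), key)), key). With a wrong key the inner layer is usually
    # not valid hex, which surfaces as ValueError or UnicodeDecodeError.
    inner = rc4(bytes.fromhex(enc.decode()), key)
    return rc4(bytes.fromhex(inner.decode()), key)


def code1_stub(ch):
    # One key-push site shaped like $code1, wildcard bytes filled with arbitrary values.
    return (bytes.fromhex('89 45 F8 68 01 01 00 80 6A 00 68') + bytes([ord(ch)])
            + bytes.fromhex('00 00 00 68 01 00 00 00 BB 10 40 00 00 E8 11 22 33 44 83 C4 10'))


CODE2_STUB = bytes.fromhex('FF 75 08 FF 75 0C FF 75 10 FF 75 14 FF 75 18 FF 75 1C FF 75 20 B9 34 12 00 00 E8')
ENC_STRING_RE = re.compile(b'([0-9A-F]{6,})' + bytes(1))   # null-terminated run of upper-case hex


def build_fixture():
    # Constructed stand-in for an unpacked module: six key pushes, one $code2 site and one
    # encrypted string (a version-1 string from section 3.2), separated by NOPs.
    nop = bytes.fromhex('90 90')
    enc = encrypt_string(b'users.qzone.qq.com', KEY1 + SUFFIX.encode())
    return nop.join(code1_stub(c) for c in SUFFIX) + nop + CODE2_STUB + nop + enc + bytes(1) + nop


def recover_and_decrypt(buf):
    # Whole pipeline on a buffer: key suffix from the code, then every candidate string.
    suffix = harvest_key_suffix(buf)
    key = KEY1 + suffix.encode()
    out = []
    for m in ENC_STRING_RE.finditer(buf):
        try:
            out.append(decrypt_string(m.group(1), key))
        except (ValueError, UnicodeDecodeError):
            pass   # not a BlackMoon string under this key
    return suffix, out


if __name__ == '__main__':
    buf = build_fixture()
    print('rule matches:', matches_rule(buf))
    print('key suffix:', harvest_key_suffix(buf))
    print('decrypted:', recover_and_decrypt(buf)[1])
```

Compiling the hex strings this way is a quick offline check of what the rule's patterns match and which byte the wildcard lands on; it is not a replacement for yara on a real dump, and like the rule itself it only makes sense against memory or unpacked modules, since the packed samples do not contain this code.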
\r\nSource: https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html"
	],
	"report_names": [
		"analysis-of-blackmoon-banking-trojans.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434167,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d1b57be3ea6af32573ebde9c3741cd1b6cc8698.pdf",
		"text": "https://archive.orkl.eu/2d1b57be3ea6af32573ebde9c3741cd1b6cc8698.txt",
		"img": "https://archive.orkl.eu/2d1b57be3ea6af32573ebde9c3741cd1b6cc8698.jpg"
	}
}