blackmoon | 3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf

General

Target

3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe
Size

4.0MB
MD5

9db55640696bc0fd1cb08568c42f5d5b
SHA1

89f1105462ee2003bcc44a70d9ddd00d21bb5938
SHA256

3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf
SHA512

7a9543e7bbb8d26fb35450580e7dac37cd410bc273214421a62465456365cb8ce3e780b88938927e9d3deb3f13de11b7310ea3f6424b17a41c4cf612358fd812
SSDEEP

98304:FPUpwKFQhvFGd6toOUVuwXWxiTsFtJ3L1ifCGW:FPwT2FGGAVLXAT3RifCGW

Score

10^/10

blackmoon joker banker infostealer trojan upx

Malware Config

Extracted

Family

joker

C2

https://htuzi.oss-cn-shanghai.aliyuncs.com

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/2300-133-0x0000000000400000-0x00000000010A1000-memory.dmp	family_blackmoon
behavioral2/memory/2300-134-0x0000000000400000-0x00000000010A1000-memory.dmp	family_blackmoon
behavioral2/memory/2300-135-0x0000000000400000-0x00000000010A1000-memory.dmp	family_blackmoon
behavioral2/memory/2300-151-0x0000000000400000-0x00000000010A1000-memory.dmp	family_blackmoon

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2300-136-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral2/memory/2300-138-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral2/memory/2300-139-0x0000000010000000-0x00000000100BE000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 1296	2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe	83

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe
2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe
1296	ROUTE.EXE
1296	ROUTE.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe
2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe
2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe
2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe
2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe
2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe
1296	ROUTE.EXE
1296	ROUTE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1296	2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe	83
PID 2300 wrote to memory of 1296	2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe	83
PID 2300 wrote to memory of 1296	2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe	83
PID 2300 wrote to memory of 1296	2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe	83
PID 2300 wrote to memory of 1296	2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe	83
PID 2300 wrote to memory of 1296	2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe	83
PID 2300 wrote to memory of 1296	2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe	83
PID 2300 wrote to memory of 1296	2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe	83
PID 2300 wrote to memory of 1296	2300	3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe	83

C:\Users\Admin\AppData\Local\Temp\3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe
"C:\Users\Admin\AppData\Local\Temp\3b8f70eaccbdb1cf69ac5b5f1b7c5dc72631ab2e740e76f76e0df998d50ba2cf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\ROUTE.EXE
  C:\Windows\SysWOW64\ROUTE.EXE
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\EasySkin.ini

Filesize
129B

MD5
78d89536fa344a82364f1dda81d78f3a

SHA1
e866b4f7713f3b6718c2b4b836937c8b35ff7c31

SHA256
32c064c7c56cae4ea4ee32cf8ee2f110f2f715ed064c28c1a5e5b4b384439fa5

SHA512
2a04d9ea26e8617c60f5af189f2fce74baf151bb414390aa617adf140bce277d492764dc7a34671d0a09c61edebbd0b9f8d3ce591a2d6d54f66495f53cce6d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\2300_update\7z.7z

Filesize
4.0MB

MD5
a49c160682e6667d0243c3818fccaaea

SHA1
82238557e989fc15caab6bf9a2ec37fb89c00896

SHA256
c0339141897dbcdd4766497d95f7d797145255613ade154c0731a4b45d34f08a

SHA512
45b463a6f3245d9c384ae7b6f2a63f76228784960a1aced1221e5d060f6a41dcbbc3efd4ca0e4d5997deabfda88a468c76faccad4e105da3d7ce650ddef5a939

Download Submit
C:\Users\Admin\AppData\Local\Temp\2300_update\data.ini

Filesize
164B

MD5
1f034699b96dee292599157f215bf428

SHA1
d8883a728e927bf9002bb6ab3c11623b0b862d8e

SHA256
622832593f7417a0d712ef800a840b90f5cff26fd6d93add2627b7d6b81d33f1

SHA512
2204823fd2e7fd09418a1ec8f5acc7b0cdc3371aa7a9f60b773fb7fae25804c3e3f537bafa8d449e8fee5bf2ef45c6cc5e90bf1116de75cfccbb2095cf3565f0

Download Submit
memory/1296-142-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1296-144-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1296-147-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1296-145-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1296-141-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2300-143-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/2300-136-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/2300-139-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/2300-132-0x0000000000400000-0x00000000010A1000-memory.dmp

Filesize
12.6MB

Download
memory/2300-138-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/2300-135-0x0000000000400000-0x00000000010A1000-memory.dmp

Filesize
12.6MB

Download
memory/2300-134-0x0000000000400000-0x00000000010A1000-memory.dmp

Filesize
12.6MB

Download
memory/2300-133-0x0000000000400000-0x00000000010A1000-memory.dmp

Filesize
12.6MB

Download
memory/2300-151-0x0000000000400000-0x00000000010A1000-memory.dmp

Filesize
12.6MB

Download

Analysis

Sharing