blackmoon | c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83

General

Target

c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe
Size

4.0MB
MD5

9058fa47d074205aac12d95fb79bd53b
SHA1

18415a9d6ebd25910e6be70e7d4ce5f9ec653120
SHA256

c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83
SHA512

2ab810d0ee3586230071e8f57216aa60002061420c46a0b4addf90dfe547d184cd80f1b00f17816b652db9463a28c90d8d0a14bd82b71f90769d92ce31b1d51c
SSDEEP

98304:FPUpwKFQhvFGd6toOUVuwXWxiTsFtJ3L1ifCGJ:FPwT2FGGAVLXAT3RifCGJ

Score

10^/10

blackmoon joker banker infostealer trojan upx

Malware Config

Extracted

Family

joker

C2

https://htuzi.oss-cn-shanghai.aliyuncs.com

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/1760-133-0x0000000000400000-0x00000000010A1000-memory.dmp	family_blackmoon
behavioral2/memory/1760-134-0x0000000000400000-0x00000000010A1000-memory.dmp	family_blackmoon
behavioral2/memory/1760-135-0x0000000000400000-0x00000000010A1000-memory.dmp	family_blackmoon
behavioral2/memory/1760-151-0x0000000000400000-0x00000000010A1000-memory.dmp	family_blackmoon

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1760-136-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral2/memory/1760-139-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral2/memory/1760-138-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral2/memory/1760-140-0x0000000010000000-0x00000000100BE000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 4648	1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe	91

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe
1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe
4648	TapiUnattend.exe
4648	TapiUnattend.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe
1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe
1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe
1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe
1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe
1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe
4648	TapiUnattend.exe
4648	TapiUnattend.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 4648	1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe	91
PID 1760 wrote to memory of 4648	1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe	91
PID 1760 wrote to memory of 4648	1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe	91
PID 1760 wrote to memory of 4648	1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe	91
PID 1760 wrote to memory of 4648	1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe	91
PID 1760 wrote to memory of 4648	1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe	91
PID 1760 wrote to memory of 4648	1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe	91
PID 1760 wrote to memory of 4648	1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe	91
PID 1760 wrote to memory of 4648	1760	c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe	91

C:\Users\Admin\AppData\Local\Temp\c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe
"C:\Users\Admin\AppData\Local\Temp\c15317f780b0f408415f2e0a9a7811737068964ebe96927fd58552727fe00b83.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\TapiUnattend.exe
  C:\Windows\SysWOW64\TapiUnattend.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\EasySkin.ini

Filesize
129B

MD5
78d89536fa344a82364f1dda81d78f3a

SHA1
e866b4f7713f3b6718c2b4b836937c8b35ff7c31

SHA256
32c064c7c56cae4ea4ee32cf8ee2f110f2f715ed064c28c1a5e5b4b384439fa5

SHA512
2a04d9ea26e8617c60f5af189f2fce74baf151bb414390aa617adf140bce277d492764dc7a34671d0a09c61edebbd0b9f8d3ce591a2d6d54f66495f53cce6d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1760_update\7z.7z

Filesize
4.0MB

MD5
a49c160682e6667d0243c3818fccaaea

SHA1
82238557e989fc15caab6bf9a2ec37fb89c00896

SHA256
c0339141897dbcdd4766497d95f7d797145255613ade154c0731a4b45d34f08a

SHA512
45b463a6f3245d9c384ae7b6f2a63f76228784960a1aced1221e5d060f6a41dcbbc3efd4ca0e4d5997deabfda88a468c76faccad4e105da3d7ce650ddef5a939

Download Submit
C:\Users\Admin\AppData\Local\Temp\1760_update\data.ini

Filesize
164B

MD5
2023b841c1579e612cf826e8187dbe4d

SHA1
3134dc512f0f6707e4fe51f73b632df5ee417823

SHA256
2732e020f4f1e54cf02b897b70a36e78be7cd59aa8e6ed640476ba16bb6c9ac5

SHA512
3c98ff8c397e4677fa506b566a9a05b0ef3577f1b197bf430a41792235176109b57e1755823e497a359f982348aac7c267a03960fd9018ec4d293082859884b7

Download Submit
memory/1760-133-0x0000000000400000-0x00000000010A1000-memory.dmp

Filesize
12.6MB

Download
memory/1760-134-0x0000000000400000-0x00000000010A1000-memory.dmp

Filesize
12.6MB

Download
memory/1760-135-0x0000000000400000-0x00000000010A1000-memory.dmp

Filesize
12.6MB

Download
memory/1760-136-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/1760-139-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/1760-138-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/1760-140-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/1760-132-0x0000000000400000-0x00000000010A1000-memory.dmp

Filesize
12.6MB

Download
memory/1760-151-0x0000000000400000-0x00000000010A1000-memory.dmp

Filesize
12.6MB

Download
memory/4648-147-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4648-145-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4648-144-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4648-143-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4648-142-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing