blackmoon | 784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4

General

Target

784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
Size

4.0MB
MD5

40e741054de924186fc92ca28e367f1f
SHA1

0181be7e0a4f6354fed8c7438ee42528945bedac
SHA256

784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4
SHA512

e267b4fd931c2b3efd63d1dcfd21d0f8681d5cead8ae8865b167cab73772eb9e3eadd5a88eb1b4bf768696266c57cbd11ca5b3d8164a818821e0f4e3fc538127
SSDEEP

98304:GczGF9E+wSReWIjp3tcb9YI/LsoayFPVdBOxt1bDkMBr:GczGPERuQjdtc5vzsoaMPVdMt1bDkMBr

Score

10^/10

blackmoon joker banker infostealer trojan

Malware Config

Extracted

Family

joker

C2

https://htuzi.oss-cn-shanghai.aliyuncs.com

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/948-55-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral1/memory/948-56-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral1/memory/948-57-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral1/memory/948-75-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 948 set thread context of 1084	948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	30

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
1084	regini.exe
1084	regini.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
1084	regini.exe
1084	regini.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1084	948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	30
PID 948 wrote to memory of 1084	948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	30
PID 948 wrote to memory of 1084	948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	30
PID 948 wrote to memory of 1084	948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	30
PID 948 wrote to memory of 1084	948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	30
PID 948 wrote to memory of 1084	948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	30
PID 948 wrote to memory of 1084	948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	30
PID 948 wrote to memory of 1084	948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	30
PID 948 wrote to memory of 1084	948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	30
PID 948 wrote to memory of 1084	948	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	30

C:\Users\Admin\AppData\Local\Temp\784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
"C:\Users\Admin\AppData\Local\Temp\784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\regini.exe
  C:\Windows\SysWOW64\regini.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\EasySkin.ini

Filesize
129B

MD5
78d89536fa344a82364f1dda81d78f3a

SHA1
e866b4f7713f3b6718c2b4b836937c8b35ff7c31

SHA256
32c064c7c56cae4ea4ee32cf8ee2f110f2f715ed064c28c1a5e5b4b384439fa5

SHA512
2a04d9ea26e8617c60f5af189f2fce74baf151bb414390aa617adf140bce277d492764dc7a34671d0a09c61edebbd0b9f8d3ce591a2d6d54f66495f53cce6d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\948_update\7z.7z

Filesize
4.0MB

MD5
f88236ac58d508dd747da0bfca466c72

SHA1
cd16259c208e83a6329dc02bfbee3c2e7a52b995

SHA256
3f40f4868be1627095fa4c91825c2f4aea63240a4e0f63bb09b97e3b1a6b37e0

SHA512
e7104a1e4f817b964c1f4c44481943fd98dcbb12523e99ea90edc62aaf7589d4a0b510a8f9e649c5cc8df4d7f719288412a6b31f17c565adfa136fceb074a3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\948_update\data.ini

Filesize
165B

MD5
54751bf3cf9dd462019f1b5602ddbd1a

SHA1
480139bf91e02ce4ff820df8407cc26a2120b4ca

SHA256
35e1672ca00e78ebd784d4bbf1f38a3fe612c985e08e64c0b35fc5ca76c9f704

SHA512
6e8b1f626d9042d6c34c3836d2cf997d85f3f795c4474bdbdd045089f3820696531b8242846d4eefe22ba90a366f9acf497cc8de7464b0816b6a979496b7c2e5

Download Submit
memory/948-75-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/948-58-0x000000001006C000-0x00000000100AC000-memory.dmp

Filesize
256KB

Download
memory/948-55-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/948-56-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/948-57-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/948-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1084-71-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1084-68-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1084-65-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1084-76-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1084-62-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1084-60-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1084-59-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing