blackmoon | 784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4

General

Target

784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
Size

4.0MB
MD5

40e741054de924186fc92ca28e367f1f
SHA1

0181be7e0a4f6354fed8c7438ee42528945bedac
SHA256

784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4
SHA512

e267b4fd931c2b3efd63d1dcfd21d0f8681d5cead8ae8865b167cab73772eb9e3eadd5a88eb1b4bf768696266c57cbd11ca5b3d8164a818821e0f4e3fc538127
SSDEEP

98304:GczGF9E+wSReWIjp3tcb9YI/LsoayFPVdBOxt1bDkMBr:GczGPERuQjdtc5vzsoaMPVdMt1bDkMBr

Score

10^/10

blackmoon joker banker infostealer trojan upx

Malware Config

Extracted

Family

joker

C2

https://htuzi.oss-cn-shanghai.aliyuncs.com

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/1560-133-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral2/memory/1560-134-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral2/memory/1560-135-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral2/memory/1560-151-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1560-136-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral2/memory/1560-138-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral2/memory/1560-139-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral2/memory/1560-140-0x0000000010000000-0x00000000100BE000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1560 set thread context of 4560	1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	83

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
4560	RdpSaUacHelper.exe
4560	RdpSaUacHelper.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
4560	RdpSaUacHelper.exe
4560	RdpSaUacHelper.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 4560	1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	83
PID 1560 wrote to memory of 4560	1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	83
PID 1560 wrote to memory of 4560	1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	83
PID 1560 wrote to memory of 4560	1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	83
PID 1560 wrote to memory of 4560	1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	83
PID 1560 wrote to memory of 4560	1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	83
PID 1560 wrote to memory of 4560	1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	83
PID 1560 wrote to memory of 4560	1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	83
PID 1560 wrote to memory of 4560	1560	784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe	83

C:\Users\Admin\AppData\Local\Temp\784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe
"C:\Users\Admin\AppData\Local\Temp\784f0119c4fdeaf13267c53e3a7f124644b3dbe79b335d48a7f32ec132d14df4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\RdpSaUacHelper.exe
  C:\Windows\SysWOW64\RdpSaUacHelper.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\EasySkin.ini

Filesize
166B

MD5
e799fcc4714ecf1f71e0659a99d426a2

SHA1
74e7bc58258fa462f4bce2ad1422c997b4665f8b

SHA256
7641e6fff5ba27b6de35766d3d875e945c0883ad87caf79d6b607fdbd58d9949

SHA512
f58844bd81af85e7626f7ceb3306d0036217cf9a375a3583b4171732a4b9169633c09c186f20515822e6c9ca218adf39b1afba6d31b7a173f025f0457268d427

Download Submit
C:\Users\Admin\AppData\Local\Temp\1560_update\7z.7z

Filesize
4.0MB

MD5
f88236ac58d508dd747da0bfca466c72

SHA1
cd16259c208e83a6329dc02bfbee3c2e7a52b995

SHA256
3f40f4868be1627095fa4c91825c2f4aea63240a4e0f63bb09b97e3b1a6b37e0

SHA512
e7104a1e4f817b964c1f4c44481943fd98dcbb12523e99ea90edc62aaf7589d4a0b510a8f9e649c5cc8df4d7f719288412a6b31f17c565adfa136fceb074a3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1560_update\data.ini

Filesize
165B

MD5
54751bf3cf9dd462019f1b5602ddbd1a

SHA1
480139bf91e02ce4ff820df8407cc26a2120b4ca

SHA256
35e1672ca00e78ebd784d4bbf1f38a3fe612c985e08e64c0b35fc5ca76c9f704

SHA512
6e8b1f626d9042d6c34c3836d2cf997d85f3f795c4474bdbdd045089f3820696531b8242846d4eefe22ba90a366f9acf497cc8de7464b0816b6a979496b7c2e5

Download Submit
memory/1560-133-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/1560-134-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/1560-135-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/1560-136-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/1560-138-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/1560-139-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/1560-140-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/1560-132-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/1560-151-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/4560-147-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4560-145-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4560-144-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4560-143-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4560-142-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing