blackmoon | 0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b

General

Target

0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe
Size

4.0MB
MD5

d571f25c248e52c07a5343ceb7d9a4c2
SHA1

7d00e4385dee328a7f486dc81ac8696a7d9e535b
SHA256

0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b
SHA512

983fbac794e65d1f391dcff37ddca5f56b8ab221611bc823be08ff9bb5b249007b75e6d7e0c4e4edd09d5edc629d7d010a2e402422154ca800fb867788f825c9
SSDEEP

98304:GczGF9E+wSReWIjp3tcb9YI/LsoayFPVdBOxt1bDkMBN:GczGPERuQjdtc5vzsoaMPVdMt1bDkMBN

Score

10^/10

blackmoon joker banker infostealer trojan

Malware Config

Extracted

Family

joker

C2

https://htuzi.oss-cn-shanghai.aliyuncs.com

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/memory/1460-55-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral1/memory/1460-56-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral1/memory/1460-57-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral1/memory/1460-58-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral1/memory/1460-77-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 1048	1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe	30

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe
1048	systray.exe
1048	systray.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe
1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe
1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe
1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe
1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe
1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe
1048	systray.exe
1048	systray.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1048	1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe	30
PID 1460 wrote to memory of 1048	1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe	30
PID 1460 wrote to memory of 1048	1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe	30
PID 1460 wrote to memory of 1048	1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe	30
PID 1460 wrote to memory of 1048	1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe	30
PID 1460 wrote to memory of 1048	1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe	30
PID 1460 wrote to memory of 1048	1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe	30
PID 1460 wrote to memory of 1048	1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe	30
PID 1460 wrote to memory of 1048	1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe	30
PID 1460 wrote to memory of 1048	1460	0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe	30

C:\Users\Admin\AppData\Local\Temp\0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe
"C:\Users\Admin\AppData\Local\Temp\0dc1ae70ada3fb95f855a2eaed441d5f5200ea675f18270b81eab10a2a5fb91b.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\systray.exe
  C:\Windows\SysWOW64\systray.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\EasySkin.ini

Filesize
129B

MD5
78d89536fa344a82364f1dda81d78f3a

SHA1
e866b4f7713f3b6718c2b4b836937c8b35ff7c31

SHA256
32c064c7c56cae4ea4ee32cf8ee2f110f2f715ed064c28c1a5e5b4b384439fa5

SHA512
2a04d9ea26e8617c60f5af189f2fce74baf151bb414390aa617adf140bce277d492764dc7a34671d0a09c61edebbd0b9f8d3ce591a2d6d54f66495f53cce6d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1460_update\7z.7z

Filesize
4.0MB

MD5
f88236ac58d508dd747da0bfca466c72

SHA1
cd16259c208e83a6329dc02bfbee3c2e7a52b995

SHA256
3f40f4868be1627095fa4c91825c2f4aea63240a4e0f63bb09b97e3b1a6b37e0

SHA512
e7104a1e4f817b964c1f4c44481943fd98dcbb12523e99ea90edc62aaf7589d4a0b510a8f9e649c5cc8df4d7f719288412a6b31f17c565adfa136fceb074a3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1460_update\data.ini

Filesize
165B

MD5
c25ed0c30d7ec0cbc4913ab0146c7c2f

SHA1
68de7a1efcc8dafd05c59d4253d1e3e7285bd6db

SHA256
632a9c1446784a43c06b57da9e6ecf572ed1a27649c7de200788aa707086efb7

SHA512
6742fbc3820129cd680abdaa84351d4254dc163910516cadb244b735f913d0d72f681ce08d139eed028366ab600d905e0324b951a067d3ab44237a2bdc46767a

Download Submit
memory/1048-69-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1048-76-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1048-61-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1048-63-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1048-60-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1048-66-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1048-72-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1460-58-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/1460-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1460-59-0x000000001006C000-0x00000000100AC000-memory.dmp

Filesize
256KB

Download
memory/1460-77-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/1460-57-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/1460-56-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/1460-55-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download

Analysis

Sharing