blackmoon | 176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f

General

Target

176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe
Size

4.0MB
MD5

6481509a5d3a32abdef685297980f7d8
SHA1

b9abfb0457909be6ff5ba2facddfd2c185f862c0
SHA256

176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f
SHA512

2bb86030b6e832d0c2627029f4d9d42d40efdafba4452a1420b88fa888c8472d42bba07d87f2c22a45980da51e9bd1062a0c826a31ac7eff12d14b88f2747d0f
SSDEEP

98304:GczGF9E+wSReWIjp3tcb9YI/LsoayFPVdBOxt1bDkMBE:GczGPERuQjdtc5vzsoaMPVdMt1bDkMBE

Score

10^/10

blackmoon joker banker infostealer trojan upx

Malware Config

Extracted

Family

joker

C2

https://htuzi.oss-cn-shanghai.aliyuncs.com

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/3836-132-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral2/memory/3836-133-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral2/memory/3836-134-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral2/memory/3836-147-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3836-135-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral2/memory/3836-137-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral2/memory/3836-138-0x0000000010000000-0x00000000100BE000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3836 set thread context of 2308	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	82

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe
3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe
2308	rasdial.exe
2308	rasdial.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe
3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe
3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe
3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe
3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe
3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe
2308	rasdial.exe
2308	rasdial.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 2160	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	81
PID 3836 wrote to memory of 2160	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	81
PID 3836 wrote to memory of 2160	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	81
PID 3836 wrote to memory of 2308	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	82
PID 3836 wrote to memory of 2308	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	82
PID 3836 wrote to memory of 2308	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	82
PID 3836 wrote to memory of 2308	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	82
PID 3836 wrote to memory of 2308	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	82
PID 3836 wrote to memory of 2308	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	82
PID 3836 wrote to memory of 2308	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	82
PID 3836 wrote to memory of 2308	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	82
PID 3836 wrote to memory of 2308	3836	176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe	82

C:\Users\Admin\AppData\Local\Temp\176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe
"C:\Users\Admin\AppData\Local\Temp\176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\SysWOW64\resmon.exe
  C:\Windows\SysWOW64\resmon.exe
  2⤵
  PID:2160
- C:\Windows\SysWOW64\rasdial.exe
  C:\Windows\SysWOW64\rasdial.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\EasySkin.ini

Filesize
166B

MD5
3e7d2ba379f525cdb15ee4e3fabb546e

SHA1
29e3014d9ce15aa8689e2c80d67b414bbfad0e7b

SHA256
79e907c54f7de75716d585ae35038ae3e3d6ef378a8d4962b4fb9f4a1b8c2986

SHA512
737c352524526c250b9ea1d1a9836aa5f27cd11dda80a1d17d721e2fb8c0d49f057d46657baa651d1b8b7e73f9951fd50fd11c300cad4b03efe9f9d72f18bbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\3836_update\7z.7z

Filesize
4.0MB

MD5
f88236ac58d508dd747da0bfca466c72

SHA1
cd16259c208e83a6329dc02bfbee3c2e7a52b995

SHA256
3f40f4868be1627095fa4c91825c2f4aea63240a4e0f63bb09b97e3b1a6b37e0

SHA512
e7104a1e4f817b964c1f4c44481943fd98dcbb12523e99ea90edc62aaf7589d4a0b510a8f9e649c5cc8df4d7f719288412a6b31f17c565adfa136fceb074a3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3836_update\data.ini

Filesize
165B

MD5
4db37fefd624f6ed221791e8a7750867

SHA1
fd810ea9dfcfce4b7aec66c15c86460d1ebfb26e

SHA256
6f8062dd395dec777ce6c7bb0f85bac907f6ad807c950d65ac19b7920c4dcea0

SHA512
b3f40ef8c3f65095493f160a3dc40825e5292ba7177305d860e59e8cadc3c89a1be544d2c94d0d95870411cbef4fddbdbf287e0e4e8955fb16de4bfaba9997a4

Download Submit
memory/2308-143-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2308-148-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2308-144-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2308-141-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2308-142-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3836-137-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/3836-138-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/3836-146-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/3836-147-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/3836-132-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/3836-135-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/3836-134-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/3836-133-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download

Analysis

Sharing