blackmoon | d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f

General

Target

d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
Size

4.0MB
MD5

24fb820f2eea7cb91deb3ddfe49af1a8
SHA1

281ba24c6a65dae9e206b6713c783ac37425a369
SHA256

d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f
SHA512

b387d5643f49d022be3f3e7f8c547d438b2278273b74179ccd2a09b02b56a062f5d618ee1394f5a03c5f12595f40cd7919b23794553ed91dfeb9c1f0c2e31e42
SSDEEP

98304:GczGF9E+wSReWIjp3tcb9YI/LsoayFPVdBOxt1bDkMBW:GczGPERuQjdtc5vzsoaMPVdMt1bDkMBW

Score

10^/10

blackmoon joker banker infostealer trojan upx

Malware Config

Extracted

Family

joker

C2

https://htuzi.oss-cn-shanghai.aliyuncs.com

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/5036-132-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral2/memory/5036-134-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral2/memory/5036-135-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon
behavioral2/memory/5036-151-0x0000000000400000-0x00000000010A2000-memory.dmp	family_blackmoon

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5036-136-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral2/memory/5036-140-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral2/memory/5036-139-0x0000000010000000-0x00000000100BE000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5036 set thread context of 4268	5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe	83

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
4268	fontview.exe
4268	fontview.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
4268	fontview.exe
4268	fontview.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4268	5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe	83
PID 5036 wrote to memory of 4268	5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe	83
PID 5036 wrote to memory of 4268	5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe	83
PID 5036 wrote to memory of 4268	5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe	83
PID 5036 wrote to memory of 4268	5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe	83
PID 5036 wrote to memory of 4268	5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe	83
PID 5036 wrote to memory of 4268	5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe	83
PID 5036 wrote to memory of 4268	5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe	83
PID 5036 wrote to memory of 4268	5036	d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe	83

C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
"C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\fontview.exe
  C:\Windows\SysWOW64\fontview.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\EasySkin.ini

Filesize
129B

MD5
78d89536fa344a82364f1dda81d78f3a

SHA1
e866b4f7713f3b6718c2b4b836937c8b35ff7c31

SHA256
32c064c7c56cae4ea4ee32cf8ee2f110f2f715ed064c28c1a5e5b4b384439fa5

SHA512
2a04d9ea26e8617c60f5af189f2fce74baf151bb414390aa617adf140bce277d492764dc7a34671d0a09c61edebbd0b9f8d3ce591a2d6d54f66495f53cce6d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\5036_update\7z.7z

Filesize
4.0MB

MD5
bbff4f98fe176335df3a0d98e9a1f5f3

SHA1
88c0eb3ce20c013d5a22445b3a37d67a74d727cd

SHA256
87d2d4d94ea048792b0a05e126feacca9bb7902d857ed4dd30d6b5fe05df230b

SHA512
a454e9739ce9949bce41933aced118164820df02d6d28cd6fabc774bbc6e6ce63e8f46a2b2063a1740f2b9b834642261a1764e2afe4265b4eb6d98ed76cb5728

Download Submit
C:\Users\Admin\AppData\Local\Temp\5036_update\data.ini

Filesize
169B

MD5
af4d7d9e29e2dbbfbb5251b5e4bf81e6

SHA1
21cb7480e8d126c7aec17254c1ed5e81775d5565

SHA256
998ab36245f6efbe322ca6269ce446040a88b1e65e3f32217b251702ca9bec1f

SHA512
8a461991469aa1096572613ea6796127ed23136aaa2eabcef311b0ce5d7b666cd0362bca6f966236dfd151029b62aea9b30e4c95902d18a8f3cf6f17103763dd

Download Submit
memory/4268-147-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4268-144-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4268-145-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4268-143-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4268-142-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/5036-139-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/5036-136-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/5036-140-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/5036-133-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/5036-135-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/5036-134-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/5036-132-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download
memory/5036-151-0x0000000000400000-0x00000000010A2000-memory.dmp

Filesize
12.6MB

Download

Analysis

Sharing