Malware Analysis Report

2024-10-18 22:59

Sample ID 221115-14jnxsca7t
Target d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f
SHA256 d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f
Tags
aspackv2 blackmoon joker banker infostealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f

Threat Level: Known bad

The file d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f was found to be: Known bad.

Malicious Activity Summary

aspackv2 blackmoon joker banker infostealer trojan upx

Detect Blackmoon payload

Blackmoon, KrBanker

joker

ASPack v2.12-2.42

UPX packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-15 22:12

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-15 22:12

Reported

2022-11-15 22:14

Platform

win7-20221111-en

Max time kernel

148s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

joker

infostealer trojan joker

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374715820" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10fb5dd547f9d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC44FE91-653A-11ED-8B07-42F1C931D1AB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000008d9f54df0f3f411326f8a6d134b152d60eebb4635b61f42bde66c091f3b08416000000000e800000000200002000000026c19f16b3d891a477a77c4038498a32f0f32e27f33cf7ea7629f11bd5a5fa1c200000004d03f1a5f2e7e26e1ad5633bc6587f5ae4ec78f7c747b85cbe0116fe93e74741400000006b96200d7c0560a2d28f97737b6a02e4fde33e1c3ba07d0586e72a78f32d1e2e3434fbea58f4ec0f5aa3850e6ec53ce0fba93e75ba71f49ad849d3f5dc394066 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary value omitted) C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe N/A
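Caveat for this signature: the key name A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 thumbprint of the DigiCert Global Root CA, and the process writing it did so while the trace shows HTTPS connections to DigiCert-issued hosts (ocsp.digicert.cn appears in the Network table). An AuthRoot entry for a well-known public root is what Windows' automatic root update produces when a missing root is needed for chain building; it is not by itself evidence of an attacker-installed CA. Before counting "Modifies system certificate store" as trust tampering, decode the Blob, confirm the certificate inside hashes to the key name, and compare the thumbprint against roots you recognise. The Python below is an added example written for this report, not sandbox output or code from the sample. It assumes the registry Blob layout commonly documented for crypt32 stores (a sequence of records of u32 property id, u32 reserved = 1, u32 length, data, with the DER certificate in property 32 and its SHA-1 in property 3); FAKE_CERT_DER and the KNOWN_ROOT_THUMBPRINTS table are constructed for the example.

```python
import hashlib
import struct

# crypt32 property IDs (wincrypt.h).
CERT_SHA1_HASH_PROP_ID = 3
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32

# Thumbprints the analyst recognises as public roots. Only one entry here;
# the real check would use the full root programme list.
KNOWN_ROOT_THUMBPRINTS = {
    "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436": "DigiCert Global Root CA",
}

# Constructed stand-in for a DER certificate (not a real certificate).
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def thumbprint(cert_der):
    """Windows 'thumbprint' = upper-case hex SHA-1 of the DER bytes."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def build_blob(cert_der, extra_props=()):
    """Serialise properties as a registry-store Blob value is assumed to lay
    them out: <propid:u32><reserved:u32 = 1><length:u32><data>, certificate last."""
    records = list(extra_props) + [
        (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(cert_der).digest()),
        (CERT_CERT_PROP_ID, cert_der),
    ]
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in records)


def parse_blob(blob):
    """Walk the property records; raise on a truncated or malformed record."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header")
        pid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property {pid} at offset {off - 12}")
        props[pid] = blob[off:off + length]
        off += length
    return props


def is_well_formed(blob):
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False


def check_authroot_entry(key_name, blob):
    """Cross-check a Certificates\\<thumbprint> key against its Blob contents."""
    props = parse_blob(blob)
    cert = props.get(CERT_CERT_PROP_ID)
    if cert is None:
        raise ValueError("Blob carries no certificate (property 32)")
    thumb = thumbprint(cert)
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    return {
        "thumbprint": thumb,
        # The key name must equal the SHA-1 of the embedded certificate.
        "key_matches_cert": thumb == key_name.upper(),
        # If property 3 is present it must agree with the certificate too.
        "hash_prop_matches": stored is None or stored.hex().upper() == thumb,
        # A recognised public root is consistent with auto root update, an
        # unrecognised one warrants a look at the certificate itself.
        "known_root": KNOWN_ROOT_THUMBPRINTS.get(thumb),
    }


if __name__ == "__main__":
    blob = build_blob(FAKE_CERT_DER, [(CERT_KEY_IDENTIFIER_PROP_ID, b"\x01" * 20)])
    print(check_authroot_entry(thumbprint(FAKE_CERT_DER), blob))
    print(check_authroot_entry("A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436", blob))
```

On a live host the same check runs against the exported Blob value of HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\<thumbprint>; a key whose name does not hash-match its own certificate, or whose certificate is not a known public root, is the case worth escalating.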

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe

"C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.htuzi.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:928 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 www.htuzi.com udp
N/A 47.91.134.74:443 www.htuzi.com tcp
N/A 8.8.8.8:53 bj.bcebos.com udp
N/A 103.235.46.61:443 bj.bcebos.com tcp
N/A 8.8.8.8:53 ocsp.digicert.cn udp
N/A 47.246.48.205:80 ocsp.digicert.cn tcp
N/A 8.8.8.8:53 image.suning.cn udp
N/A 101.226.26.244:443 image.suning.cn tcp
N/A 47.91.134.74:443 www.htuzi.com tcp
N/A 47.91.134.74:443 www.htuzi.com tcp
N/A 8.8.8.8:53 statuse.digitalcertvalidation.com udp
N/A 72.21.91.29:80 statuse.digitalcertvalidation.com tcp
N/A 72.21.91.29:80 statuse.digitalcertvalidation.com tcp
N/A 8.8.8.8:53 lib.baomitu.com udp
N/A 8.8.8.8:53 pv.sohu.com udp
N/A 8.8.8.8:53 sdk.51.la udp
N/A 47.91.134.74:443 www.htuzi.com tcp
N/A 47.91.134.74:443 www.htuzi.com tcp
N/A 47.91.134.74:443 www.htuzi.com tcp
N/A 47.91.134.74:443 www.htuzi.com tcp
N/A 8.8.8.8:53 img14.360buyimg.com udp
N/A 47.253.50.2:443 sdk.51.la tcp
N/A 47.253.50.2:443 sdk.51.la tcp
N/A 163.171.143.15:443 img14.360buyimg.com tcp
N/A 163.171.143.15:443 img14.360buyimg.com tcp
N/A 47.91.134.74:443 www.htuzi.com tcp
N/A 47.91.134.74:443 www.htuzi.com tcp
N/A 51.141.184.179:443 pv.sohu.com tcp
N/A 51.141.184.179:443 pv.sohu.com tcp
N/A 18.65.39.123:443 lib.baomitu.com tcp
N/A 18.65.39.123:443 lib.baomitu.com tcp
N/A 18.65.39.123:443 lib.baomitu.com tcp
N/A 18.65.39.123:443 lib.baomitu.com tcp
N/A 163.171.143.15:443 img14.360buyimg.com tcp
N/A 47.246.48.205:80 ocsp.digicert.cn tcp
N/A 47.246.48.205:80 ocsp.digicert.cn tcp
N/A 8.8.8.8:53 ocsp.crlocsp.cn udp
N/A 8.8.8.8:53 ocsp.crlocsp.cn udp
N/A 101.198.193.5:80 ocsp.crlocsp.cn tcp
N/A 101.198.193.5:80 ocsp.crlocsp.cn tcp
N/A 101.198.193.5:80 ocsp.crlocsp.cn tcp
N/A 101.198.193.5:80 ocsp.crlocsp.cn tcp
N/A 8.8.8.8:53 collect-v6.51.la udp
N/A 103.143.19.103:443 collect-v6.51.la tcp
N/A 8.8.8.8:53 tpc.googlesyndication.wiki udp
N/A 188.114.97.0:443 tpc.googlesyndication.wiki tcp
N/A 188.114.97.0:443 tpc.googlesyndication.wiki tcp
N/A 188.114.97.0:443 tpc.googlesyndication.wiki tcp
N/A 8.8.8.8:53 store.heytapimage.com udp
N/A 218.67.91.82:443 store.heytapimage.com tcp
N/A 218.67.91.82:443 store.heytapimage.com tcp
N/A 8.8.8.8:53 ocsp.dcocsp.cn udp
N/A 8.8.8.8:53 ocsp.dcocsp.cn udp
N/A 47.246.48.230:80 ocsp.dcocsp.cn tcp
N/A 47.246.48.230:80 ocsp.dcocsp.cn tcp
N/A 8.8.8.8:53 crl.crlocsp.cn udp
N/A 180.163.251.149:80 crl.crlocsp.cn tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1284-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

memory/1284-55-0x0000000000400000-0x00000000010A2000-memory.dmp

memory/1284-56-0x0000000000400000-0x00000000010A2000-memory.dmp

memory/1284-57-0x0000000000400000-0x00000000010A2000-memory.dmp

memory/1284-58-0x0000000000400000-0x00000000010A2000-memory.dmp

memory/1284-59-0x000000001006C000-0x00000000100AC000-memory.dmp

memory/1284-60-0x0000000000400000-0x00000000010A2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 057ffed45719f1bac328142ba1dd17f3
SHA1 cc3210366aae2b97007182f63404dd4c3b39e2b8
SHA256 bd8a18e49f3643190507433b5a6a2813fa0d5d9f9c8f47adfcd725a797e0b695
SHA512 99aac20354da966817029e14ab771852adc41c35b7d0353a1362247e9b9b50e2f926e6168f63dfe1c87aa05396302863f3e66eeb4e686fe7410cb0f5d05016dc

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

MD5 62166b418a0e12321acdeffb5cd8feda
SHA1 f765c50eaa692d18f3be172d4e8c977e80ef2ba6
SHA256 af61977e29c192c59af24e42d9bfda543e1d6e34b30fc8df0071fc86dcf7b6aa
SHA512 faf44782d3f483c3cfb7fdfaa22cbc424ddf192e7c85e3f84b918e35480647613ca941881093553819e76d6e2bb896b17aaeac4d8cda880033abb49a02a23c88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed1287c73284bc4411f68303f9bdd877
SHA1 e0c2d4f3ff8950817827631ade9daa9828d362fe
SHA256 4cda93962ea5ee3566f82b0ac57fefbba2ee1dda49bf4ea064af9f40d9094f99
SHA512 fffcd536cba1f716b552e1c4541c89dfe41da273e4b9bfea18c618fe35cd3ec53595f3bf9d83b15cbaf34cf3a29f68e23db5edea2c80d26f75fb4b3aa9b2451b

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-15 22:12

Reported

2022-11-15 22:14

Platform

win10v2004-20221111-en

Max time kernel

90s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

joker

infostealer trojan joker

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5036 set thread context of 4268 N/A C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe C:\Windows\SysWOW64\fontview.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe C:\Windows\SysWOW64\fontview.exe
PID 5036 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe C:\Windows\SysWOW64\fontview.exe
PID 5036 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe C:\Windows\SysWOW64\fontview.exe
PID 5036 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe C:\Windows\SysWOW64\fontview.exe
PID 5036 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe C:\Windows\SysWOW64\fontview.exe
PID 5036 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe C:\Windows\SysWOW64\fontview.exe
PID 5036 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe C:\Windows\SysWOW64\fontview.exe
PID 5036 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe C:\Windows\SysWOW64\fontview.exe
PID 5036 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe C:\Windows\SysWOW64\fontview.exe
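The two tables above describe one sequence: the sample (PID 5036) writes into a freshly started C:\Windows\SysWOW64\fontview.exe (PID 4268) nine times and then replaces one of its thread contexts, the WriteProcessMemory plus SetThreadContext pattern typical of process hollowing or thread hijacking into a signed system binary. The Files section below adds the detail that the sandbox repeatedly dumped 0x400000 to 0x503000 in PID 4268, the region the injected image occupies. The Python below is an added example written for this report, not sandbox or malware code: it parses rows in the flattened "PID <src> <verb> <dst> N/A <process> <target>" form shown here (a format assumption), correlates writes and context changes per source/target pair, and attaches the dumped target regions parsed from the memory dump names. The row and dump lists are constructed from this report's own values.

```python
import re
from collections import defaultdict

# Paths copied from the report; PIDs 5036 (sample) and 4268 (fontview.exe).
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe")
HOST_EXE = r"C:\Windows\SysWOW64\fontview.exe"

# Constructed input: the one SetThreadContext row and nine WriteProcessMemory
# rows from the behavioral2 signature tables.
SIGNATURE_ROWS = (
    [f"PID 5036 set thread context of 4268 N/A {SAMPLE_EXE} {HOST_EXE}"]
    + [f"PID 5036 wrote to memory of 4268 N/A {SAMPLE_EXE} {HOST_EXE}"] * 9
)

# Constructed input: memory dump names from the behavioral2 Files section.
DUMP_NAMES = [
    "memory/5036-133-0x0000000000400000-0x00000000010A2000-memory.dmp",
    "memory/5036-136-0x0000000010000000-0x00000000100BE000-memory.dmp",
    "memory/4268-141-0x0000000000000000-mapping.dmp",
    "memory/4268-142-0x0000000000400000-0x0000000000503000-memory.dmp",
    "memory/4268-147-0x0000000000400000-0x0000000000503000-memory.dmp",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) N/A (?P<proc>.+?\.exe) (?P<target>.+?\.exe)$",
    re.IGNORECASE,
)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_signature_rows(rows):
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised signature row: {row!r}")
        events.append({"src": int(m["src"]), "dst": int(m["dst"]),
                       "verb": m["verb"].lower(),
                       "proc": m["proc"], "target": m["target"]})
    return events


def parse_dump_regions(names):
    """pid -> sorted list of (start, end) regions the sandbox dumped.
    '-mapping.dmp' entries carry no address range and are skipped."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return {pid: sorted(r) for pid, r in regions.items()}


def find_injections(events, dump_names=()):
    """Group cross-process events per (src, dst) pair and classify the pair."""
    regions = parse_dump_regions(dump_names)
    pairs = {}
    for e in events:
        rec = pairs.setdefault((e["src"], e["dst"]),
                               {"writes": 0, "context_sets": 0,
                                "source": e["proc"], "target": e["target"]})
        rec["writes" if e["verb"] == "wrote to memory of" else "context_sets"] += 1
    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        # Writing into another process and then redirecting one of its threads
        # is the strong combination; either event alone is weaker evidence.
        if rec["writes"] and rec["context_sets"]:
            verdict = "write+setthreadcontext"
        elif rec["writes"]:
            verdict = "write-only"
        else:
            verdict = "context-only"
        findings.append({"src_pid": src, "dst_pid": dst, **rec, "verdict": verdict,
                         "target_regions": [f"0x{s:08X}-0x{e:08X}"
                                            for s, e in regions.get(dst, [])]})
    return findings


if __name__ == "__main__":
    for f in find_injections(parse_signature_rows(SIGNATURE_ROWS), DUMP_NAMES):
        print(f)
```

The region list is what to carve from the target process: here a single 0x103000-byte range at the SysWOW64 image base of fontview.exe, which is where the unpacked payload would be found rather than in the ASPack/UPX-packed sample on disk.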

Processes

C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe

"C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe"

C:\Windows\SysWOW64\fontview.exe

C:\Windows\SysWOW64\fontview.exe

Network

Country Destination Domain Proto
N/A 209.197.3.8:80 tcp
N/A 8.8.8.8:53 www.htuzi.com udp
N/A 47.91.134.74:443 www.htuzi.com tcp
N/A 8.8.8.8:53 bj.bcebos.com udp
N/A 103.235.46.61:443 bj.bcebos.com tcp
N/A 8.8.8.8:53 ocsp.digicert.cn udp
N/A 47.246.48.205:80 ocsp.digicert.cn tcp
N/A 8.8.8.8:53 image.suning.cn udp
N/A 180.163.40.34:443 image.suning.cn tcp
N/A 104.80.225.205:443 tcp
N/A 40.79.189.58:443 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 8.238.21.126:80 tcp
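The Network tables in behavioral1 and behavioral2 mix three kinds of row: DNS lookups (udp to 8.8.8.8:53, where the Domain column is the queried name), TCP connections with a resolved name, and, in this table only, TCP connections with no name at all (209.197.3.8:80, 104.80.225.205:443, 40.79.189.58:443, 8.238.21.126:80). For IOC extraction the direct-to-IP rows and the plaintext port-80 rows deserve a separate look from the browser-driven HTTPS noise. The Python below is an added example written for this report, not sandbox output: it parses rows in the flattened "Country Destination Domain Proto" form used by both tables (a format assumption; a three-field row is treated as a connection with no resolved name) and summarises per-domain endpoints, direct-IP connections, names that were resolved but never connected to, and names connected to without a preceding lookup. NETWORK_ROWS is a constructed subset of the rows above.

```python
from collections import defaultdict

# Constructed input: a subset of rows from the two Network tables.
NETWORK_ROWS = """\
Country Destination Domain Proto
N/A 209.197.3.8:80 tcp
N/A 8.8.8.8:53 www.htuzi.com udp
N/A 47.91.134.74:443 www.htuzi.com tcp
N/A 8.8.8.8:53 ocsp.digicert.cn udp
N/A 47.246.48.205:80 ocsp.digicert.cn tcp
N/A 47.91.134.74:443 www.htuzi.com tcp
N/A 8.8.8.8:53 sdk.51.la udp
N/A 104.80.225.205:443 tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 209.197.3.8:80 tcp
"""


def parse_network_rows(text):
    """Split the flattened table into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() == "country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # no resolved name for this connection
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": None if country == "N/A" else country,
                     "ip": ip, "port": int(port), "domain": domain,
                     "proto": proto.lower()})
    return rows


def summarize(rows):
    domains = defaultdict(lambda: {"queried": 0, "connections": 0,
                                   "endpoints": set(), "plaintext": False})
    direct = defaultdict(int)
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            # DNS lookup: record that the name was resolved, not a connection.
            domains[r["domain"] or "<unknown>"]["queried"] += 1
            continue
        ep = f"{r['ip']}:{r['port']}"
        if r["domain"] is None:
            direct[ep] += 1             # hard-coded or pre-resolved endpoint
            continue
        d = domains[r["domain"]]
        d["connections"] += 1
        d["endpoints"].add(ep)
        if r["port"] == 80:
            d["plaintext"] = True       # unencrypted, inspectable in pcap
    return {
        "domains": {k: {**v, "endpoints": sorted(v["endpoints"])}
                    for k, v in sorted(domains.items())},
        "direct_ip": dict(sorted(direct.items())),
        "resolved_only": sorted(k for k, v in domains.items()
                                if v["queried"] and not v["connections"]),
        "unresolved_connections": sorted(k for k, v in domains.items()
                                         if v["connections"] and not v["queried"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_network_rows(NETWORK_ROWS)), indent=2))
```

Names in "unresolved_connections" (ieonline.microsoft.com here) usually mean the sandbox resolved them outside the captured window or from cache; the "direct_ip" list is the part to pivot on, since those endpoints are not explained by any page the browser loaded.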

Files

memory/5036-133-0x0000000000400000-0x00000000010A2000-memory.dmp

memory/5036-132-0x0000000000400000-0x00000000010A2000-memory.dmp

memory/5036-134-0x0000000000400000-0x00000000010A2000-memory.dmp

memory/5036-135-0x0000000000400000-0x00000000010A2000-memory.dmp

memory/5036-136-0x0000000010000000-0x00000000100BE000-memory.dmp

memory/5036-140-0x0000000010000000-0x00000000100BE000-memory.dmp

memory/5036-139-0x0000000010000000-0x00000000100BE000-memory.dmp

memory/4268-141-0x0000000000000000-mapping.dmp

memory/4268-142-0x0000000000400000-0x0000000000503000-memory.dmp

memory/4268-143-0x0000000000400000-0x0000000000503000-memory.dmp

memory/4268-144-0x0000000000400000-0x0000000000503000-memory.dmp

memory/4268-145-0x0000000000400000-0x0000000000503000-memory.dmp

memory/4268-147-0x0000000000400000-0x0000000000503000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5036_update\7z.7z

MD5 bbff4f98fe176335df3a0d98e9a1f5f3
SHA1 88c0eb3ce20c013d5a22445b3a37d67a74d727cd
SHA256 87d2d4d94ea048792b0a05e126feacca9bb7902d857ed4dd30d6b5fe05df230b
SHA512 a454e9739ce9949bce41933aced118164820df02d6d28cd6fabc774bbc6e6ce63e8f46a2b2063a1740f2b9b834642261a1764e2afe4265b4eb6d98ed76cb5728

C:\Users\Admin\AppData\Local\Temp\5036_update\data.ini

MD5 af4d7d9e29e2dbbfbb5251b5e4bf81e6
SHA1 21cb7480e8d126c7aec17254c1ed5e81775d5565
SHA256 998ab36245f6efbe322ca6269ce446040a88b1e65e3f32217b251702ca9bec1f
SHA512 8a461991469aa1096572613ea6796127ed23136aaa2eabcef311b0ce5d7b666cd0362bca6f966236dfd151029b62aea9b30e4c95902d18a8f3cf6f17103763dd

C:\EasySkin.ini

MD5 78d89536fa344a82364f1dda81d78f3a
SHA1 e866b4f7713f3b6718c2b4b836937c8b35ff7c31
SHA256 32c064c7c56cae4ea4ee32cf8ee2f110f2f715ed064c28c1a5e5b4b384439fa5
SHA512 2a04d9ea26e8617c60f5af189f2fce74baf151bb414390aa617adf140bce277d492764dc7a34671d0a09c61edebbd0b9f8d3ce591a2d6d54f66495f53cce6d58

memory/5036-151-0x0000000000400000-0x00000000010A2000-memory.dmp