blackmoon | c7a6d9c03343f882bf58d13a6a79db731c6eedabe67cb4a78d08e66b4971498a

Resubmissions

16-04-2023 17:34

230416-v5hkcsce3x 10

16-04-2023 17:26

230416-vzvbzaag27 10

Analysis

max time kernel
141s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16-04-2023 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

大航科技全球实体卡-虚拟卡接码PC端口/大航科技全球实体卡-虚拟卡接码PC端口.exe
Size

2.6MB
MD5

9f339063dbe562051732472b0f73c12d
SHA1

2ac2940992ad9cee88092e18566c82f6b6c114b1
SHA256

7955c98c1bd693e24c92833f2186d58dd0c5fad231a8f27572bac5aeb2793674
SHA512

06d44b0cdc4b62536a61d4cae7e9b96a435e13907890b1b423d64e9b2c68cf6dd342eefa3af1601018508353c837d35d2a28f1d29306f990b32367f63e09c7ab
SSDEEP

49152:MC8ie3CGb7SCEns4SdqyTZ0Z3dMZG0+RQnwyiAKP1HrlF0OS20wlR+BkpT:e3+P2wyiAA0OSylRMkp

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\D1Softwaredata\Plugins\qvlnk.dll	family_blackmoon
\Users\Admin\AppData\Roaming\D1Softwaredata\plugins\qvlnk.dll	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll	acprotect
\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll	acprotect
\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll	acprotect

Executes dropped EXE 3 IoCs

Processes:

netbri.exeD1Bin.exerepair.exe

pid process

992 netbri.exe
4236 D1Bin.exe
2124 repair.exe
Loads dropped DLL 5 IoCs

Processes:

netbri.exe

pid process

992 netbri.exe
992 netbri.exe
992 netbri.exe
992 netbri.exe
992 netbri.exe

pid	process
992	netbri.exe
4236	D1Bin.exe
2124	repair.exe

pid	process
992	netbri.exe
992	netbri.exe
992	netbri.exe
992	netbri.exe
992	netbri.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll	upx
\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll	upx
\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll	upx
behavioral10/memory/992-146-0x0000000002A00000-0x0000000002B65000-memory.dmp	upx
behavioral10/memory/992-160-0x0000000002A00000-0x0000000002B65000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

D1Bin.exe

pid process

4236 D1Bin.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

D1Bin.exe

description pid process

Token: SeDebugPrivilege 4236 D1Bin.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

大航科技全球实体卡-虚拟卡接码PC端口.exenetbri.exerepair.exe

pid process

4148 大航科技全球实体卡-虚拟卡接码PC端口.exe
992 netbri.exe
992 netbri.exe
2124 repair.exe
2124 repair.exe

pid	process
4236	D1Bin.exe

description	pid	process
Token: SeDebugPrivilege	4236	D1Bin.exe

pid	process
4148	大航科技全球实体卡-虚拟卡接码PC端口.exe
992	netbri.exe
992	netbri.exe
2124	repair.exe
2124	repair.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

大航科技全球实体卡-虚拟卡接码PC端口.exe

description	pid	process	target process
PID 4148 wrote to memory of 992	4148	大航科技全球实体卡-虚拟卡接码PC端口.exe	netbri.exe
PID 4148 wrote to memory of 992	4148	大航科技全球实体卡-虚拟卡接码PC端口.exe	netbri.exe
PID 4148 wrote to memory of 992	4148	大航科技全球实体卡-虚拟卡接码PC端口.exe	netbri.exe
PID 4148 wrote to memory of 4236	4148	大航科技全球实体卡-虚拟卡接码PC端口.exe	D1Bin.exe
PID 4148 wrote to memory of 4236	4148	大航科技全球实体卡-虚拟卡接码PC端口.exe	D1Bin.exe
PID 4148 wrote to memory of 2124	4148	大航科技全球实体卡-虚拟卡接码PC端口.exe	repair.exe
PID 4148 wrote to memory of 2124	4148	大航科技全球实体卡-虚拟卡接码PC端口.exe	repair.exe
PID 4148 wrote to memory of 2124	4148	大航科技全球实体卡-虚拟卡接码PC端口.exe	repair.exe

C:\Users\Admin\AppData\Local\Temp\大航科技全球实体卡-虚拟卡接码PC端口\大航科技全球实体卡-虚拟卡接码PC端口.exe
"C:\Users\Admin\AppData\Local\Temp\大航科技全球实体卡-虚拟卡接码PC端口\大航科技全球实体卡-虚拟卡接码PC端口.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4148

C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe
C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:992

C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1Bin.exe
C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1Bin.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exe
C:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exe -Ho9LN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1Bin.exe
Filesize
1.9MB

MD5
a0acc3b2c25d5a9d6994f013142159e7

SHA1
6d992746c197976b9df65a5ac8fbe74a4401d9bd

SHA256
0a14a43b4acb0785d6cdedd9d659caf469392c42f9dc3cb7891e8329c2957ff0

SHA512
bb5d3e73cee108af3d16c41bfd0c503e78fff1fcc2c3131960dc68e462c6bd9c243917b2c935f7a25a1e5802b63f7c71e7cc036811ef8b90353fa83df4446042

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1bin.exe
Filesize
1.9MB

MD5
a0acc3b2c25d5a9d6994f013142159e7

SHA1
6d992746c197976b9df65a5ac8fbe74a4401d9bd

SHA256
0a14a43b4acb0785d6cdedd9d659caf469392c42f9dc3cb7891e8329c2957ff0

SHA512
bb5d3e73cee108af3d16c41bfd0c503e78fff1fcc2c3131960dc68e462c6bd9c243917b2c935f7a25a1e5802b63f7c71e7cc036811ef8b90353fa83df4446042

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\HPSocket4C.dll
Filesize
2.1MB

MD5
c83247fac0840125db662eb3e27ac6a3

SHA1
6d7a24b3d1c10516232a6f3ac4aed8d69da56568

SHA256
2dc7b369e5e3d8c828e2fe947e79df7d4ed60cdb1a004e8e94bf2bf38698cdb2

SHA512
f3359e7ddd3fceeb442ba0b847ac9f744f9df01f02e0cda20078d4ad0af404a53e6151f8d908ad54f0c7d3469769d39c833f34d448f6b9c566a4f413ef41a50f

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\Plugins\qvlnk.dll
Filesize
492KB

MD5
001db37c243710301a862d8dd8a025e0

SHA1
7e4fc33b58dae290861712e4194e855923ebde1a

SHA256
5e6c4b35329f48fcf8fb7ec5dc13d6a4f41c8d58da1849ec5a761b4af86fbbeb

SHA512
7edee439741daa58e6fc108e28b177f2ac87fc8492dec52f4392df095c187ddd1bace043cdc0a2c0b8c9ddb8f86e7add2f8f822f53c5e25b758b69894f576a16

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\VCRUNTIME140.dll
Filesize
82KB

MD5
d0520569180accd7e17ed9697711d6ec

SHA1
46cb7e2db7efda70b9a5b75b2fe0bb6038499008

SHA256
13026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c

SHA512
86e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\config.ini
Filesize
124B

MD5
b64fc228d1274b2b2f18018d6a150bcd

SHA1
23de51df30878e1bd3f6a5774db5dbae11dde02a

SHA256
60b991a4bfc69ac231d6887fa35edd417b192b29a31ec268a83e5aa0239bc63b

SHA512
8089ab152eddaa105fdf3a6e61c3e9fab8ff39aab8a1bbfcb818067657bcd2a7ae80a4b50a62bbf8f5986ba76f3ff5fd0b54f0f62ce6f38f3c7668f7bdb36081

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\config.ini
Filesize
124B

MD5
b64fc228d1274b2b2f18018d6a150bcd

SHA1
23de51df30878e1bd3f6a5774db5dbae11dde02a

SHA256
60b991a4bfc69ac231d6887fa35edd417b192b29a31ec268a83e5aa0239bc63b

SHA512
8089ab152eddaa105fdf3a6e61c3e9fab8ff39aab8a1bbfcb818067657bcd2a7ae80a4b50a62bbf8f5986ba76f3ff5fd0b54f0f62ce6f38f3c7668f7bdb36081

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll
Filesize
421KB

MD5
8e5dc64def28aee0032ed0c878127c39

SHA1
ad9685100b71f0fd4f2b3d65f62894beba1937de

SHA256
c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a

SHA512
a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\encode.dat
Filesize
3.9MB

MD5
013d85cf626e32fbc89daa124e10f7f0

SHA1
b3722239f268ee9a6d3408193081633daac6b05b

SHA256
74a5437c4f76f6d88628afc8dfbe7bbd6c2fd6f846cf957ea6262156eb76163c

SHA512
952c317ee5e54c2f55ec646cd1d7241f7a4270eccb8d53fdc6cd99963486bcedb9d66f46c099086de12872e95a515922f4bfc47294e6d58e202a425ef42c538a

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe
Filesize
314KB

MD5
dfee4c679663ffb566a7150bbc1768c7

SHA1
8f8144d26b141d097df742e4ef4d5c85bba685a3

SHA256
f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a

SHA512
23ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe
Filesize
314KB

MD5
dfee4c679663ffb566a7150bbc1768c7

SHA1
8f8144d26b141d097df742e4ef4d5c85bba685a3

SHA256
f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a

SHA512
23ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exe
Filesize
792KB

MD5
5ce000758e1b8fb5d2cab78003245ac1

SHA1
4ff5a6bbee58e63c100bac6130ee22eb740bed09

SHA256
483a0c0f6dfc0f54f972aefc4a6c9d7345b795be913f98283fecfeb3dda9126e

SHA512
228625ef8692c8be41294de551dc6fd38afb5d2f68860762984ea78bd2a3df43ceea32966a827173118abb507c9e0ffe4689c992b216bcf60d6f774b0d4a4748

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exe
Filesize
792KB

MD5
5ce000758e1b8fb5d2cab78003245ac1

SHA1
4ff5a6bbee58e63c100bac6130ee22eb740bed09

SHA256
483a0c0f6dfc0f54f972aefc4a6c9d7345b795be913f98283fecfeb3dda9126e

SHA512
228625ef8692c8be41294de551dc6fd38afb5d2f68860762984ea78bd2a3df43ceea32966a827173118abb507c9e0ffe4689c992b216bcf60d6f774b0d4a4748

Download Submit
\Users\Admin\AppData\Roaming\D1Softwaredata\HPSocket4C.dll
Filesize
2.1MB

MD5
c83247fac0840125db662eb3e27ac6a3

SHA1
6d7a24b3d1c10516232a6f3ac4aed8d69da56568

SHA256
2dc7b369e5e3d8c828e2fe947e79df7d4ed60cdb1a004e8e94bf2bf38698cdb2

SHA512
f3359e7ddd3fceeb442ba0b847ac9f744f9df01f02e0cda20078d4ad0af404a53e6151f8d908ad54f0c7d3469769d39c833f34d448f6b9c566a4f413ef41a50f

Download Submit
\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll
Filesize
421KB

MD5
8e5dc64def28aee0032ed0c878127c39

SHA1
ad9685100b71f0fd4f2b3d65f62894beba1937de

SHA256
c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a

SHA512
a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8

Download Submit
\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll
Filesize
421KB

MD5
8e5dc64def28aee0032ed0c878127c39

SHA1
ad9685100b71f0fd4f2b3d65f62894beba1937de

SHA256
c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a

SHA512
a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8

Download Submit
\Users\Admin\AppData\Roaming\D1Softwaredata\plugins\qvlnk.dll
Filesize
492KB

MD5
001db37c243710301a862d8dd8a025e0

SHA1
7e4fc33b58dae290861712e4194e855923ebde1a

SHA256
5e6c4b35329f48fcf8fb7ec5dc13d6a4f41c8d58da1849ec5a761b4af86fbbeb

SHA512
7edee439741daa58e6fc108e28b177f2ac87fc8492dec52f4392df095c187ddd1bace043cdc0a2c0b8c9ddb8f86e7add2f8f822f53c5e25b758b69894f576a16

Download Submit
\Users\Admin\AppData\Roaming\D1Softwaredata\vcruntime140.dll
Filesize
82KB

MD5
d0520569180accd7e17ed9697711d6ec

SHA1
46cb7e2db7efda70b9a5b75b2fe0bb6038499008

SHA256
13026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c

SHA512
86e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034

Download Submit
memory/992-146-0x0000000002A00000-0x0000000002B65000-memory.dmp

Filesize
1.4MB

Download
memory/992-157-0x00000000042F0000-0x00000000047F5000-memory.dmp

Filesize
5.0MB

Download
memory/992-158-0x0000000002420000-0x0000000002447000-memory.dmp

Filesize
156KB

Download
memory/992-160-0x0000000002A00000-0x0000000002B65000-memory.dmp

Filesize
1.4MB

Download
memory/4236-144-0x0000022691750000-0x0000022691932000-memory.dmp

Filesize
1.9MB

Download
memory/4236-156-0x00000226ABFF0000-0x00000226AC000000-memory.dmp

Filesize
64KB

Download
memory/4236-159-0x00000226ABFF0000-0x00000226AC000000-memory.dmp

Filesize
64KB

Download
memory/4236-161-0x00000226ABFF0000-0x00000226AC000000-memory.dmp

Filesize
64KB

Download
memory/4236-162-0x00000226ABFF0000-0x00000226AC000000-memory.dmp

Filesize
64KB

Download