blackmoon | c7a6d9c03343f882bf58d13a6a79db731c6eedabe67cb4a78d08e66b4971498a

Resubmissions

16-04-2023 17:34

230416-v5hkcsce3x 10

16-04-2023 17:26

230416-vzvbzaag27 10

Analysis

max time kernel
141s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16-04-2023 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

大航全球实体卡-虚拟卡接码电脑端口/大航全球实体卡-虚拟卡接码电脑端口.exe
Size

2.6MB
MD5

9f339063dbe562051732472b0f73c12d
SHA1

2ac2940992ad9cee88092e18566c82f6b6c114b1
SHA256

7955c98c1bd693e24c92833f2186d58dd0c5fad231a8f27572bac5aeb2793674
SHA512

06d44b0cdc4b62536a61d4cae7e9b96a435e13907890b1b423d64e9b2c68cf6dd342eefa3af1601018508353c837d35d2a28f1d29306f990b32367f63e09c7ab
SSDEEP

49152:MC8ie3CGb7SCEns4SdqyTZ0Z3dMZG0+RQnwyiAKP1HrlF0OS20wlR+BkpT:e3+P2wyiAA0OSylRMkp

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\D1Softwaredata\Plugins\qvlnk.dll	family_blackmoon
\Users\Admin\AppData\Roaming\D1Softwaredata\plugins\qvlnk.dll	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll	acprotect
\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll	acprotect
\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll	acprotect

Executes dropped EXE 3 IoCs

Processes:

netbri.exeD1Bin.exerepair.exe

pid process

4128 netbri.exe
304 D1Bin.exe
372 repair.exe
Loads dropped DLL 5 IoCs

Processes:

netbri.exe

pid process

4128 netbri.exe
4128 netbri.exe
4128 netbri.exe
4128 netbri.exe
4128 netbri.exe

pid	process
4128	netbri.exe
304	D1Bin.exe
372	repair.exe

pid	process
4128	netbri.exe
4128	netbri.exe
4128	netbri.exe
4128	netbri.exe
4128	netbri.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll	upx
\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll	upx
\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll	upx
behavioral4/memory/4128-149-0x00000000028D0000-0x0000000002A35000-memory.dmp	upx
behavioral4/memory/4128-155-0x00000000028D0000-0x0000000002A35000-memory.dmp	upx
behavioral4/memory/4128-164-0x00000000028D0000-0x0000000002A35000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

D1Bin.exe

pid process

304 D1Bin.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

D1Bin.exe

description pid process

Token: SeDebugPrivilege 304 D1Bin.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

大航全球实体卡-虚拟卡接码电脑端口.exenetbri.exerepair.exe

pid process

4104 大航全球实体卡-虚拟卡接码电脑端口.exe
4128 netbri.exe
4128 netbri.exe
372 repair.exe
372 repair.exe

pid	process
304	D1Bin.exe

description	pid	process
Token: SeDebugPrivilege	304	D1Bin.exe

pid	process
4104	大航全球实体卡-虚拟卡接码电脑端口.exe
4128	netbri.exe
4128	netbri.exe
372	repair.exe
372	repair.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

大航全球实体卡-虚拟卡接码电脑端口.exe

description	pid	process	target process
PID 4104 wrote to memory of 4128	4104	大航全球实体卡-虚拟卡接码电脑端口.exe	netbri.exe
PID 4104 wrote to memory of 4128	4104	大航全球实体卡-虚拟卡接码电脑端口.exe	netbri.exe
PID 4104 wrote to memory of 4128	4104	大航全球实体卡-虚拟卡接码电脑端口.exe	netbri.exe
PID 4104 wrote to memory of 304	4104	大航全球实体卡-虚拟卡接码电脑端口.exe	D1Bin.exe
PID 4104 wrote to memory of 304	4104	大航全球实体卡-虚拟卡接码电脑端口.exe	D1Bin.exe
PID 4104 wrote to memory of 372	4104	大航全球实体卡-虚拟卡接码电脑端口.exe	repair.exe
PID 4104 wrote to memory of 372	4104	大航全球实体卡-虚拟卡接码电脑端口.exe	repair.exe
PID 4104 wrote to memory of 372	4104	大航全球实体卡-虚拟卡接码电脑端口.exe	repair.exe

C:\Users\Admin\AppData\Local\Temp\大航全球实体卡-虚拟卡接码电脑端口\大航全球实体卡-虚拟卡接码电脑端口.exe
"C:\Users\Admin\AppData\Local\Temp\大航全球实体卡-虚拟卡接码电脑端口\大航全球实体卡-虚拟卡接码电脑端口.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4104

C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe
C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4128

C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1Bin.exe
C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1Bin.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exe
C:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exe -Ho9LN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1Bin.exe
Filesize
1.9MB

MD5
a0acc3b2c25d5a9d6994f013142159e7

SHA1
6d992746c197976b9df65a5ac8fbe74a4401d9bd

SHA256
0a14a43b4acb0785d6cdedd9d659caf469392c42f9dc3cb7891e8329c2957ff0

SHA512
bb5d3e73cee108af3d16c41bfd0c503e78fff1fcc2c3131960dc68e462c6bd9c243917b2c935f7a25a1e5802b63f7c71e7cc036811ef8b90353fa83df4446042

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1bin.exe
Filesize
1.9MB

MD5
a0acc3b2c25d5a9d6994f013142159e7

SHA1
6d992746c197976b9df65a5ac8fbe74a4401d9bd

SHA256
0a14a43b4acb0785d6cdedd9d659caf469392c42f9dc3cb7891e8329c2957ff0

SHA512
bb5d3e73cee108af3d16c41bfd0c503e78fff1fcc2c3131960dc68e462c6bd9c243917b2c935f7a25a1e5802b63f7c71e7cc036811ef8b90353fa83df4446042

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\HPSocket4C.dll
Filesize
2.1MB

MD5
c83247fac0840125db662eb3e27ac6a3

SHA1
6d7a24b3d1c10516232a6f3ac4aed8d69da56568

SHA256
2dc7b369e5e3d8c828e2fe947e79df7d4ed60cdb1a004e8e94bf2bf38698cdb2

SHA512
f3359e7ddd3fceeb442ba0b847ac9f744f9df01f02e0cda20078d4ad0af404a53e6151f8d908ad54f0c7d3469769d39c833f34d448f6b9c566a4f413ef41a50f

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\Plugins\qvlnk.dll
Filesize
492KB

MD5
001db37c243710301a862d8dd8a025e0

SHA1
7e4fc33b58dae290861712e4194e855923ebde1a

SHA256
5e6c4b35329f48fcf8fb7ec5dc13d6a4f41c8d58da1849ec5a761b4af86fbbeb

SHA512
7edee439741daa58e6fc108e28b177f2ac87fc8492dec52f4392df095c187ddd1bace043cdc0a2c0b8c9ddb8f86e7add2f8f822f53c5e25b758b69894f576a16

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\VCRUNTIME140.dll
Filesize
82KB

MD5
d0520569180accd7e17ed9697711d6ec

SHA1
46cb7e2db7efda70b9a5b75b2fe0bb6038499008

SHA256
13026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c

SHA512
86e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\config.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\config.ini
Filesize
124B

MD5
375a945235aeaa8f51368b44523df3b8

SHA1
33303ad5e9fdb8098356059894ea0483aa8c6ad2

SHA256
a086dc0a15b3013aa8cd2f9faae1ed11750116c3e5102dade68ad0586edfe840

SHA512
8d7235c8beb21e6f3c0b84a38c968dcdfe342487e38214c6a20745b66f18b75f6234bdb04f0ecd82a26ecc98e6ab634f6d3c7f76c0e3faed2f2c567b2a6e31e1

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll
Filesize
421KB

MD5
8e5dc64def28aee0032ed0c878127c39

SHA1
ad9685100b71f0fd4f2b3d65f62894beba1937de

SHA256
c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a

SHA512
a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\encode.dat
Filesize
3.9MB

MD5
013d85cf626e32fbc89daa124e10f7f0

SHA1
b3722239f268ee9a6d3408193081633daac6b05b

SHA256
74a5437c4f76f6d88628afc8dfbe7bbd6c2fd6f846cf957ea6262156eb76163c

SHA512
952c317ee5e54c2f55ec646cd1d7241f7a4270eccb8d53fdc6cd99963486bcedb9d66f46c099086de12872e95a515922f4bfc47294e6d58e202a425ef42c538a

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe
Filesize
314KB

MD5
dfee4c679663ffb566a7150bbc1768c7

SHA1
8f8144d26b141d097df742e4ef4d5c85bba685a3

SHA256
f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a

SHA512
23ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe
Filesize
314KB

MD5
dfee4c679663ffb566a7150bbc1768c7

SHA1
8f8144d26b141d097df742e4ef4d5c85bba685a3

SHA256
f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a

SHA512
23ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exe
Filesize
792KB

MD5
5ce000758e1b8fb5d2cab78003245ac1

SHA1
4ff5a6bbee58e63c100bac6130ee22eb740bed09

SHA256
483a0c0f6dfc0f54f972aefc4a6c9d7345b795be913f98283fecfeb3dda9126e

SHA512
228625ef8692c8be41294de551dc6fd38afb5d2f68860762984ea78bd2a3df43ceea32966a827173118abb507c9e0ffe4689c992b216bcf60d6f774b0d4a4748

Download Submit
C:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exe
Filesize
792KB

MD5
5ce000758e1b8fb5d2cab78003245ac1

SHA1
4ff5a6bbee58e63c100bac6130ee22eb740bed09

SHA256
483a0c0f6dfc0f54f972aefc4a6c9d7345b795be913f98283fecfeb3dda9126e

SHA512
228625ef8692c8be41294de551dc6fd38afb5d2f68860762984ea78bd2a3df43ceea32966a827173118abb507c9e0ffe4689c992b216bcf60d6f774b0d4a4748

Download Submit
\Users\Admin\AppData\Roaming\D1Softwaredata\HPSocket4C.dll
Filesize
2.1MB

MD5
c83247fac0840125db662eb3e27ac6a3

SHA1
6d7a24b3d1c10516232a6f3ac4aed8d69da56568

SHA256
2dc7b369e5e3d8c828e2fe947e79df7d4ed60cdb1a004e8e94bf2bf38698cdb2

SHA512
f3359e7ddd3fceeb442ba0b847ac9f744f9df01f02e0cda20078d4ad0af404a53e6151f8d908ad54f0c7d3469769d39c833f34d448f6b9c566a4f413ef41a50f

Download Submit
\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll
Filesize
421KB

MD5
8e5dc64def28aee0032ed0c878127c39

SHA1
ad9685100b71f0fd4f2b3d65f62894beba1937de

SHA256
c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a

SHA512
a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8

Download Submit
\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll
Filesize
421KB

MD5
8e5dc64def28aee0032ed0c878127c39

SHA1
ad9685100b71f0fd4f2b3d65f62894beba1937de

SHA256
c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a

SHA512
a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8

Download Submit
\Users\Admin\AppData\Roaming\D1Softwaredata\plugins\qvlnk.dll
Filesize
492KB

MD5
001db37c243710301a862d8dd8a025e0

SHA1
7e4fc33b58dae290861712e4194e855923ebde1a

SHA256
5e6c4b35329f48fcf8fb7ec5dc13d6a4f41c8d58da1849ec5a761b4af86fbbeb

SHA512
7edee439741daa58e6fc108e28b177f2ac87fc8492dec52f4392df095c187ddd1bace043cdc0a2c0b8c9ddb8f86e7add2f8f822f53c5e25b758b69894f576a16

Download Submit
\Users\Admin\AppData\Roaming\D1Softwaredata\vcruntime140.dll
Filesize
82KB

MD5
d0520569180accd7e17ed9697711d6ec

SHA1
46cb7e2db7efda70b9a5b75b2fe0bb6038499008

SHA256
13026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c

SHA512
86e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034

Download Submit
memory/304-160-0x0000025A3B0D0000-0x0000025A3B0E0000-memory.dmp

Filesize
64KB

Download
memory/304-147-0x0000025A20940000-0x0000025A20B22000-memory.dmp

Filesize
1.9MB

Download
memory/304-163-0x0000025A3B0D0000-0x0000025A3B0E0000-memory.dmp

Filesize
64KB

Download
memory/304-165-0x0000025A3B0D0000-0x0000025A3B0E0000-memory.dmp

Filesize
64KB

Download
memory/304-166-0x0000025A3B0D0000-0x0000025A3B0E0000-memory.dmp

Filesize
64KB

Download
memory/4128-155-0x00000000028D0000-0x0000000002A35000-memory.dmp

Filesize
1.4MB

Download
memory/4128-149-0x00000000028D0000-0x0000000002A35000-memory.dmp

Filesize
1.4MB

Download
memory/4128-161-0x0000000003360000-0x0000000003387000-memory.dmp

Filesize
156KB

Download
memory/4128-162-0x00000000042E0000-0x00000000047E5000-memory.dmp

Filesize
5.0MB

Download
memory/4128-164-0x00000000028D0000-0x0000000002A35000-memory.dmp

Filesize
1.4MB

Download