blackmoon | cc86d62510abdeea2b7162d0e1db859a6be677e3585099678f3d9d8683df81aa

General

Target

邮箱升级补丁.exe
Size

532KB
MD5

01edc3a3885e09d53064331159173217
SHA1

6dfbc89921b6f73aea6a71f367173dc284c2ab6d
SHA256

cc86d62510abdeea2b7162d0e1db859a6be677e3585099678f3d9d8683df81aa
SHA512

879e53c271dbcffd28ad0e227c9e2ed1cf6a4b3ad915a46ef5460b298415db64068d9001743965e9511e398040187f29ed8e0dbec94440547365876764bd64cc
SSDEEP

3072:QkvZbBLzNa6haoKpaagaNSTtu1xF0DN+ew3q6IL99pGU2PlwFaEFkVUX:QkvZbBLzNa6I5xNSYxuN+e7xSlQS+

Score

10^/10

blackmoon gh0strat banker persistence rat trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/100-147-0x00000000035A0000-0x00000000035D9000-memory.dmp	family_blackmoon
behavioral2/memory/100-148-0x00000000035A0000-0x00000000035D9000-memory.dmp	family_blackmoon
behavioral2/memory/100-151-0x00000000035A0000-0x00000000035D9000-memory.dmp	family_blackmoon
behavioral2/memory/100-173-0x0000000003740000-0x000000000378B000-memory.dmp	family_blackmoon
behavioral2/memory/100-193-0x0000000003740000-0x000000000378B000-memory.dmp	family_blackmoon
behavioral2/memory/100-194-0x0000000003740000-0x000000000378B000-memory.dmp	family_blackmoon
behavioral2/memory/100-199-0x00000000035A0000-0x00000000035D9000-memory.dmp	family_blackmoon

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/100-181-0x0000000010000000-0x0000000010003000-memory.dmp	family_gh0strat
behavioral2/memory/100-180-0x0000000010001000-0x000000001000F000-memory.dmp	family_gh0strat
behavioral2/memory/100-182-0x0000000010000000-0x0000000010017000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Loads dropped DLL 3 IoCs

Processes:

邮箱升级补丁.exe

pid process

100 邮箱升级补丁.exe
100 邮箱升级补丁.exe
100 邮箱升级补丁.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

邮箱升级补丁.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	邮箱升级补丁.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdatem = "C:\\Users\\Public\\Documents\\Applicationrpsen.exe"	邮箱升级补丁.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

邮箱升级补丁.exetaskmgr.exe

pid	process
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
100	邮箱升级补丁.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3212 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

taskmgr.exe邮箱升级补丁.exe

description	pid	process
Token: SeDebugPrivilege	3212	taskmgr.exe
Token: SeSystemProfilePrivilege	3212	taskmgr.exe
Token: SeCreateGlobalPrivilege	3212	taskmgr.exe
Token: 33	100	邮箱升级补丁.exe
Token: SeIncBasePriorityPrivilege	100	邮箱升级补丁.exe
Token: 33	100	邮箱升级补丁.exe
Token: SeIncBasePriorityPrivilege	100	邮箱升级补丁.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe
3212	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

邮箱升级补丁.exe

pid process

100 邮箱升级补丁.exe
100 邮箱升级补丁.exe
100 邮箱升级补丁.exe
100 邮箱升级补丁.exe
100 邮箱升级补丁.exe

C:\Users\Admin\AppData\Local\Temp\邮箱升级补丁.exe
"C:\Users\Admin\AppData\Local\Temp\邮箱升级补丁.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:100

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\grty.dll

Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
C:\Users\Public\Documents\saty.dll

Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
C:\Users\Public\Documents\saty2.dll

Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
C:\Users\Public\Documents\saty2.dll

Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
C:\Users\Public\Documents\sjsw.log

Filesize
172B

MD5
e16a3505366aa1ef004814b9af7defa0

SHA1
1c0bc113ba289163aa9bd8bba0063518cd0a7982

SHA256
4247b7404f01a9ef859aaf9279794ac2cd7c9de07fc3f02f7e24fc92886978b0

SHA512
adb6a83b13eaeccf10dbf046712feb88e604982694a3fc0370558509e0543a4955d869798fd851b615345919317c9e31f09cb63ce75576cb03e14f5cce15ffca

Download Submit
memory/100-181-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/100-182-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/100-147-0x00000000035A0000-0x00000000035D9000-memory.dmp

Filesize
228KB

Download
memory/100-140-0x0000000002A50000-0x0000000002A53000-memory.dmp

Filesize
12KB

Download
memory/100-151-0x00000000035A0000-0x00000000035D9000-memory.dmp

Filesize
228KB

Download
memory/100-152-0x00000000035E0000-0x00000000035E3000-memory.dmp

Filesize
12KB

Download
memory/100-139-0x0000000002D10000-0x0000000002D3B000-memory.dmp

Filesize
172KB

Download
memory/100-138-0x0000000002D10000-0x0000000002D3B000-memory.dmp

Filesize
172KB

Download
memory/100-173-0x0000000003740000-0x000000000378B000-memory.dmp

Filesize
300KB

Download
memory/100-175-0x0000000004120000-0x000000000420C000-memory.dmp

Filesize
944KB

Download
memory/100-176-0x0000000004120000-0x000000000420C000-memory.dmp

Filesize
944KB

Download
memory/100-177-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/100-178-0x0000000004120000-0x000000000420C000-memory.dmp

Filesize
944KB

Download
memory/100-137-0x0000000002D10000-0x0000000002D3B000-memory.dmp

Filesize
172KB

Download
memory/100-180-0x0000000010001000-0x000000001000F000-memory.dmp

Filesize
56KB

Download
memory/100-148-0x00000000035A0000-0x00000000035D9000-memory.dmp

Filesize
228KB

Download
memory/100-184-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/100-193-0x0000000003740000-0x000000000378B000-memory.dmp

Filesize
300KB

Download
memory/100-195-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/100-194-0x0000000003740000-0x000000000378B000-memory.dmp

Filesize
300KB

Download
memory/100-196-0x0000000002D10000-0x0000000002D3B000-memory.dmp

Filesize
172KB

Download
memory/100-199-0x00000000035A0000-0x00000000035D9000-memory.dmp

Filesize
228KB

Download
memory/3212-197-0x000002AEDF1D0000-0x000002AEDF1D1000-memory.dmp

Filesize
4KB

Download
memory/3212-198-0x000002AEDF1D0000-0x000002AEDF1D1000-memory.dmp

Filesize
4KB

Download
memory/3212-200-0x000002AEDF1D0000-0x000002AEDF1D1000-memory.dmp

Filesize
4KB

Download
memory/3212-204-0x000002AEDF1D0000-0x000002AEDF1D1000-memory.dmp

Filesize
4KB

Download
memory/3212-205-0x000002AEDF1D0000-0x000002AEDF1D1000-memory.dmp

Filesize
4KB

Download
memory/3212-206-0x000002AEDF1D0000-0x000002AEDF1D1000-memory.dmp

Filesize
4KB

Download
memory/3212-207-0x000002AEDF1D0000-0x000002AEDF1D1000-memory.dmp

Filesize
4KB

Download
memory/3212-208-0x000002AEDF1D0000-0x000002AEDF1D1000-memory.dmp

Filesize
4KB

Download
memory/3212-209-0x000002AEDF1D0000-0x000002AEDF1D1000-memory.dmp

Filesize
4KB

Download
memory/3212-210-0x000002AEDF1D0000-0x000002AEDF1D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads