blackmoon | 94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363

Analysis

max time kernel
158s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2023 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe
Size

3.1MB
MD5

1145fc073c26ca9ab6a78d9c7c1faf2c
SHA1

7cc1eef3a73566d1f134bb270f1bfbe8f9b588c8
SHA256

94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363
SHA512

b4bcc89b362571c59071dc5ed177aa87c7248a57b2acb3b8311e4c47001ba57084c2c419de4ca26b1e4eefabf22a438a342bd0273c29e521e6f5124ef8930ec5
SSDEEP

49152:3VQkN2zF9+d+j/wNEI31HCOohiId4/VmyUMlPw6rEDCEfihhmDT+E2Wt6ym++:lwCa/wNdFH/ogI6/VV3lYUUi6DT+68

Score

10^/10

blackmoon banker discovery evasion spyware stealer trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3404-133-0x0000000000400000-0x0000000000456000-memory.dmp	family_blackmoon
behavioral2/memory/3404-135-0x0000000002200000-0x000000000223F000-memory.dmp	family_blackmoon
behavioral2/memory/3404-136-0x0000000002200000-0x000000000223F000-memory.dmp	family_blackmoon
behavioral2/memory/2456-162-0x00000000007E0000-0x000000000081F000-memory.dmp	family_blackmoon
behavioral2/memory/3404-163-0x0000000000400000-0x0000000000456000-memory.dmp	family_blackmoon
behavioral2/memory/2456-164-0x0000000000400000-0x0000000000456000-memory.dmp	family_blackmoon
behavioral2/memory/2456-165-0x00000000007E0000-0x000000000081F000-memory.dmp	family_blackmoon
behavioral2/memory/2456-177-0x0000000000400000-0x0000000000456000-memory.dmp	family_blackmoon
behavioral2/memory/3404-185-0x0000000002200000-0x000000000223F000-memory.dmp	family_blackmoon
behavioral2/memory/3404-188-0x0000000002200000-0x000000000223F000-memory.dmp	family_blackmoon
behavioral2/memory/3404-189-0x0000000002200000-0x000000000223F000-memory.dmp	family_blackmoon
behavioral2/memory/3404-192-0x0000000002200000-0x000000000223F000-memory.dmp	family_blackmoon
behavioral2/memory/3404-200-0x0000000002200000-0x000000000223F000-memory.dmp	family_blackmoon

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exeUninstallTool_x64.dat

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	UninstallTool_x64.dat

Executes dropped EXE 4 IoCs

Processes:

UninstallToolPortable.exeUninstallTool_x64.datUninstallToolHelper.exeRar.exe

pid process

32 UninstallToolPortable.exe
4436 UninstallTool_x64.dat
1092 UninstallToolHelper.exe
3044 Rar.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
32	UninstallToolPortable.exe
4436	UninstallTool_x64.dat
1092	UninstallToolHelper.exe
3044	Rar.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3404-133-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3404-163-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2456-164-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2456-177-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4568 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

UninstallTool_x64.dat

pid process

4436 UninstallTool_x64.dat
4436 UninstallTool_x64.dat
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

UninstallTool_x64.dat

description pid process

Token: SeDebugPrivilege 4436 UninstallTool_x64.dat

pid	process
4568	sc.exe

description	pid	process
Token: SeDebugPrivilege	4436	UninstallTool_x64.dat

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

UninstallTool_x64.dat

pid	process
4436	UninstallTool_x64.dat
4436	UninstallTool_x64.dat
4436	UninstallTool_x64.dat
4436	UninstallTool_x64.dat
4436	UninstallTool_x64.dat
4436	UninstallTool_x64.dat
4436	UninstallTool_x64.dat
4436	UninstallTool_x64.dat
4436	UninstallTool_x64.dat

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.execmd.exeUninstallToolPortable.exenet.exeUninstallTool_x64.datcmd.exe

description	pid	process	target process
PID 3404 wrote to memory of 2456	3404	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe
PID 3404 wrote to memory of 2456	3404	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe
PID 3404 wrote to memory of 2456	3404	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe
PID 2456 wrote to memory of 2068	2456	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe	cmd.exe
PID 2456 wrote to memory of 2068	2456	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe	cmd.exe
PID 2456 wrote to memory of 2068	2456	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe	cmd.exe
PID 2068 wrote to memory of 32	2068	cmd.exe	UninstallToolPortable.exe
PID 2068 wrote to memory of 32	2068	cmd.exe	UninstallToolPortable.exe
PID 2068 wrote to memory of 32	2068	cmd.exe	UninstallToolPortable.exe
PID 32 wrote to memory of 4436	32	UninstallToolPortable.exe	UninstallTool_x64.dat
PID 32 wrote to memory of 4436	32	UninstallToolPortable.exe	UninstallTool_x64.dat
PID 2068 wrote to memory of 5000	2068	cmd.exe	net.exe
PID 2068 wrote to memory of 5000	2068	cmd.exe	net.exe
PID 2068 wrote to memory of 5000	2068	cmd.exe	net.exe
PID 5000 wrote to memory of 3184	5000	net.exe	net1.exe
PID 5000 wrote to memory of 3184	5000	net.exe	net1.exe
PID 5000 wrote to memory of 3184	5000	net.exe	net1.exe
PID 4436 wrote to memory of 1092	4436	UninstallTool_x64.dat	UninstallToolHelper.exe
PID 4436 wrote to memory of 1092	4436	UninstallTool_x64.dat	UninstallToolHelper.exe
PID 4436 wrote to memory of 1092	4436	UninstallTool_x64.dat	UninstallToolHelper.exe
PID 2068 wrote to memory of 4568	2068	cmd.exe	sc.exe
PID 2068 wrote to memory of 4568	2068	cmd.exe	sc.exe
PID 2068 wrote to memory of 4568	2068	cmd.exe	sc.exe
PID 2068 wrote to memory of 2144	2068	cmd.exe	reg.exe
PID 2068 wrote to memory of 2144	2068	cmd.exe	reg.exe
PID 2068 wrote to memory of 2144	2068	cmd.exe	reg.exe
PID 2068 wrote to memory of 2140	2068	cmd.exe	reg.exe
PID 2068 wrote to memory of 2140	2068	cmd.exe	reg.exe
PID 2068 wrote to memory of 2140	2068	cmd.exe	reg.exe
PID 3404 wrote to memory of 2252	3404	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe	cmd.exe
PID 3404 wrote to memory of 2252	3404	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe	cmd.exe
PID 3404 wrote to memory of 2252	3404	94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe	cmd.exe
PID 2252 wrote to memory of 3044	2252	cmd.exe	Rar.exe
PID 2252 wrote to memory of 3044	2252	cmd.exe	Rar.exe

C:\Users\Admin\AppData\Local\Temp\94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe
"C:\Users\Admin\AppData\Local\Temp\94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3404

C:\Users\Admin\AppData\Local\Temp\94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe
"C:\Users\Admin\AppData\Local\Temp\94fe4b29ccc16d73ebea55a83e742e5b0a7231a5fc62f5ab33bc7dad3413f363.exe" -sfxwaitall:1 "RemoveService.cmd"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RemoveService.cmd" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UninstallToolPortable.exe
UninstallToolPortable.exe ""
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UninstallTool_x64.dat
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UninstallTool_x64.dat
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UninstallToolHelper.exe
UninstallToolHelper.exe
6⤵
- Executes dropped EXE
PID:1092

C:\Windows\SysWOW64\net.exe
net stop CisUtMonitor
4⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CisUtMonitor
5⤵
PID:3184

C:\Windows\SysWOW64\sc.exe
sc delete CisUtMonitor
4⤵
- Launches sc.exe
PID:4568

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\CisUtMonitor" /f
4⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\CrystalIdea Software" /f
4⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Rar.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\Rar.exe
C:\Users\Admin\AppData\Local\Temp\Rar.exe
3⤵
- Executes dropped EXE
PID:3044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RemoveService.cmd

Filesize
434B

MD5
d162503927fa035790a8a721fc0d0bd3

SHA1
8bba568b36418ff069019a4872de79cddb8ce449

SHA256
e8ddc2ce37405cf0cefea4071a1dc745baeba0819e9b638837ee146dcd312663

SHA512
63f6f593c68a8c451f26cd533301954632b5e6be3d035d640d1cd1d91b5c67abf15cc7f0e37c8453f746599fad5dc4ae2f9fd5d4cd56c1b9d85222741a379270

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UninstallToolHelper.exe

Filesize
463KB

MD5
d82e0a3786dba17f88929d11d6b00b96

SHA1
098f9b676677dc3a30530ad5254b7fb41e1391d9

SHA256
ba8d7b5662f85aa901fd6bcf86fc5989013577b18c81a91bffc1211fec31d6c8

SHA512
4df64c5f421103fabf156342d41ff2cece82ce6b7015c454ac78680611d4ab64788c7ed50b0505edcd4cc704fdbe3c118370464c476f8047bd0e022ddbc3424d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UninstallToolHelper.exe

Filesize
463KB

MD5
d82e0a3786dba17f88929d11d6b00b96

SHA1
098f9b676677dc3a30530ad5254b7fb41e1391d9

SHA256
ba8d7b5662f85aa901fd6bcf86fc5989013577b18c81a91bffc1211fec31d6c8

SHA512
4df64c5f421103fabf156342d41ff2cece82ce6b7015c454ac78680611d4ab64788c7ed50b0505edcd4cc704fdbe3c118370464c476f8047bd0e022ddbc3424d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UninstallToolPortable.exe

Filesize
327KB

MD5
56cfdeea82f27be12d1ad1c9bc737d9b

SHA1
c1d4d0147b680bf9a6f6dba2e8c174039c075744

SHA256
735925446abf2704e4adcafb495c9dd63d03eaf5888a72704e06655df35f35f0

SHA512
2f270042f202c978aaad688c54f383bcabd97a0a32be098229fcb846b079d549aee49940a104d3a0a931b32702743419d1a6e2d6679453bcdf54d787ea797064

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UninstallTool_x64.dat

Filesize
4.7MB

MD5
6e5aaf93c1d697e69073d9752fba952e

SHA1
5122ae7e228a4929b6c8c94424de320ae8472320

SHA256
4db9cf64ea18594a2b9a21c15dcaf8b809a771b315dcc2e758b14459f24dd87f

SHA512
181dc0fde5311f0b182130e76df517ea0496eddd06a32a86694c58a7a098da73b65757d218f01b51045e277c6bdc3deb2c173e1beef79a1aae2b5e074bd3eb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UninstallTool_x64.dat

Filesize
4.7MB

MD5
6e5aaf93c1d697e69073d9752fba952e

SHA1
5122ae7e228a4929b6c8c94424de320ae8472320

SHA256
4db9cf64ea18594a2b9a21c15dcaf8b809a771b315dcc2e758b14459f24dd87f

SHA512
181dc0fde5311f0b182130e76df517ea0496eddd06a32a86694c58a7a098da73b65757d218f01b51045e277c6bdc3deb2c173e1beef79a1aae2b5e074bd3eb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\languages\English.xml

Filesize
39KB

MD5
54f1488c16b874bf77aa21c843876024

SHA1
2ac1797382e794d69da42cd0b076d42441552d60

SHA256
8079512550ab75f7014cb42fb4a57b92ca645c7a3ad23cd29a6ee9f825ec04a6

SHA512
6f0f1527a9cfb670bfc9085b753978d3023a05f872952a729779c2d701457cf5d6449152cc3b7274a5d199b697058e2182e9c78109e40979532135b52ffaf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar.exe

Filesize
601KB

MD5
4fdc31997eb40979967fc04d9a9960f3

SHA1
7f13bd62c13324681913304644489bb6b66f584a

SHA256
e9ea78fab020718cb75a116993bfa2a5fe71c163a801995adb9e5abebc7990a2

SHA512
15146e24afcfea221616ca1f049d96e8a5f9b1eccefd3a27df150e4699993889fc1ab4952f2ba1ab519b1056baaeeb4490894bc795d0cb4630f663fa08316b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gr.txt

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1092-187-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1092-174-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2456-177-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2456-162-0x00000000007E0000-0x000000000081F000-memory.dmp

Filesize
252KB

Download
memory/2456-164-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2456-165-0x00000000007E0000-0x000000000081F000-memory.dmp

Filesize
252KB

Download
memory/3404-163-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3404-136-0x0000000002200000-0x000000000223F000-memory.dmp

Filesize
252KB

Download
memory/3404-185-0x0000000002200000-0x000000000223F000-memory.dmp

Filesize
252KB

Download
memory/3404-133-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3404-188-0x0000000002200000-0x000000000223F000-memory.dmp

Filesize
252KB

Download
memory/3404-189-0x0000000002200000-0x000000000223F000-memory.dmp

Filesize
252KB

Download
memory/3404-192-0x0000000002200000-0x000000000223F000-memory.dmp

Filesize
252KB

Download
memory/3404-135-0x0000000002200000-0x000000000223F000-memory.dmp

Filesize
252KB

Download
memory/3404-200-0x0000000002200000-0x000000000223F000-memory.dmp

Filesize
252KB

Download