blackmoon | c0b78a59daf60b8dbd191a3c6b6ef6b6e64a365c447daffca3cb5a3779afe00d

General

Target

514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5 (1)/514e0cd471b6e2065a13931a2f75c58.exe
Size

844KB
MD5

07979781449b4a4de757c980a2368412
SHA1

811fe4940f1eac767a5912922b4b3001b0dfb2f9
SHA256

514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5
SHA512

4cb87e513e2d9ebf9be7aaf22dda491c55670b9861a10ea4011b5133ed4d1901dd573890d3696816ed89aec4cecf906b13b69a95ee0e36701498f8a5710606c7
SSDEEP

12288:bRZ5tsO2zUoq8qRgAH3yaCFoGvDoy2iAnRItlu4k7kO:bRZ5tsO2wohqqAXTCURmlO

Score

10^/10

blackmoon gh0strat banker persistence rat trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/624-58-0x00000000001B0000-0x00000000001EB000-memory.dmp	family_blackmoon
behavioral1/memory/624-57-0x00000000001B0000-0x00000000001EB000-memory.dmp	family_blackmoon
behavioral1/memory/624-59-0x00000000001B0000-0x00000000001EB000-memory.dmp	family_blackmoon
behavioral1/memory/624-64-0x0000000002370000-0x00000000023E6000-memory.dmp	family_blackmoon
behavioral1/memory/624-86-0x0000000002370000-0x00000000023E6000-memory.dmp	family_blackmoon
behavioral1/memory/624-105-0x0000000002370000-0x00000000023E6000-memory.dmp	family_blackmoon
behavioral1/memory/624-111-0x0000000002370000-0x00000000023E6000-memory.dmp	family_blackmoon
behavioral1/memory/624-112-0x00000000001B0000-0x00000000001EB000-memory.dmp	family_blackmoon

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/624-93-0x0000000010000000-0x0000000010017000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Loads dropped DLL 2 IoCs

Processes:

514e0cd471b6e2065a13931a2f75c58.exe

pid process

624 514e0cd471b6e2065a13931a2f75c58.exe
624 514e0cd471b6e2065a13931a2f75c58.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

514e0cd471b6e2065a13931a2f75c58.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run	514e0cd471b6e2065a13931a2f75c58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\qdatem = "C:\\Users\\Public\\Documents\\Applicationosqrf.exe"	514e0cd471b6e2065a13931a2f75c58.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

560 NOTEPAD.EXE

pid	process
560	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

514e0cd471b6e2065a13931a2f75c58.exe

pid	process
624	514e0cd471b6e2065a13931a2f75c58.exe
624	514e0cd471b6e2065a13931a2f75c58.exe
624	514e0cd471b6e2065a13931a2f75c58.exe
624	514e0cd471b6e2065a13931a2f75c58.exe
624	514e0cd471b6e2065a13931a2f75c58.exe
624	514e0cd471b6e2065a13931a2f75c58.exe
624	514e0cd471b6e2065a13931a2f75c58.exe
624	514e0cd471b6e2065a13931a2f75c58.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

514e0cd471b6e2065a13931a2f75c58.exe

pid process

624 514e0cd471b6e2065a13931a2f75c58.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

514e0cd471b6e2065a13931a2f75c58.exe

pid	process
624	514e0cd471b6e2065a13931a2f75c58.exe
624	514e0cd471b6e2065a13931a2f75c58.exe
624	514e0cd471b6e2065a13931a2f75c58.exe
624	514e0cd471b6e2065a13931a2f75c58.exe
624	514e0cd471b6e2065a13931a2f75c58.exe
624	514e0cd471b6e2065a13931a2f75c58.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

514e0cd471b6e2065a13931a2f75c58.exe

pid process

624 514e0cd471b6e2065a13931a2f75c58.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

514e0cd471b6e2065a13931a2f75c58.exe

description	pid	process	target process
PID 624 wrote to memory of 560	624	514e0cd471b6e2065a13931a2f75c58.exe	NOTEPAD.EXE
PID 624 wrote to memory of 560	624	514e0cd471b6e2065a13931a2f75c58.exe	NOTEPAD.EXE
PID 624 wrote to memory of 560	624	514e0cd471b6e2065a13931a2f75c58.exe	NOTEPAD.EXE
PID 624 wrote to memory of 560	624	514e0cd471b6e2065a13931a2f75c58.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5 (1)\514e0cd471b6e2065a13931a2f75c58.exe
"C:\Users\Admin\AppData\Local\Temp\514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5 (1)\514e0cd471b6e2065a13931a2f75c58.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\514e0cd471b6e2065a13931a2f75c58.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\514e0cd471b6e2065a13931a2f75c58.txt
Filesize
120KB

MD5
3aea5b78bac5359a799c2714fecccd1a

SHA1
5d3203b328ecfc7a55c0ded1032d209e9f273367

SHA256
c05e763cab67cf9daf5be7a6a6cff2650223987a9693eaa119f69b2bbb6df6c3

SHA512
9513cc84a7ed3dd709d4affb03f6e286dcd43e82f33441c00a9d74d2b45449f2ee20baa8db46218d7a59d9e62fb7f95050ea305166e70f3e71dde39ccf07b6d3

Download Submit
C:\Users\Public\Documents\sjsw.log
Filesize
284B

MD5
5a2961c930fd0938318b1b76dbfe6299

SHA1
9096e9293497f68b3cef75c5d5bd96400085cbe9

SHA256
944cd9c7dfe71505b6013bb86f2c3c5449c65861d6bf1a3b06cd256d1f0d4fea

SHA512
1eeafbbb2b02589e6e61d8742205b9ad268754208b0d7ffc84c155defee634d8b00a4dfd6be6464c2e0e59f70bab76b6f3e0b7abe8e08c00e22f4263f1072d0f

Download Submit
\Users\Admin\AppData\Local\Temp\aaaty.dll
Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
\Users\Public\Documents\tooy.dll
Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
memory/624-87-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/624-91-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/624-64-0x0000000002370000-0x00000000023E6000-memory.dmp

Filesize
472KB

Download
memory/624-59-0x00000000001B0000-0x00000000001EB000-memory.dmp

Filesize
236KB

Download
memory/624-57-0x00000000001B0000-0x00000000001EB000-memory.dmp

Filesize
236KB

Download
memory/624-86-0x0000000002370000-0x00000000023E6000-memory.dmp

Filesize
472KB

Download
memory/624-58-0x00000000001B0000-0x00000000001EB000-memory.dmp

Filesize
236KB

Download
memory/624-89-0x00000000043D0000-0x00000000044C2000-memory.dmp

Filesize
968KB

Download
memory/624-90-0x00000000043D0000-0x00000000044C2000-memory.dmp

Filesize
968KB

Download
memory/624-60-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/624-92-0x00000000043D0000-0x00000000044C2000-memory.dmp

Filesize
968KB

Download
memory/624-93-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/624-96-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/624-105-0x0000000002370000-0x00000000023E6000-memory.dmp

Filesize
472KB

Download
memory/624-107-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/624-111-0x0000000002370000-0x00000000023E6000-memory.dmp

Filesize
472KB

Download
memory/624-112-0x00000000001B0000-0x00000000001EB000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads