blackmoon | 020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf

Analysis

max time kernel
137s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2023 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe
Size

4.2MB
MD5

819645deb48c161dd694592a64e67dc5
SHA1

37bf17eb82a8c42b8f7277c877c6ca66b2505797
SHA256

020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf
SHA512

159fa590879cb0846b08987db3bf9f8d5083173f7e6ecc88d6117ea395e28ddcf15b5a4fca868b7306106289fdc6c63d7aabb5d3355196a1dfc37bc126fafe78
SSDEEP

98304:8A+6HYx3q7qWt1QNwpMXt89fX8jG4ZI7fK/thAH2DzAKKt9n1KB4MYqoe4XH+ex:8ug3q7qi1QNwpMXt89fX8jG4ZI7fK/tu

Score

10^/10

blackmoon gh0strat banker rat trojan

Malware Config

Extracted

Family

gh0strat

125.77.168.216

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Public\xiaodaxzqxia\jecxz.exe	family_blackmoon
C:\Users\Public\xiaodaxzqxia\jecxz.exe	family_blackmoon

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/640-140-0x0000000002240000-0x0000000002256000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe

Drops startup file 2 IoCs

Processes:

v.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winzaxcvb.lnk	v.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winzaxcvb.lnk	v.exe

Executes dropped EXE 4 IoCs

Processes:

jecxz.exev.exev.exev.exe

pid process

640 jecxz.exe
3216 v.exe
4468 v.exe
4204 v.exe

pid	process
640	jecxz.exe
3216	v.exe
4468	v.exe
4204	v.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	jecxz.exe

Modifies registry class 1 IoCs

Processes:

020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jecxz.exe

pid process

640 jecxz.exe
640 jecxz.exe

pid	process
640	jecxz.exe
640	jecxz.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exejecxz.exe

pid	process
3948	020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe
3948	020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe
640	jecxz.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe

description	pid	process	target process
PID 3948 wrote to memory of 640	3948	020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe	jecxz.exe
PID 3948 wrote to memory of 640	3948	020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe	jecxz.exe
PID 3948 wrote to memory of 640	3948	020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe	jecxz.exe
PID 3948 wrote to memory of 3216	3948	020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe	v.exe
PID 3948 wrote to memory of 3216	3948	020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe	v.exe
PID 3948 wrote to memory of 3216	3948	020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe
"C:\Users\Admin\AppData\Local\Temp\020e77f8dee382d88007a53f1d4eca8f6a5e123e4fd6cc65b85105e6f30929cf.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Public\xiaodaxzqxia\jecxz.exe
C:\Users\Public\xiaodaxzqxia\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:640

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o C:\Users\Public\xiaodaxzqxia\111 -d C:\Users\Public\xiaodaxzqxia
2⤵
- Executes dropped EXE
PID:3216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4488

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -n C:\Users\Public\xiaodaxzqxia\b -d C:\Users\Admin\AppData\Roaming
1⤵
- Drops startup file
- Executes dropped EXE
PID:4468

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -n C:\Users\Public\xiaodaxzqxia\b -d C:\Users\Admin\AppData\Roaming
1⤵
- Executes dropped EXE
PID:4204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winzaxcvb.lnk
Filesize
1KB

MD5
65390da2a2a676e971e54730f385671d

SHA1
7a45295b5e44240b66c02635befe10f9b2ed2b06

SHA256
0437963c85448339ef452e7224c1712a29f6e0e775482324a2b4fda8debdc821

SHA512
710862fcaa063bfceabc6eafe009d8a0e583c5d214b069393db164e97d4a7fd9b36fd9153e9b0a9f9caee49eaa5606a5025332ee6aae8dbd99dd5d89445d4320

Download Submit
C:\Users\Public\xiaodaxzqxia\1
Filesize
122KB

MD5
4b8c048c709c1ac40abf26e96330d13e

SHA1
3de63e462a4ec0490c1863b02b5ec5de301516ea

SHA256
b7054a772fc19cba3d2314e4707b5664327ca027291b9ef3b15eca119a7ea07a

SHA512
898814dc1a3291e49fa55c6ae96da72659d8004393bdf9845cbf7500d66c65069facbf89369570f249d0dafcaa4854d242c5cd58496c4c86fdb5bec0a8bd3ba4

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.2MB

MD5
18145d0fb3877cb4c19d57eba9357926

SHA1
40c37ccd0c641db22dee185400a4204e3ad20e46

SHA256
5857f126dbf6d3d159394d8423111bb4a897f9207e79c2d94e09aae464a87ff5

SHA512
e9f74ea25286e11832fb3f8b77c848cde0d46ed438a492015bfc540d1cee7df53ad82cbc5e17c6a8d6de9df0ab9ca03b49aea8a6e2d0bada71ad364e495578e5

Download Submit
C:\Users\Public\xiaodaxzqxia\b
Filesize
1KB

MD5
90ef125bfb1c56aa09bd25707d27677f

SHA1
fd39a1f56869c8a090f066ccbf052c6c6366d5e8

SHA256
43ae9f64ac4196544c30038df9f63823bf9a6644014cff8d02a9fd28462044da

SHA512
78cc4d07d0570e4ba09dcb40e4ba61e004de23b7f5d760518b3f7dcd2abcd7f732f09409ce7743138076d39783f0aada9b5adb6cbc61d75ef84018f2d5f81887

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
124KB

MD5
9ab6d5eab5304d2b0a8d7cf451976543

SHA1
0b170a08c9e0925a11ce98eeb85e8a18cce34513

SHA256
fe94058f2c298857002a546fdf8a03132746bf8891bbd4525565d82e730e9dd5

SHA512
fb2aada2db53f3e29edfdb0a847536cf286c1ee8aebde3b95f59ceb0ed213c52d0ede2f8f7f14d38a4f8f2b4d7e73d5e89e37ed84f09317189755ac4fa35cf83

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
124KB

MD5
9ab6d5eab5304d2b0a8d7cf451976543

SHA1
0b170a08c9e0925a11ce98eeb85e8a18cce34513

SHA256
fe94058f2c298857002a546fdf8a03132746bf8891bbd4525565d82e730e9dd5

SHA512
fb2aada2db53f3e29edfdb0a847536cf286c1ee8aebde3b95f59ceb0ed213c52d0ede2f8f7f14d38a4f8f2b4d7e73d5e89e37ed84f09317189755ac4fa35cf83

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
memory/640-140-0x0000000002240000-0x0000000002256000-memory.dmp

Filesize
88KB

Download
memory/3948-153-0x0000000000400000-0x000000000086E400-memory.dmp

Filesize
4.4MB

Download
memory/3948-133-0x0000000000400000-0x000000000086E400-memory.dmp

Filesize
4.4MB

Download
memory/3948-166-0x0000000000400000-0x000000000086E400-memory.dmp

Filesize
4.4MB

Download