blackmoon | 9fdce593fa16c76525206982a35718da11007319501d0910af25a253588702c1

Resubmissions

28-06-2023 10:24

230628-mftmbsha65 10

28-06-2023 10:20

230628-mdkxeaaa4t 10

Analysis

max time kernel
233s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2023 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

汇单图.exe
Size

265KB
MD5

7dfe3a740d55d5e677802cf8a68b0437
SHA1

c183a2fa41659d4df18d4b79ec09e6151d16aee0
SHA256

9fdce593fa16c76525206982a35718da11007319501d0910af25a253588702c1
SHA512

026b75192ac0c1cde44cb1d8916a3535493a5259d56d3db65b30c21db94d44a9bb3ee9e68fe9a56bb1ecbeca715c483f25ddaa4f3fd153fae5c074ec81c495eb
SSDEEP

3072:u30JBc9y8BpUwMyZ+BvK2t5SBjTCktECyqewTvDyRxwUdj/Tss0mGGMKT:u30JB58TnMys5iBj4CtpyFvss0mxMQ

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1036-133-0x0000000000400000-0x0000000000456200-memory.dmp	family_blackmoon
behavioral2/memory/1036-134-0x0000000000400000-0x0000000000456200-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

汇单图.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation	汇单图.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

汇单图.exe

description pid process

Token: SeIncBasePriorityPrivilege 1036 汇单图.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

汇单图.exe

pid process

1036 汇单图.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1036	汇单图.exe

pid	process
1036	汇单图.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

汇单图.exe

description	pid	process	target process
PID 1036 wrote to memory of 3344	1036	汇单图.exe	cmd.exe
PID 1036 wrote to memory of 3344	1036	汇单图.exe	cmd.exe
PID 1036 wrote to memory of 3344	1036	汇单图.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\汇单图.exe
"C:\Users\Admin\AppData\Local\Temp\汇单图.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\77AA~1.EXE > nul
2⤵
PID:3344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1036-133-0x0000000000400000-0x0000000000456200-memory.dmp

Filesize
344KB

Download
memory/1036-134-0x0000000000400000-0x0000000000456200-memory.dmp

Filesize
344KB

Download