blackmoon | e67a5de2a37a1f551b43856378beaf2b9dacf18947004c63fe5c3c077765b8d1

General

Target

saxbn.exe
Size

1.7MB
MD5

af7aac457eaefe1c228937403b933251
SHA1

166cbb657538ad45778dc77b9ae2b70eb961038b
SHA256

24411c2364855dfecc955f5ce2081d2ba9af1cb108eef97963b3c8a91ff288b8
SHA512

9b77d0605b3d4e0b79fc7ad01f7873e04c1331e438f20960fb18d51f4063ecb1c4df2d739e7731d78f2f5c89555e0135db65429baebc03a0144fc756f8410f8c
SSDEEP

49152:1Z6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVc5:1g3Yz5J/693km

Score

10^/10

blackmoon gh0strat banker rat trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
behavioral4/memory/344-149-0x0000000000400000-0x0000000000426000-memory.dmp	family_blackmoon
behavioral4/memory/344-150-0x0000000000400000-0x0000000000426000-memory.dmp	family_blackmoon
behavioral4/memory/344-158-0x0000000000400000-0x0000000000426000-memory.dmp	family_blackmoon
behavioral4/memory/344-156-0x0000000000400000-0x0000000000426000-memory.dmp	family_blackmoon
behavioral4/memory/5104-181-0x0000000010000000-0x0000000011000000-memory.dmp	family_blackmoon

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/1932-151-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Blocklisted process makes network request 36 IoCs

Processes:

cmd.exe

flow	pid	process
25	1932	cmd.exe
28	1932	cmd.exe
30	1932	cmd.exe
32	1932	cmd.exe
35	1932	cmd.exe
37	1932	cmd.exe
41	1932	cmd.exe
43	1932	cmd.exe
48	1932	cmd.exe
58	1932	cmd.exe
62	1932	cmd.exe
64	1932	cmd.exe
78	1932	cmd.exe
80	1932	cmd.exe
82	1932	cmd.exe
84	1932	cmd.exe
88	1932	cmd.exe
90	1932	cmd.exe
92	1932	cmd.exe
94	1932	cmd.exe
96	1932	cmd.exe
101	1932	cmd.exe
109	1932	cmd.exe
112	1932	cmd.exe
113	1932	cmd.exe
114	1932	cmd.exe
115	1932	cmd.exe
116	1932	cmd.exe
117	1932	cmd.exe
119	1932	cmd.exe
121	1932	cmd.exe
123	1932	cmd.exe
125	1932	cmd.exe
127	1932	cmd.exe
129	1932	cmd.exe
131	1932	cmd.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

saxbn.exe

description	pid	process	target process
PID 5104 set thread context of 1932	5104	saxbn.exe	cmd.exe
PID 5104 set thread context of 4416	5104	saxbn.exe	cmd.exe
PID 5104 set thread context of 344	5104	saxbn.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 5104 set thread context of 1252	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 set thread context of 4524	5104	saxbn.exe	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exemecxzcaasxzcxcassascxcxcx23667.exemecxzcaasxzcxcassascxcxcx23667.exe

pid process

344 secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
3312 mecxzcaasxzcxcassascxcxcx23667.exe
1252 mecxzcaasxzcxcassascxcxcx23667.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4380 344 WerFault.exe secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

saxbn.exe

pid process

5104 saxbn.exe
5104 saxbn.exe
5104 saxbn.exe
5104 saxbn.exe
5104 saxbn.exe
5104 saxbn.exe
5104 saxbn.exe
5104 saxbn.exe
5104 saxbn.exe
5104 saxbn.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exemecxzcaasxzcxcassascxcxcx23667.exe

pid process

344 secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
1252 mecxzcaasxzcxcassascxcxcx23667.exe

pid	process
344	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
3312	mecxzcaasxzcxcassascxcxcx23667.exe
1252	mecxzcaasxzcxcassascxcxcx23667.exe

pid	pid_target	process	target process
4380	344	WerFault.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe

pid	process
5104	saxbn.exe
5104	saxbn.exe
5104	saxbn.exe
5104	saxbn.exe
5104	saxbn.exe
5104	saxbn.exe
5104	saxbn.exe
5104	saxbn.exe
5104	saxbn.exe
5104	saxbn.exe

pid	process
344	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
1252	mecxzcaasxzcxcassascxcxcx23667.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

saxbn.exe

description	pid	process	target process
PID 5104 wrote to memory of 1932	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 1932	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 1932	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 1932	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 1932	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 1932	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 1932	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 1932	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4128	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4128	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4128	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4416	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4416	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4416	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4416	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4416	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4416	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4416	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4416	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 344	5104	saxbn.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 5104 wrote to memory of 344	5104	saxbn.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 5104 wrote to memory of 344	5104	saxbn.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 5104 wrote to memory of 344	5104	saxbn.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 5104 wrote to memory of 344	5104	saxbn.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 5104 wrote to memory of 344	5104	saxbn.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 5104 wrote to memory of 344	5104	saxbn.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 5104 wrote to memory of 344	5104	saxbn.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 5104 wrote to memory of 344	5104	saxbn.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 5104 wrote to memory of 3312	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 3312	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 3312	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 1252	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 1252	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 1252	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 1252	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 1252	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 1252	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 1252	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 1252	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 1252	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 1252	5104	saxbn.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 5104 wrote to memory of 4524	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4524	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4524	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4524	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4524	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4524	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4524	5104	saxbn.exe	cmd.exe
PID 5104 wrote to memory of 4524	5104	saxbn.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\saxbn.exe
"C:\Users\Admin\AppData\Local\Temp\saxbn.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  - Blocklisted process makes network request
  PID:1932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:4128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:4416
- C:\Users\Admin\AppData\Local\Temp\secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
  C:\Users\Admin\AppData\Local\Temp\secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 420
    3⤵
    - Program crash
    PID:4380
- C:\Users\Admin\AppData\Local\Temp\mecxzcaasxzcxcassascxcxcx23667.exe
  C:\Users\Admin\AppData\Local\Temp\mecxzcaasxzcxcassascxcxcx23667.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Users\Admin\AppData\Local\Temp\mecxzcaasxzcxcassascxcxcx23667.exe
  C:\Users\Admin\AppData\Local\Temp\mecxzcaasxzcxcassascxcxcx23667.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 344 -ip 344
1⤵
PID:4944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mecxzcaasxzcxcassascxcxcx23667.exe

Filesize
1.7MB

MD5
af7aac457eaefe1c228937403b933251

SHA1
166cbb657538ad45778dc77b9ae2b70eb961038b

SHA256
24411c2364855dfecc955f5ce2081d2ba9af1cb108eef97963b3c8a91ff288b8

SHA512
9b77d0605b3d4e0b79fc7ad01f7873e04c1331e438f20960fb18d51f4063ecb1c4df2d739e7731d78f2f5c89555e0135db65429baebc03a0144fc756f8410f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mecxzcaasxzcxcassascxcxcx23667.exe

Filesize
1.7MB

MD5
af7aac457eaefe1c228937403b933251

SHA1
166cbb657538ad45778dc77b9ae2b70eb961038b

SHA256
24411c2364855dfecc955f5ce2081d2ba9af1cb108eef97963b3c8a91ff288b8

SHA512
9b77d0605b3d4e0b79fc7ad01f7873e04c1331e438f20960fb18d51f4063ecb1c4df2d739e7731d78f2f5c89555e0135db65429baebc03a0144fc756f8410f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mecxzcaasxzcxcassascxcxcx23667.exe

Filesize
1.7MB

MD5
af7aac457eaefe1c228937403b933251

SHA1
166cbb657538ad45778dc77b9ae2b70eb961038b

SHA256
24411c2364855dfecc955f5ce2081d2ba9af1cb108eef97963b3c8a91ff288b8

SHA512
9b77d0605b3d4e0b79fc7ad01f7873e04c1331e438f20960fb18d51f4063ecb1c4df2d739e7731d78f2f5c89555e0135db65429baebc03a0144fc756f8410f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe

Filesize
1.7MB

MD5
af7aac457eaefe1c228937403b933251

SHA1
166cbb657538ad45778dc77b9ae2b70eb961038b

SHA256
24411c2364855dfecc955f5ce2081d2ba9af1cb108eef97963b3c8a91ff288b8

SHA512
9b77d0605b3d4e0b79fc7ad01f7873e04c1331e438f20960fb18d51f4063ecb1c4df2d739e7731d78f2f5c89555e0135db65429baebc03a0144fc756f8410f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe

Filesize
1.7MB

MD5
af7aac457eaefe1c228937403b933251

SHA1
166cbb657538ad45778dc77b9ae2b70eb961038b

SHA256
24411c2364855dfecc955f5ce2081d2ba9af1cb108eef97963b3c8a91ff288b8

SHA512
9b77d0605b3d4e0b79fc7ad01f7873e04c1331e438f20960fb18d51f4063ecb1c4df2d739e7731d78f2f5c89555e0135db65429baebc03a0144fc756f8410f8c

Download Submit
memory/344-148-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/344-158-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/344-149-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/344-150-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/344-156-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/344-147-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1252-165-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1252-168-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1252-175-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1252-173-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1252-166-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1252-172-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1252-167-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1252-169-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1932-137-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1932-151-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1932-136-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1932-138-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1932-140-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5104-135-0x0000000001320000-0x0000000001328000-memory.dmp

Filesize
32KB

Download
memory/5104-181-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads