blackmoon | 14db0f5a78d309facfffe21fb592030147a71d80d325492ec271240816225b9f

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2023 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.4MB
MD5

89ebf1d0f154c2f3f8f385cccec04047
SHA1

56acc86c948a83e0791955242d90826bf1521318
SHA256

14db0f5a78d309facfffe21fb592030147a71d80d325492ec271240816225b9f
SHA512

f9b6646aaa74039eec16bb0accec3b203c2cc296c02c7ee98ff828bca2557710bb4587f2e5b2f810909f76f9390313b0d14f526c087e9c08f62326cfae5b29ef
SSDEEP

24576:iYFbkIsaPiXSVnC7Yp9zkNmZG8RRlnOyzyeHdSyO7xstT:iYREXSVMDi3N9SC

Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2036-164-0x0000000000400000-0x00000000004DA000-memory.dmp	family_blackmoon
behavioral2/memory/2036-169-0x0000000000400000-0x00000000004DA000-memory.dmp	family_blackmoon

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240622046.bat	family_gh0strat
C:\Windows\SysWOW64\240622046.bat	family_gh0strat
\??\c:\windows\SysWOW64\240622046.bat	family_gh0strat
C:\Windows\SysWOW64\240622046.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240622046.bat"	look2.exe

Executes dropped EXE 3 IoCs

Processes:

look2.exeHD_tmp.exesvchcst.exe

pid process

4584 look2.exe
2036 HD_tmp.exe
2636 svchcst.exe
Loads dropped DLL 3 IoCs

Processes:

look2.exesvchost.exesvchcst.exe

pid process

4584 look2.exe
2376 svchost.exe
2636 svchcst.exe

pid	process
4584	look2.exe
2036	HD_tmp.exe
2636	svchcst.exe

pid	process
4584	look2.exe
2376	svchost.exe
2636	svchcst.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe	upx
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe	upx
behavioral2/memory/2036-164-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral2/memory/2036-169-0x0000000000400000-0x00000000004DA000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

svchost.exelook2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\240622046.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe

Drops file in Program Files directory 1 IoCs

Processes:

tmp.exe

description ioc process

File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe tmp.exe
Drops file in Windows directory 1 IoCs

Processes:

HD_tmp.exe

description ioc process

File created C:\Windows\gzip.dll HD_tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tmp.exe

pid process

2816 tmp.exe
2816 tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HD_tmp.exe

description pid process

Token: SeDebugPrivilege 2036 HD_tmp.exe
Token: SeDebugPrivilege 2036 HD_tmp.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exe

pid process

2816 tmp.exe
2816 tmp.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	tmp.exe

description	ioc	process
File created	C:\Windows\gzip.dll	HD_tmp.exe

pid	process
2816	tmp.exe
2816	tmp.exe

description	pid	process
Token: SeDebugPrivilege	2036	HD_tmp.exe
Token: SeDebugPrivilege	2036	HD_tmp.exe

pid	process
2816	tmp.exe
2816	tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

tmp.exesvchost.exe

description	pid	process	target process
PID 2816 wrote to memory of 4584	2816	tmp.exe	look2.exe
PID 2816 wrote to memory of 4584	2816	tmp.exe	look2.exe
PID 2816 wrote to memory of 4584	2816	tmp.exe	look2.exe
PID 2816 wrote to memory of 2036	2816	tmp.exe	HD_tmp.exe
PID 2816 wrote to memory of 2036	2816	tmp.exe	HD_tmp.exe
PID 2816 wrote to memory of 2036	2816	tmp.exe	HD_tmp.exe
PID 2376 wrote to memory of 2636	2376	svchost.exe	svchcst.exe
PID 2376 wrote to memory of 2636	2376	svchost.exe	svchcst.exe
PID 2376 wrote to memory of 2636	2376	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:4584
- C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
  C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:4320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\240622046.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
6555b624879b075c809e9f89cd04693d

SHA1
e12a234dc8a4810213b4d1e23f7f64008028a704

SHA256
81145af5a4122bcb12d88cc6957a1233eb248e429b3c31ebce45b27acc891907

SHA512
660984685d6dbcd053d7a90bff2c28229363e4054040957f926c6b78ed3bdae50143a1fde0cb09f38fdd6ade819c39d15fed3b5fc3ae8849f7f278bd76ea588d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe

Filesize
286KB

MD5
9a8a833759a1e975eca310d76f3f76df

SHA1
39f7069889f88089a6d655a19d7d7d1ecca61887

SHA256
92b5384fd26823d4423c226645cabf8055d5502a00e362db77b1f19cab17df5a

SHA512
961ee3479bf33df688572568c20ed27ebbd6d11edd580fdab6437c1bea1247efacaeccbbd659de8c037e0bcf01aa3b35c56f8718a64f87a9388fa90e3d438bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe

Filesize
286KB

MD5
9a8a833759a1e975eca310d76f3f76df

SHA1
39f7069889f88089a6d655a19d7d7d1ecca61887

SHA256
92b5384fd26823d4423c226645cabf8055d5502a00e362db77b1f19cab17df5a

SHA512
961ee3479bf33df688572568c20ed27ebbd6d11edd580fdab6437c1bea1247efacaeccbbd659de8c037e0bcf01aa3b35c56f8718a64f87a9388fa90e3d438bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240622046.bat

Filesize
51KB

MD5
34c437751d55fb08fab09cddff60b2e9

SHA1
bf609240d1f13d6c2796ad30ab1ae55c04ed80f7

SHA256
26f70461b1e46cdf37f8bb6bcee230ad71dd81bf61a11ef5ccabe49e9247de1d

SHA512
7ff0c6039132a58549365be06ef4208a5420cd2ce83dc0d996c9b42d0fca622127d591a2dd167c558cd7d4e4b84b88389264ee6bd313e353de768cdec87da7ca

Download Submit
C:\Windows\SysWOW64\240622046.bat

Filesize
51KB

MD5
34c437751d55fb08fab09cddff60b2e9

SHA1
bf609240d1f13d6c2796ad30ab1ae55c04ed80f7

SHA256
26f70461b1e46cdf37f8bb6bcee230ad71dd81bf61a11ef5ccabe49e9247de1d

SHA512
7ff0c6039132a58549365be06ef4208a5420cd2ce83dc0d996c9b42d0fca622127d591a2dd167c558cd7d4e4b84b88389264ee6bd313e353de768cdec87da7ca

Download Submit
C:\Windows\SysWOW64\240622046.bat

Filesize
51KB

MD5
34c437751d55fb08fab09cddff60b2e9

SHA1
bf609240d1f13d6c2796ad30ab1ae55c04ed80f7

SHA256
26f70461b1e46cdf37f8bb6bcee230ad71dd81bf61a11ef5ccabe49e9247de1d

SHA512
7ff0c6039132a58549365be06ef4208a5420cd2ce83dc0d996c9b42d0fca622127d591a2dd167c558cd7d4e4b84b88389264ee6bd313e353de768cdec87da7ca

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
\??\c:\windows\SysWOW64\240622046.bat

Filesize
51KB

MD5
34c437751d55fb08fab09cddff60b2e9

SHA1
bf609240d1f13d6c2796ad30ab1ae55c04ed80f7

SHA256
26f70461b1e46cdf37f8bb6bcee230ad71dd81bf61a11ef5ccabe49e9247de1d

SHA512
7ff0c6039132a58549365be06ef4208a5420cd2ce83dc0d996c9b42d0fca622127d591a2dd167c558cd7d4e4b84b88389264ee6bd313e353de768cdec87da7ca

Download Submit
memory/2036-164-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2036-169-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download