blackmoon | e42c82fd5db6848c96c01254dc3f3551a9180ba5f82750058fdb7180386084d7

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2023 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.9MB
MD5

e5aad337eb94f764f8a05aeaddbec2df
SHA1

eeb1a8d621b45b3fd7ab521b522a946834a25d31
SHA256

e42c82fd5db6848c96c01254dc3f3551a9180ba5f82750058fdb7180386084d7
SHA512

3568fcf61f82b1d1f1ab3aa703ead77b12a917bd3718cd13e9a0d729ac248aa31e9af7e2a68b9aa0e50cdaad88ec32b651cdd16bc31cb9a6db603cdfa6dafb43
SSDEEP

24576:iYFbkIsaPiXSVnC7Yp9zkNmZG8RRlnOyzrRRDWRvIHwZ1PEEa+prqez7iJNOlKzX:iYREXSVMDi3fzABeohfZ7wSM

Score

10^/10

blackmoon gh0strat banker persistence rat trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe	family_blackmoon
behavioral2/memory/2084-151-0x0000000000400000-0x00000000004D0000-memory.dmp	family_blackmoon

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240610546.bat	family_gh0strat
C:\Windows\SysWOW64\240610546.bat	family_gh0strat
\??\c:\windows\SysWOW64\240610546.bat	family_gh0strat
C:\Windows\SysWOW64\240610546.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240610546.bat"	look2.exe

Executes dropped EXE 3 IoCs

Processes:

look2.exeHD_tmp.exesvchcst.exe

pid process

1976 look2.exe
2084 HD_tmp.exe
3720 svchcst.exe
Loads dropped DLL 3 IoCs

Processes:

look2.exesvchost.exesvchcst.exe

pid process

1976 look2.exe
4292 svchost.exe
3720 svchcst.exe

pid	process
1976	look2.exe
2084	HD_tmp.exe
3720	svchcst.exe

pid	process
1976	look2.exe
4292	svchost.exe
3720	svchcst.exe

Drops file in System32 directory 4 IoCs

Processes:

look2.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\240610546.bat	look2.exe

Drops file in Program Files directory 1 IoCs

Processes:

tmp.exe

description ioc process

File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe tmp.exe
Drops file in Windows directory 1 IoCs

Processes:

HD_tmp.exe

description ioc process

File created C:\Windows\gzip.dll HD_tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tmp.exe

pid process

4940 tmp.exe
4940 tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HD_tmp.exe

description pid process

Token: SeDebugPrivilege 2084 HD_tmp.exe
Token: SeDebugPrivilege 2084 HD_tmp.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exe

pid process

4940 tmp.exe
4940 tmp.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	tmp.exe

description	ioc	process
File created	C:\Windows\gzip.dll	HD_tmp.exe

pid	process
4940	tmp.exe
4940	tmp.exe

description	pid	process
Token: SeDebugPrivilege	2084	HD_tmp.exe
Token: SeDebugPrivilege	2084	HD_tmp.exe

pid	process
4940	tmp.exe
4940	tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

tmp.exesvchost.exe

description	pid	process	target process
PID 4940 wrote to memory of 1976	4940	tmp.exe	look2.exe
PID 4940 wrote to memory of 1976	4940	tmp.exe	look2.exe
PID 4940 wrote to memory of 1976	4940	tmp.exe	look2.exe
PID 4940 wrote to memory of 2084	4940	tmp.exe	HD_tmp.exe
PID 4940 wrote to memory of 2084	4940	tmp.exe	HD_tmp.exe
PID 4940 wrote to memory of 2084	4940	tmp.exe	HD_tmp.exe
PID 4292 wrote to memory of 3720	4292	svchost.exe	svchcst.exe
PID 4292 wrote to memory of 3720	4292	svchost.exe	svchcst.exe
PID 4292 wrote to memory of 3720	4292	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1976
- C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
  C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2084

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:2468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\240610546.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
4072f56dae8124ee92dd3e340b88d6b1

SHA1
5fd45a241df228b4ac239bf3ac162d4f407d39db

SHA256
1b7e0d60ea9de822c05b9620dd6e86baa7923becfbb3f66553ae023280c60db6

SHA512
e84ec29f9ab8e6b63ac6eafecb39224b5045524626ec042447c22572055d97520c2e39b84dacfa8c8442c1ebe26bdc4f4818df1bdb668dbca7e35b83e4605efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe

Filesize
724KB

MD5
3bf0de29b9c3c43fe8d3974b09fea8c6

SHA1
3cf76e65b9331a775043583774ceb38da3a5dc6b

SHA256
8f201925821601927ae782e9eea8b6f76007266eb9dcbc07ab263e859f03387e

SHA512
763e4ed512704d8cd8a5fd3168146c8c6c1d0ad6e0d5481eb4b25951bdcbe20e520be118710595da2b110f9f82260761381072c0eb162fbd9f672dd33a44d860

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe

Filesize
724KB

MD5
3bf0de29b9c3c43fe8d3974b09fea8c6

SHA1
3cf76e65b9331a775043583774ceb38da3a5dc6b

SHA256
8f201925821601927ae782e9eea8b6f76007266eb9dcbc07ab263e859f03387e

SHA512
763e4ed512704d8cd8a5fd3168146c8c6c1d0ad6e0d5481eb4b25951bdcbe20e520be118710595da2b110f9f82260761381072c0eb162fbd9f672dd33a44d860

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240610546.bat

Filesize
51KB

MD5
bed608286a8ad8e719ec5a246a246936

SHA1
99342ae0e180abdab73fb95aa56cf2375b139c4a

SHA256
834d243cf8bea9fedaa16469da5b21d8193cdf40ff957a30060565bf3a53540b

SHA512
4429c12373d83fffa5e8f40e83b979614dff8dedcb301fd299aa6fa9eb12d2c8580d75ee89959da8f6325d9f12b57ed5ef70296a2948931487b02f70454929cd

Download Submit
C:\Windows\SysWOW64\240610546.bat

Filesize
51KB

MD5
bed608286a8ad8e719ec5a246a246936

SHA1
99342ae0e180abdab73fb95aa56cf2375b139c4a

SHA256
834d243cf8bea9fedaa16469da5b21d8193cdf40ff957a30060565bf3a53540b

SHA512
4429c12373d83fffa5e8f40e83b979614dff8dedcb301fd299aa6fa9eb12d2c8580d75ee89959da8f6325d9f12b57ed5ef70296a2948931487b02f70454929cd

Download Submit
C:\Windows\SysWOW64\240610546.bat

Filesize
51KB

MD5
bed608286a8ad8e719ec5a246a246936

SHA1
99342ae0e180abdab73fb95aa56cf2375b139c4a

SHA256
834d243cf8bea9fedaa16469da5b21d8193cdf40ff957a30060565bf3a53540b

SHA512
4429c12373d83fffa5e8f40e83b979614dff8dedcb301fd299aa6fa9eb12d2c8580d75ee89959da8f6325d9f12b57ed5ef70296a2948931487b02f70454929cd

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
\??\c:\windows\SysWOW64\240610546.bat

Filesize
51KB

MD5
bed608286a8ad8e719ec5a246a246936

SHA1
99342ae0e180abdab73fb95aa56cf2375b139c4a

SHA256
834d243cf8bea9fedaa16469da5b21d8193cdf40ff957a30060565bf3a53540b

SHA512
4429c12373d83fffa5e8f40e83b979614dff8dedcb301fd299aa6fa9eb12d2c8580d75ee89959da8f6325d9f12b57ed5ef70296a2948931487b02f70454929cd

Download Submit
memory/2084-151-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download