blackmoon | 9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7.exe
Size

5.3MB
MD5

1d2715694fe50a9ded28f50f4288b696
SHA1

d0ca0183b78ec03dd38ee393f6d4c0539afd57f1
SHA256

9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7
SHA512

7fd1aabfa7a4c71da49e6d95a853f1a8b531ea8de2ca63bcb245cf4e5549ef1f019edb30fcda30e006b28db1844f69ee283be9b3bfa43084cc7a5d2bd19b9a44
SSDEEP

98304:xIZyMfdsowCw+yIM+5imauM5HNnJbzAJ/1ucUYdl1r//Db7aMUewtt9P8053:ElsotX8IIZJPAPucLdlNfwt/Pn

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 15 IoCs

resource	yara_rule
behavioral2/memory/4636-9-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-47-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-50-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-52-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-54-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-56-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-58-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-61-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-63-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-64-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-67-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-69-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-71-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-73-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon
behavioral2/memory/4468-81-0x0000000000400000-0x0000000000E38000-memory.dmp	family_blackmoon

Executes dropped EXE 2 IoCs

pid	Process
4468	9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7[Êµ].exe
4588	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Loads dropped DLL 1 IoCs

pid	Process
4588	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4588	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4588	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4588	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
4588	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 4468	4636	9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7.exe	86
PID 4636 wrote to memory of 4468	4636	9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7.exe	86
PID 4636 wrote to memory of 4468	4636	9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7.exe	86
PID 4468 wrote to memory of 4588	4468	9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7[Êµ].exe	87
PID 4468 wrote to memory of 4588	4468	9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7[Êµ].exe	87
PID 4468 wrote to memory of 4588	4468	9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7[Êµ].exe	87

C:\Users\Admin\AppData\Local\Temp\9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7.exe
"C:\Users\Admin\AppData\Local\Temp\9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Roaming\genwangame\9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7[Êµ]\9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7[Êµ].exe
  C:\Users\Admin\AppData\Roaming\genwangame\9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7[Êµ]\9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7[Êµ].exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
    C:\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\genwangame\9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7[Êµ]\9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7[Êµ].exe

Filesize
5.3MB

MD5
1d2715694fe50a9ded28f50f4288b696

SHA1
d0ca0183b78ec03dd38ee393f6d4c0539afd57f1

SHA256
9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7

SHA512
7fd1aabfa7a4c71da49e6d95a853f1a8b531ea8de2ca63bcb245cf4e5549ef1f019edb30fcda30e006b28db1844f69ee283be9b3bfa43084cc7a5d2bd19b9a44

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7[Êµ]\9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7[Êµ].exe

Filesize
5.3MB

MD5
1d2715694fe50a9ded28f50f4288b696

SHA1
d0ca0183b78ec03dd38ee393f6d4c0539afd57f1

SHA256
9c6bdc6db4bc616c6c5eedee78b7b518eeb82406402a5bb4df7f0b981854a9f7

SHA512
7fd1aabfa7a4c71da49e6d95a853f1a8b531ea8de2ca63bcb245cf4e5549ef1f019edb30fcda30e006b28db1844f69ee283be9b3bfa43084cc7a5d2bd19b9a44

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\ExuiKrnln_Win32.lib

Filesize
1.6MB

MD5
031ad1ecd93701d39265771942ec716c

SHA1
cb3ef507bf0e848894fbb96a29bfc94a0c302152

SHA256
9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba

SHA512
374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\ExuiKrnln_Win32.lib

Filesize
1.6MB

MD5
031ad1ecd93701d39265771942ec716c

SHA1
cb3ef507bf0e848894fbb96a29bfc94a0c302152

SHA256
9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba

SHA512
374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Filesize
2.5MB

MD5
529428ba2fe0eb9e5606bcfa7d8a24cf

SHA1
da75f9374597c390a7b1b183074cc49fd7065a63

SHA256
f0dbc0549588a38c26627f66fcc62bd08755743b78aef3c3931bf62100f38cf8

SHA512
ba61c617d9c060d59625ed46343d0b849bd77a5df73a51ae8236e3af15d22dbb249a798b6917977bf74cad93b3c863438742c181a6c87328f0a8caf7ff0a37ec

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Filesize
2.5MB

MD5
529428ba2fe0eb9e5606bcfa7d8a24cf

SHA1
da75f9374597c390a7b1b183074cc49fd7065a63

SHA256
f0dbc0549588a38c26627f66fcc62bd08755743b78aef3c3931bf62100f38cf8

SHA512
ba61c617d9c060d59625ed46343d0b849bd77a5df73a51ae8236e3af15d22dbb249a798b6917977bf74cad93b3c863438742c181a6c87328f0a8caf7ff0a37ec

Download Submit
memory/4468-64-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-52-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-81-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-12-0x0000000000E50000-0x0000000000E53000-memory.dmp

Filesize
12KB

Download
memory/4468-13-0x0000000010000000-0x00000000101A1000-memory.dmp

Filesize
1.6MB

Download
memory/4468-14-0x0000000002B40000-0x0000000002B99000-memory.dmp

Filesize
356KB

Download
memory/4468-73-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-71-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-69-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-67-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-63-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-61-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-11-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-58-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-34-0x0000000000E50000-0x0000000000E53000-memory.dmp

Filesize
12KB

Download
memory/4468-40-0x0000000010000000-0x00000000101A1000-memory.dmp

Filesize
1.6MB

Download
memory/4468-47-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-56-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-50-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4468-54-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4588-26-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/4588-66-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-51-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-55-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-49-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-57-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-27-0x0000000002B00000-0x0000000002B59000-memory.dmp

Filesize
356KB

Download
memory/4588-60-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-84-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-62-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-82-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-77-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-65-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-53-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-23-0x0000000000AB0000-0x0000000000AB3000-memory.dmp

Filesize
12KB

Download
memory/4588-68-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-22-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-70-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4588-72-0x0000000000400000-0x0000000000A9A000-memory.dmp

Filesize
6.6MB

Download
memory/4636-3-0x0000000002CA0000-0x0000000002CF9000-memory.dmp

Filesize
356KB

Download
memory/4636-9-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4636-0-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/4636-10-0x0000000010000000-0x00000000101A1000-memory.dmp

Filesize
1.6MB

Download
memory/4636-2-0x0000000010000000-0x00000000101A1000-memory.dmp

Filesize
1.6MB

Download
memory/4636-1-0x0000000000F20000-0x0000000000F23000-memory.dmp

Filesize
12KB

Download