blackmoon | d86613fdaab9d2fe793b942537fddff60825f399662d33b3787351082785f7e1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d86613fdaab9d2fe793b942537fddff60825f399662d33b3787351082785f7e1.exe
Size

6.8MB
MD5

cc20d385490674e062242b7020bc3027
SHA1

9892627b2d2fc652d4772fbed7a816f64237b7bb
SHA256

d86613fdaab9d2fe793b942537fddff60825f399662d33b3787351082785f7e1
SHA512

e66b160909fd020d4fb244f7aceb4909ae5123efc5c3928c250a177b56d442d8c239e2a77376efb96d98c5d694e27b2840b7366f79326eadf8d50d1d175276dc
SSDEEP

98304:tgNYvZGiuCvKdfX3rwGacTT5GWDQIdc/cbN8cr8EYRNwILL1mP3IH7BU+JsnGOMq:SNYqCkjTtGWMKc/cbNtAEyyPE5/LC

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/4952-28-0x0000000002C50000-0x0000000002C75000-memory.dmp	family_blackmoon
behavioral2/memory/1464-38-0x0000000002140000-0x0000000002165000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	d86613fdaab9d2fe793b942537fddff60825f399662d33b3787351082785f7e1.exe

Executes dropped EXE 3 IoCs

pid	Process
4880	libcef.exe
4952	libcef.exe
1464	libcef.exe

Loads dropped DLL 3 IoCs

pid	Process
4880	libcef.exe
4952	libcef.exe
1464	libcef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	libcef.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4952	libcef.exe
4952	libcef.exe
4952	libcef.exe
4952	libcef.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 4880	3532	d86613fdaab9d2fe793b942537fddff60825f399662d33b3787351082785f7e1.exe	91
PID 3532 wrote to memory of 4880	3532	d86613fdaab9d2fe793b942537fddff60825f399662d33b3787351082785f7e1.exe	91
PID 3532 wrote to memory of 4880	3532	d86613fdaab9d2fe793b942537fddff60825f399662d33b3787351082785f7e1.exe	91

C:\Users\Admin\AppData\Local\Temp\d86613fdaab9d2fe793b942537fddff60825f399662d33b3787351082785f7e1.exe
"C:\Users\Admin\AppData\Local\Temp\d86613fdaab9d2fe793b942537fddff60825f399662d33b3787351082785f7e1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Public\Documents\libcef.exe
  "C:\Users\Public\Documents\libcef.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:4880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1904

C:\Users\Public\Documents\libcef.exe
"C:\Users\Public\Documents\libcef.exe" AAAABBAAAA
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Users\Public\Documents\libcef.exe
"C:\Users\Public\Documents\libcef.exe" AAAABBAAAA
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\libcef.dll

Filesize
64.4MB

MD5
559a386d021fbbb81299061cfb2dd458

SHA1
2703a3095f012f3634c045072457bdb7fc01ca0e

SHA256
4230ddad8ce25e50dd3c36265bb53035d094d6863824a2652a2940e2ff88d601

SHA512
7b3d5792199f23aeffe13a21da0c624fc95ecec99349f730827641bee018ebeeb4565f2b284fdf9eae7c68f56ca7dcd06b00923b1df189c1f7cba7129140de16

Download Submit
C:\Users\Public\Documents\libcef.dll

Filesize
64.4MB

MD5
559a386d021fbbb81299061cfb2dd458

SHA1
2703a3095f012f3634c045072457bdb7fc01ca0e

SHA256
4230ddad8ce25e50dd3c36265bb53035d094d6863824a2652a2940e2ff88d601

SHA512
7b3d5792199f23aeffe13a21da0c624fc95ecec99349f730827641bee018ebeeb4565f2b284fdf9eae7c68f56ca7dcd06b00923b1df189c1f7cba7129140de16

Download Submit
C:\Users\Public\Documents\libcef.dll

Filesize
64.4MB

MD5
559a386d021fbbb81299061cfb2dd458

SHA1
2703a3095f012f3634c045072457bdb7fc01ca0e

SHA256
4230ddad8ce25e50dd3c36265bb53035d094d6863824a2652a2940e2ff88d601

SHA512
7b3d5792199f23aeffe13a21da0c624fc95ecec99349f730827641bee018ebeeb4565f2b284fdf9eae7c68f56ca7dcd06b00923b1df189c1f7cba7129140de16

Download Submit
C:\Users\Public\Documents\libcef.dll

Filesize
64.4MB

MD5
559a386d021fbbb81299061cfb2dd458

SHA1
2703a3095f012f3634c045072457bdb7fc01ca0e

SHA256
4230ddad8ce25e50dd3c36265bb53035d094d6863824a2652a2940e2ff88d601

SHA512
7b3d5792199f23aeffe13a21da0c624fc95ecec99349f730827641bee018ebeeb4565f2b284fdf9eae7c68f56ca7dcd06b00923b1df189c1f7cba7129140de16

Download Submit
C:\Users\Public\Documents\libcef.exe

Filesize
264KB

MD5
0a5b0607f6db1e8c9e3d2ca0da5c8d58

SHA1
099a3435eacd5b82f4599203558e802c0a1b3c67

SHA256
a7b2b51c542c883cac36465555dbd027be01e9dd5757b060b6245235181608a7

SHA512
5e4f5e4fba9fe1e037e31cf9961bdc7f07f7eca893562fddadab9eef6b642a455d3ac4281a6c8d1f4e6f2525a947932cc31067ae5d96f1d3497ba0b8cbaf0560

Download Submit
C:\Users\Public\Documents\libcef.exe

Filesize
264KB

MD5
0a5b0607f6db1e8c9e3d2ca0da5c8d58

SHA1
099a3435eacd5b82f4599203558e802c0a1b3c67

SHA256
a7b2b51c542c883cac36465555dbd027be01e9dd5757b060b6245235181608a7

SHA512
5e4f5e4fba9fe1e037e31cf9961bdc7f07f7eca893562fddadab9eef6b642a455d3ac4281a6c8d1f4e6f2525a947932cc31067ae5d96f1d3497ba0b8cbaf0560

Download Submit
C:\Users\Public\Documents\libcef.exe

Filesize
264KB

MD5
0a5b0607f6db1e8c9e3d2ca0da5c8d58

SHA1
099a3435eacd5b82f4599203558e802c0a1b3c67

SHA256
a7b2b51c542c883cac36465555dbd027be01e9dd5757b060b6245235181608a7

SHA512
5e4f5e4fba9fe1e037e31cf9961bdc7f07f7eca893562fddadab9eef6b642a455d3ac4281a6c8d1f4e6f2525a947932cc31067ae5d96f1d3497ba0b8cbaf0560

Download Submit
C:\Users\Public\Documents\libcef.exe

Filesize
264KB

MD5
0a5b0607f6db1e8c9e3d2ca0da5c8d58

SHA1
099a3435eacd5b82f4599203558e802c0a1b3c67

SHA256
a7b2b51c542c883cac36465555dbd027be01e9dd5757b060b6245235181608a7

SHA512
5e4f5e4fba9fe1e037e31cf9961bdc7f07f7eca893562fddadab9eef6b642a455d3ac4281a6c8d1f4e6f2525a947932cc31067ae5d96f1d3497ba0b8cbaf0560

Download Submit
C:\Users\Public\Documents\libcef.exe

Filesize
264KB

MD5
0a5b0607f6db1e8c9e3d2ca0da5c8d58

SHA1
099a3435eacd5b82f4599203558e802c0a1b3c67

SHA256
a7b2b51c542c883cac36465555dbd027be01e9dd5757b060b6245235181608a7

SHA512
5e4f5e4fba9fe1e037e31cf9961bdc7f07f7eca893562fddadab9eef6b642a455d3ac4281a6c8d1f4e6f2525a947932cc31067ae5d96f1d3497ba0b8cbaf0560

Download Submit
C:\Users\Public\Documents\libcef.png

Filesize
788KB

MD5
aa0118e0a49834998273ae445da46084

SHA1
a346c15358a778884234052bde5eb17878e1a514

SHA256
5fa1eb46409889affd9e0359b6ea197dfb589ba1fe9e699dd31ae4fc8b904e85

SHA512
92ec3d01466851f4e442b460f04fcdd81e90cc9741af5f690e57e16457bd726f1c5b32e539bc93556d4ecc8ac9c00f3f1f286c73e1263878899efb3945bf89a9

Download Submit
memory/1464-38-0x0000000002140000-0x0000000002165000-memory.dmp

Filesize
148KB

Download
memory/4880-16-0x0000000010000000-0x00000000100CC000-memory.dmp

Filesize
816KB

Download
memory/4952-25-0x0000000010000000-0x00000000100CC000-memory.dmp

Filesize
816KB

Download
memory/4952-28-0x0000000002C50000-0x0000000002C75000-memory.dmp

Filesize
148KB

Download