blackmoon | a38d5346d345fc6c2654281bd517e787180472b6cc5154fd97624c03040c9557

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 08:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.73ec55003c9cfcffe7abb285a979b150.exe
Size

374KB
MD5

73ec55003c9cfcffe7abb285a979b150
SHA1

dd6366166922e4a7656271ebc8793b3edcf664f7
SHA256

a38d5346d345fc6c2654281bd517e787180472b6cc5154fd97624c03040c9557
SHA512

f4cc5672d5d66b4fbaaf001990747a0df64cbcfa9d52756c728f672f639da5b5fd6d868dc0e9de91475129ecbed857da150abc76ee965f8a1301a59a8a4a8cd3
SSDEEP

3072:hZ+srvy+8+ANlhKeNPBJraHIL1c0gxQD9aXjsaouRIXMz+rpGbnb2HJ9+UuBx8t:hZrK+r+l0eNPBJrOxQD90saoTXrGsvgS

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022e28-12.dat	family_blackmoon
behavioral2/files/0x0008000000022e28-40.dat	family_blackmoon
behavioral2/files/0x0008000000022e28-41.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.73ec55003c9cfcffe7abb285a979b150.exe

Executes dropped EXE 1 IoCs

pid	Process
3528	Syslemiokns.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	NEAS.73ec55003c9cfcffe7abb285a979b150.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe
3528	Syslemiokns.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 3528	4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe	96
PID 4196 wrote to memory of 3528	4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe	96
PID 4196 wrote to memory of 3528	4196	NEAS.73ec55003c9cfcffe7abb285a979b150.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.73ec55003c9cfcffe7abb285a979b150.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.73ec55003c9cfcffe7abb285a979b150.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\Syslemiokns.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemiokns.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Syslemiokns.exe

Filesize
374KB

MD5
26b686095274c87cbbbfd3eb1d8ac57f

SHA1
9aca3e5c8a58722a5c9c0de927f8ea06335f2a0b

SHA256
6d611cc1feb4e7914dfab63952c6475acc394085d5c319c985f8271c9e96bed8

SHA512
5842088b11fcf3ad685ffbc00a2ebff568d51b2be423528130c5e7d8b6a64625950941bc3db8a233e70c16d71e7b53d3d8587a3871f51fe8e544d73619f5f561

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syslemiokns.exe

Filesize
374KB

MD5
26b686095274c87cbbbfd3eb1d8ac57f

SHA1
9aca3e5c8a58722a5c9c0de927f8ea06335f2a0b

SHA256
6d611cc1feb4e7914dfab63952c6475acc394085d5c319c985f8271c9e96bed8

SHA512
5842088b11fcf3ad685ffbc00a2ebff568d51b2be423528130c5e7d8b6a64625950941bc3db8a233e70c16d71e7b53d3d8587a3871f51fe8e544d73619f5f561

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syslemiokns.exe

Filesize
374KB

MD5
26b686095274c87cbbbfd3eb1d8ac57f

SHA1
9aca3e5c8a58722a5c9c0de927f8ea06335f2a0b

SHA256
6d611cc1feb4e7914dfab63952c6475acc394085d5c319c985f8271c9e96bed8

SHA512
5842088b11fcf3ad685ffbc00a2ebff568d51b2be423528130c5e7d8b6a64625950941bc3db8a233e70c16d71e7b53d3d8587a3871f51fe8e544d73619f5f561

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
75B

MD5
4ec6f7fb61f11d3c00342a8ec8c7d830

SHA1
58e7f45b9c72c2805f9835fa87e661c0f93ee218

SHA256
3289f7a5472c68645a54f2ffe9bfe3906818f9d67f20388d652beedca4fc93be

SHA512
2264328bc950be19fdc1c9835a390220ed5690b1f422c9abd9c46467ca5f6086c5fa72d9808d6e93ae83dbb3b680678da238d3901e3fa9627616f17be7c10e75

Download Submit