blackmoon | 017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
Size

15.8MB
MD5

8b93e40cdda9545f47c93bb0d3b44541
SHA1

9bf3a52a30a783062cedfa420c55be04f048eb18
SHA256

017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876
SHA512

14119f9ab7f5cff36613759db9441d6626461753859035f239c7ccd214a6a093c039a8253954558a7484325dca7b35a8f8e8d66293fe7a1dd1678fc2206a9a1a
SSDEEP

393216:sCdpg9wn5yUfejxlZFaRCiQyEPokxW4m4C:sCTgoHf0TaEhyEgH4mL

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000800000001626a-41.dat	family_blackmoon
behavioral1/files/0x000800000001626a-43.dat	family_blackmoon
behavioral1/files/0x000800000001626a-45.dat	family_blackmoon
behavioral1/files/0x000800000001626a-47.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	ÌìÁúÐ¡ÃÛ[1116.1].exe

Loads dropped DLL 3 IoCs

pid	Process
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Media\xminfo.wav	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2968	ÌìÁúÐ¡ÃÛ[1116.1].exe
2968	ÌìÁúÐ¡ÃÛ[1116.1].exe
2968	ÌìÁúÐ¡ÃÛ[1116.1].exe
2968	ÌìÁúÐ¡ÃÛ[1116.1].exe
2968	ÌìÁúÐ¡ÃÛ[1116.1].exe
2968	ÌìÁúÐ¡ÃÛ[1116.1].exe
2968	ÌìÁúÐ¡ÃÛ[1116.1].exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
Token: SeDebugPrivilege	2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
Token: SeDebugPrivilege	2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
Token: SeDebugPrivilege	2968	ÌìÁúÐ¡ÃÛ[1116.1].exe
Token: SeDebugPrivilege	2968	ÌìÁúÐ¡ÃÛ[1116.1].exe
Token: SeDebugPrivilege	2968	ÌìÁúÐ¡ÃÛ[1116.1].exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
2968	ÌìÁúÐ¡ÃÛ[1116.1].exe
2968	ÌìÁúÐ¡ÃÛ[1116.1].exe
2968	ÌìÁúÐ¡ÃÛ[1116.1].exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2968	2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe	28
PID 2196 wrote to memory of 2968	2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe	28
PID 2196 wrote to memory of 2968	2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe	28
PID 2196 wrote to memory of 2968	2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe	28
PID 2196 wrote to memory of 2580	2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe	30
PID 2196 wrote to memory of 2580	2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe	30
PID 2196 wrote to memory of 2580	2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe	30
PID 2196 wrote to memory of 2580	2196	017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe	30

C:\Users\Admin\AppData\Local\Temp\017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe
"C:\Users\Admin\AppData\Local\Temp\017e0419fcb849cab6c7311d7b71f671570b71e1239f78fa3201eea819233876.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\ÌìÁúÐ¡ÃÛ[1116.1].exe
  C:\Users\Admin\AppData\Local\Temp\ÌìÁúÐ¡ÃÛ[1116.1].exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ .bat""
  2⤵
  - Deletes itself
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ .bat

Filesize
173B

MD5
5576360029e9089d986e81fabb43c12e

SHA1
5449d49246963b4268cddd7fd3dc5547bb15b395

SHA256
88324ff473801c6187ca4e8a80843feaa09b0b9a1e60212718f5ef99517ad2b8

SHA512
8067f591f96550302c99e9ed06b57d8d2417827a2936fefd40c1c0ea682ed259317eae6760f63c7cd7581c2ca6d57bbbe66cc39eb1e3732be322bedf2a498a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ .bat

Filesize
173B

MD5
5576360029e9089d986e81fabb43c12e

SHA1
5449d49246963b4268cddd7fd3dc5547bb15b395

SHA256
88324ff473801c6187ca4e8a80843feaa09b0b9a1e60212718f5ef99517ad2b8

SHA512
8067f591f96550302c99e9ed06b57d8d2417827a2936fefd40c1c0ea682ed259317eae6760f63c7cd7581c2ca6d57bbbe66cc39eb1e3732be322bedf2a498a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8787.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\88B1.tmp

Filesize
813KB

MD5
5e0db2d8b2750543cd2ebb9ea8e6cdd3

SHA1
8b997b38e179cd03c0a2e87bddbc1ebca39a8630

SHA256
01eb95fa3943cf3c6b1a21e473a5c3cb9fcbce46913b15c96cac14e4f04075b4

SHA512
38a2064f7a740feb6dba46d57998140f16da7b9302bfe217a24d593220c2340f854645d05993aac6b7ecf819b5c09e062c5c81ba29f79d919ae518e6de071716

Download Submit
C:\Users\Admin\AppData\Local\Temp\88B2.tmp

Filesize
304KB

MD5
d6d3ad7bf1d6f6ce9547613ed5e170a2

SHA1
6a20fe18619dc46e379c42f12ed761749053cbf9

SHA256
ea3bd7fec193a8cfe1d5736301acadc476fb6aac5475a45776d0a638e9845445

SHA512
2b900118d582eb8bba1612c67909bda97b2cd8755a00de1135c2809ab65385523a2f1c74eff7b37fc4ada585decfab2febbab9247d46038787a9ac786747c222

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÌìÁúÐ¡ÃÛ[1116.1].exe

Filesize
15.8MB

MD5
71ab5b24ddb3804ebf7ccc223700cc15

SHA1
426ba1c0dde6f93f878fd5a6de93d2ecf530c2e8

SHA256
726acf9c3611831d9b8ce7a31493ec5650094aa2853a0640de54cd623b515ee0

SHA512
0b228e545162d5bca1c269d765a7f43e93d4dbd50aa66b9ca857e7212003a4adc01e3caffc65848cb273b3b0e4f954a0e4e7bc953ac0decd24359c73729bb3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÌìÁúÐ¡ÃÛ[1116.1].exe

Filesize
15.8MB

MD5
71ab5b24ddb3804ebf7ccc223700cc15

SHA1
426ba1c0dde6f93f878fd5a6de93d2ecf530c2e8

SHA256
726acf9c3611831d9b8ce7a31493ec5650094aa2853a0640de54cd623b515ee0

SHA512
0b228e545162d5bca1c269d765a7f43e93d4dbd50aa66b9ca857e7212003a4adc01e3caffc65848cb273b3b0e4f954a0e4e7bc953ac0decd24359c73729bb3a4

Download Submit
C:\ÌìÁúÐ¡ÃÛ\ÅäÖÃÎÄ¼þ\ÅäÖÃÎÄ¼þ.ini

Filesize
73B

MD5
b5a29d804e69aa9dfee1a7acdd72b545

SHA1
e909f164e1c4977e7d14928c16348b356b483d35

SHA256
b31cf95dea965f9037b14c9084c98de7849b5b28d23d29ea8018978a1637bad3

SHA512
fe3b1eb10222f6b2c16df5481a05be83fe0b68329caa4d077dc2a68563c7985f2768edb190bde1b9ae44c66e819b5db7b5f313a64f66c82fde4b9b35d862e2e6

Download Submit
C:\ÌìÁúÐ¡ÃÛ\ÔËÐÐÎÄ¼þ\QYCJ.dll

Filesize
3.0MB

MD5
54da9cb20347baec926b6678f8efb3ab

SHA1
18ca10861aa561c56666270cca7fd44c73c28d72

SHA256
038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390

SHA512
e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b

Download Submit
\Users\Admin\AppData\Local\Temp\ÌìÁúÐ¡ÃÛ[1116.1].exe

Filesize
15.8MB

MD5
71ab5b24ddb3804ebf7ccc223700cc15

SHA1
426ba1c0dde6f93f878fd5a6de93d2ecf530c2e8

SHA256
726acf9c3611831d9b8ce7a31493ec5650094aa2853a0640de54cd623b515ee0

SHA512
0b228e545162d5bca1c269d765a7f43e93d4dbd50aa66b9ca857e7212003a4adc01e3caffc65848cb273b3b0e4f954a0e4e7bc953ac0decd24359c73729bb3a4

Download Submit
\Users\Admin\AppData\Local\Temp\ÌìÁúÐ¡ÃÛ[1116.1].exe

Filesize
15.8MB

MD5
71ab5b24ddb3804ebf7ccc223700cc15

SHA1
426ba1c0dde6f93f878fd5a6de93d2ecf530c2e8

SHA256
726acf9c3611831d9b8ce7a31493ec5650094aa2853a0640de54cd623b515ee0

SHA512
0b228e545162d5bca1c269d765a7f43e93d4dbd50aa66b9ca857e7212003a4adc01e3caffc65848cb273b3b0e4f954a0e4e7bc953ac0decd24359c73729bb3a4

Download Submit
\ÌìÁúÐ¡ÃÛ\ÔËÐÐÎÄ¼þ\QYCJ.dll

Filesize
3.0MB

MD5
54da9cb20347baec926b6678f8efb3ab

SHA1
18ca10861aa561c56666270cca7fd44c73c28d72

SHA256
038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390

SHA512
e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b

Download Submit
memory/2196-37-0x0000000076ED0000-0x0000000076ED1000-memory.dmp

Filesize
4KB

Download
memory/2196-29-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download
memory/2196-30-0x0000000076ED0000-0x0000000076ED1000-memory.dmp

Filesize
4KB

Download
memory/2196-27-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download
memory/2196-26-0x0000000004570000-0x0000000004BBC000-memory.dmp

Filesize
6.3MB

Download
memory/2196-24-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download