blackmoon | 10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291

General

Target

10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
Size

670KB
MD5

f11155ae786a74b4b6766f6849fa0b0b
SHA1

c6c3b33b2f46b1236ae8ff045151c1ddc30c822e
SHA256

10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291
SHA512

733bef31a54e83d077f8f052c9b5a8b3d9ce894cd0dd528f01a6d3244c1f2696d45ce3171c01101057b854a3fccf00b0204e50a2a0c30e2316c7eebc646ce187
SSDEEP

12288:gYh9c1Xze30Y33Oc7jEWdsV7ds9HQlbBlhQLFN7:Jzc1KkY33Oc7jEWdcd8HyZWl

Score

10^/10

blackmoon gh0strat banker persistence rat trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/2608-7-0x00000000035D0000-0x00000000036BB000-memory.dmp	family_blackmoon
behavioral1/memory/2608-11-0x00000000035D0000-0x00000000036BB000-memory.dmp	family_blackmoon
behavioral1/memory/2608-49-0x00000000035D0000-0x00000000036BB000-memory.dmp	family_blackmoon
behavioral1/memory/2608-50-0x00000000035D0000-0x00000000036BB000-memory.dmp	family_blackmoon

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2608-36-0x0000000010000000-0x0000000010017000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 1 IoCs

pid	Process
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\qdatem = "C:\\Users\\Public\\Documents\\Applicationkysfz.exe"	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\M:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\P:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\S:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\G:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\E:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\L:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\U:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\V:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\Y:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\Z:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\B:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\J:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\N:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\O:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\R:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\T:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\W:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\X:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\H:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\Q:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
File opened (read-only)	\??\I:	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2724	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2724	2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe	28
PID 2608 wrote to memory of 2724	2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe	28
PID 2608 wrote to memory of 2724	2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe	28
PID 2608 wrote to memory of 2724	2608	10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe	28

C:\Users\Admin\AppData\Local\Temp\10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe
"C:\Users\Admin\AppData\Local\Temp\10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10beb6f271ff10c87132ca40eb90f6d89cbe61aac4b0c6b2db6c1bcdbb7fb291.txt

Filesize
649KB

MD5
d504f3e79833f38f69ab0696a9ed8205

SHA1
88ca3e8ec7886048102125539b22b2e7d3ec3dc5

SHA256
174c0c0d80346d35c31674baf20f06040341ebd6b5103c762e64fb7e1b4a244c

SHA512
bc28d5566b5569f3a69ceb6b7c6db200aa22d6fcc41d4c03b18472143a44b58e8e4afa7d445c573d75f2cd3d375ae3cf568bc23f13e342cc80ee9f84c74638c1

Download Submit
C:\Users\Public\Documents\sjsw.log

Filesize
232B

MD5
7c6d73e998513522505ce81329095d10

SHA1
77fbde7b6289814315caef0247f4a4d0b24835bf

SHA256
7807a7ea4d1cd978134c8d5da344b8a5b6562ebe4f972b88bcd7b7e29135d1f5

SHA512
667d2f679ac45617231beb43f8017facc0032b7bd27ab597bded19be7706e848b1cf4fefc9aa5e2c56687efbb51891d194f5f6685ada5f633a0db64ab76f5fae

Download Submit
\Users\Public\Documents\xffvd.dll

Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
memory/2608-8-0x00000000035D0000-0x00000000036BB000-memory.dmp

Filesize
940KB

Download
memory/2608-32-0x0000000004370000-0x0000000004463000-memory.dmp

Filesize
972KB

Download
memory/2608-0-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2608-7-0x00000000035D0000-0x00000000036BB000-memory.dmp

Filesize
940KB

Download
memory/2608-9-0x0000000000600000-0x0000000000603000-memory.dmp

Filesize
12KB

Download
memory/2608-11-0x00000000035D0000-0x00000000036BB000-memory.dmp

Filesize
940KB

Download
memory/2608-3-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2608-1-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2608-30-0x0000000004370000-0x0000000004463000-memory.dmp

Filesize
972KB

Download
memory/2608-2-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2608-33-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2608-34-0x0000000004370000-0x0000000004463000-memory.dmp

Filesize
972KB

Download
memory/2608-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2608-36-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2608-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2608-49-0x00000000035D0000-0x00000000036BB000-memory.dmp

Filesize
940KB

Download
memory/2608-50-0x00000000035D0000-0x00000000036BB000-memory.dmp

Filesize
940KB

Download
memory/2608-52-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2608-58-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads