blackmoon | bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f

General

Target

bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe
Size

2.1MB
MD5

6ae82709d260e411f60120b958e627d3
SHA1

ace1d5d6e58b4fcee442d778f818f58ee0fc742f
SHA256

bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f
SHA512

eb797779373b17b05e03de050e0fcade9d77501f281e8f67b70f8493e9ab3938c4a8701212dbf5086a53594ac0b7c15fba257e2e77478d4736f7fc093fac6b61
SSDEEP

24576:ZYFbkIsaPiXSVnC7Yp9zkNmZG8RRlntyzFIQnsJ39LyjbJkQFMhmC+6GD9yl4ge:ZYREXSVMDi3TQnsHyjtk2MYC5GDIOge

Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3736-138-0x0000000000400000-0x00000000004AD000-memory.dmp	family_blackmoon
behavioral2/memory/1836-174-0x0000000000400000-0x00000000004AD000-memory.dmp	family_blackmoon
behavioral2/memory/1836-175-0x0000000000400000-0x00000000004AD000-memory.dmp	family_blackmoon

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0006000000023225-5.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

look2.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240615328.bat"	look2.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Synaptics.exeHD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

Executes dropped EXE 6 IoCs

Processes:

look2.exeHD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exesvchcst.exe._cache_HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
2224	look2.exe
4672	HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe
1664	svchcst.exe
3736	._cache_HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe
2712	Synaptics.exe
1836	._cache_Synaptics.exe

Loads dropped DLL 3 IoCs

Processes:

look2.exesvchost.exesvchcst.exe

pid	Process
2224	look2.exe
4752	svchost.exe
1664	svchcst.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000600000002322b-35.dat	upx
behavioral2/memory/3736-72-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral2/memory/3736-138-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral2/memory/1836-174-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral2/memory/1836-175-0x0000000000400000-0x00000000004AD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

Drops file in System32 directory 4 IoCs

Processes:

look2.exesvchost.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\240615328.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

Drops file in Windows directory 1 IoCs

Processes:

._cache_HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

description	ioc	Process
File created	C:\Windows\gzip.dll	._cache_HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exeSynaptics.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

pid	Process
932	bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe
932	bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

._cache_HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe._cache_Synaptics.exe

description	pid	Process
Token: SeDebugPrivilege	3736	._cache_HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe
Token: SeDebugPrivilege	3736	._cache_HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe
Token: SeDebugPrivilege	1836	._cache_Synaptics.exe
Token: SeDebugPrivilege	1836	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

pid	Process
932	bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe
932	bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exesvchost.exeHD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exeSynaptics.exe

description	pid	Process	procid_target
PID 932 wrote to memory of 2224	932	bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe	91
PID 932 wrote to memory of 2224	932	bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe	91
PID 932 wrote to memory of 2224	932	bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe	91
PID 932 wrote to memory of 4672	932	bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe	94
PID 932 wrote to memory of 4672	932	bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe	94
PID 932 wrote to memory of 4672	932	bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe	94
PID 4752 wrote to memory of 1664	4752	svchost.exe	95
PID 4752 wrote to memory of 1664	4752	svchost.exe	95
PID 4752 wrote to memory of 1664	4752	svchost.exe	95
PID 4672 wrote to memory of 3736	4672	HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe	96
PID 4672 wrote to memory of 3736	4672	HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe	96
PID 4672 wrote to memory of 3736	4672	HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe	96
PID 4672 wrote to memory of 2712	4672	HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe	97
PID 4672 wrote to memory of 2712	4672	HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe	97
PID 4672 wrote to memory of 2712	4672	HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe	97
PID 2712 wrote to memory of 1836	2712	Synaptics.exe	98
PID 2712 wrote to memory of 1836	2712	Synaptics.exe	98
PID 2712 wrote to memory of 1836	2712	Synaptics.exe	98

C:\Users\Admin\AppData\Local\Temp\bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe
"C:\Users\Admin\AppData\Local\Temp\bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe
  C:\Users\Admin\AppData\Local\Temp\HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\._cache_HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1836

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:2472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\240615328.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
192KB

MD5
135e5a2e29404f1664d548f2a4d11a2c

SHA1
e4d2605dfe7483be90e46b860bd72b252afcb397

SHA256
8d219615eda44d3847c794d93299d42c36ab0b6e16de6d2088fde0072f139111

SHA512
42140356bf52f02fbafeb285950c9c9d03eb3a12de978133e4b7462d54283eca19c329af8f246dadcb88d3c03dab0ff144f7321c887029f65822c8f5e5f48381

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
64KB

MD5
144ac44b53ed643da8d59f503dc6a300

SHA1
f90f89da66b2d2bc70be63df0881e6fc5a09bc93

SHA256
c0e5854b68553cc3548f4f8afe10f3249386c972032de15bcef0cbff2c61821b

SHA512
2a224f3ea68e9e618b7d547df69bad3748e59097ea1031b6e739145e214697beba7628428880b658887f974377c5ea9e71f6c14c4d9ea280b4394bc63f930d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

Filesize
163KB

MD5
4bc56ded809159a6f2b1474d210b8b3e

SHA1
756557828c0530d07aa6bc67a94fc0252210ac43

SHA256
4aa550f49e4ee285bf02ad4edbc3eaf3929284f7bf23b904b35f1c80d06a3408

SHA512
80f0a5616e62b6613cd7de75a9b5bf92c1611963efd74baddc49faa8dbb3f0defa60a61250e98f3c510ebf527cca5048b7dff96c9b6f00d2e7f4e8fde3a8ce60

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
6594d28676705443d5acae1e0c95b4cd

SHA1
35a23ca1a5ed2ee1fa5b26cd17440b4c09b09944

SHA256
c7895551d086055203a9c2ba5bafe5cc56c794015e20ab8ba7da76fa9d115a16

SHA512
d09fa38e9ea90b35541f6f206508b0866400356ef68893959112b38e76fad9738da7201e17fa76064903d555b8f4101ca310581dda0e29315ef3ca604a265bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_bb6ee781765dbac84cf0ee6b5f0482cb3d9a3ff4ebde867eda01480e06dbca4f.exe

Filesize
916KB

MD5
f9ca881b043fd7fb6efe1a8b16544d4e

SHA1
044b407df348dff814a0498461d80a2dee0f5160

SHA256
158564b0146e9126d35327aff83924db0c2954de05df28dc43ab48279f91ffdb

SHA512
6c59c33639eb2bdd94ed5c1cd0ca10ec8804cc0948bd8edf519a1b507fd27b9098318dd0621530a263b91b58a80141123b34fc4a75b3667f4c981377cdd7489d

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240615328.bat

Filesize
51KB

MD5
549fd0c94c5480a726b98401e5f75302

SHA1
7570cd2d24989aa2cfc2f24b19bb9f7a9940ec70

SHA256
78f72c957c87aa5e4eddd204bf8b072f4dcf32d11a7a50d1d9db4484cd2814fe

SHA512
82c27757167bf37724a1c102df32da219f6775667fa949a9f94d1132fd6fa0ed94a4a8021e7d96aa18826e81a373bf3a243748df2313f34925a468544fdab8e7

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/1836-175-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1836-174-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2712-139-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2712-173-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2712-176-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2712-177-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2712-183-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2712-199-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3736-138-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3736-72-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4672-137-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4672-18-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads