blackmoon | 57de7cee41f4ae1a322b1cbe583be6e4de79fa6c76ca8aef37b663ac80158ed2

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03d39237e46983d571a602be445752f6.exe
Size

425KB
MD5

03d39237e46983d571a602be445752f6
SHA1

151f7ce5632c25d7c8be38fdc9ca83f99c7876ce
SHA256

57de7cee41f4ae1a322b1cbe583be6e4de79fa6c76ca8aef37b663ac80158ed2
SHA512

322c17bc070fc0e395fac7286ffb3cf1cb077651d17aada8fb347b28cccf7508d28bfb1863b64d6a5c0e843689ae7d1f1466d1c6e697fc6f8890b711072bb511
SSDEEP

6144:evk3Q5ibjnNuuXckaL7pbRBkce97awz7L7orT2O:evMQ5ibjnwka3pbRC19Gwz7orT2O

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 6 IoCs

resource	yara_rule
behavioral2/memory/2804-0-0x0000000000400000-0x000000000046D000-memory.dmp	family_blackmoon
behavioral2/files/0x000a000000023130-9.dat	family_blackmoon
behavioral2/files/0x000a000000023130-13.dat	family_blackmoon
behavioral2/memory/1472-14-0x0000000000400000-0x000000000046D000-memory.dmp	family_blackmoon
behavioral2/files/0x000a000000023130-12.dat	family_blackmoon
behavioral2/memory/2804-16-0x0000000000400000-0x000000000046D000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	03d39237e46983d571a602be445752f6.exe

Deletes itself 1 IoCs

pid	Process
1472	Systemlzhal.exe

Executes dropped EXE 1 IoCs

pid	Process
1472	Systemlzhal.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2804-0-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x000a000000023130-9.dat	upx
behavioral2/files/0x000a000000023130-13.dat	upx
behavioral2/memory/1472-14-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x000a000000023130-12.dat	upx
behavioral2/memory/2804-16-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	03d39237e46983d571a602be445752f6.exe
2804	03d39237e46983d571a602be445752f6.exe
2804	03d39237e46983d571a602be445752f6.exe
2804	03d39237e46983d571a602be445752f6.exe
2804	03d39237e46983d571a602be445752f6.exe
2804	03d39237e46983d571a602be445752f6.exe
2804	03d39237e46983d571a602be445752f6.exe
2804	03d39237e46983d571a602be445752f6.exe
2804	03d39237e46983d571a602be445752f6.exe
2804	03d39237e46983d571a602be445752f6.exe
2804	03d39237e46983d571a602be445752f6.exe
2804	03d39237e46983d571a602be445752f6.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe
1472	Systemlzhal.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1472	2804	03d39237e46983d571a602be445752f6.exe	92
PID 2804 wrote to memory of 1472	2804	03d39237e46983d571a602be445752f6.exe	92
PID 2804 wrote to memory of 1472	2804	03d39237e46983d571a602be445752f6.exe	92

C:\Users\Admin\AppData\Local\Temp\03d39237e46983d571a602be445752f6.exe
"C:\Users\Admin\AppData\Local\Temp\03d39237e46983d571a602be445752f6.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\Systemlzhal.exe
  "C:\Users\Admin\AppData\Local\Temp\Systemlzhal.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Systemlzhal.exe

Filesize
171KB

MD5
c527387b819fe833bd52edd659cef3a2

SHA1
50a7ac32bc87a04aa5eb18912862bf435c667fe8

SHA256
af2e2db343bccd65cf94c1e5db75fa6f5cb8c9c3e7933413164bf68b90ab7b2b

SHA512
2cf52b99b904a376cfb19b876d5ee9a92b2e69de8b8c85c4d69b00c826d2b74151c088094e7072bfde80c9b7b7b94319b105390049afc63a186312a295a2fe3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Systemlzhal.exe

Filesize
425KB

MD5
625b94327c3778295f029a99e363e4dc

SHA1
65d14fa8a868e074e076f6502cb9076d3bda1d9b

SHA256
ae3ff9d1ed118d2c337cc959caa6a351cdc53e591c3381cbab8c61fb33b16aff

SHA512
caf66e725505348ec22a2a0836ce8d199b5b726febc7dd3662207ba1265c3c4773b18eefbcfebfb7fcea1d48a4df19840637241fdafcf1e05c8cf61b09d07f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Systemlzhal.exe

Filesize
146KB

MD5
b61467816e2dea9052275bd0e53d62a1

SHA1
f70919c9a48f0a36ff5f1eeaafa7d781321b48e3

SHA256
2ebecb98a81b877d06ceebf1467e9b7bf1e4821a5ff84cb5ecfc062f13429462

SHA512
2d8b2475afe0a53365db3b229415ea191c44601b1c9fac495c6bd80038b2bcbd59b279be07074d2cff08f53a144faf6be269edcc1bd48ea24c9dd194304470b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpath.ini

Filesize
70B

MD5
2893ad06f5f205edbb5f61c4c3b47330

SHA1
1c2b9ffb1401acf428fe3065a48273a91413d1ad

SHA256
300a4bbfcd56a0fd9f2b6c5b4ade0cb1e9366fdd5f866e2c49327c65933dbfaa

SHA512
f65c94d7a79fa9490ef612dfccc75bfe674a9466cb1c11f47b9dcd66483fc749a8a4b34534f883f1ba048dd67d9c7b943f2607401b6ce8298f5534354cd85feb

Download Submit
memory/1472-14-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2804-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2804-16-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download