blackmoon | 185487a76e98e7ba79f8b7e59ab55b78a02038f9487542a545c31d7b017c028a

General

Target

8fabbda1d779a34f2dcdd6bc6e8d4874.exe
Size

247KB
MD5

8fabbda1d779a34f2dcdd6bc6e8d4874
SHA1

6fcceac353b07564108c6e2e7b8415c12bbc8773
SHA256

185487a76e98e7ba79f8b7e59ab55b78a02038f9487542a545c31d7b017c028a
SHA512

c7a3a2f713553c14c4d1ce2844828e4e46236b75e4f8082da085476a9d2104acff3369e3dc7ff9d7c1f272828763016a5f6e8924d06edfb9a21dc7729410646b
SSDEEP

6144:ubDkES+ZLIbb9Bq3mGrvQSud3Sx4RGQOWalAUXnDjmUf:2DkES+CGmGre3SaRDOWalAU3/x

Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001233b-7.dat	family_blackmoon
behavioral1/files/0x0007000000015ce7-54.dat	family_blackmoon
behavioral1/memory/2652-57-0x0000000000400000-0x00000000004D7000-memory.dmp	family_blackmoon
behavioral1/memory/2652-63-0x0000000000400000-0x00000000004D7000-memory.dmp	family_blackmoon

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2652-57-0x0000000000400000-0x00000000004D7000-memory.dmp	family_gh0strat
behavioral1/memory/2652-63-0x0000000000400000-0x00000000004D7000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Registers new Print Monitor 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\RunDllExe\Driver = "C:\\Windows\\Logs\\RunDllExe.dll"	8fabbda1d779a34f2dcdd6bc6e8d4874.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\RunDllExe	8fabbda1d779a34f2dcdd6bc6e8d4874.exe

Deletes itself 1 IoCs

pid	Process
2184	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
864	Process not Found
2368	RunDllExe.exe
2300	RunDllExe.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2652-0-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/memory/2652-57-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/memory/2652-63-0x0000000000400000-0x00000000004D7000-memory.dmp	upx

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	203.124.11.111

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 2756	2368	RunDllExe.exe	31
PID 2300 set thread context of 2832	2300	RunDllExe.exe	30

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Logs\RunDllExe_New.dll	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe_New.dll	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe_New	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe_New	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe.exe	8fabbda1d779a34f2dcdd6bc6e8d4874.exe
File created	C:\Windows\Logs\RunDllExe	8fabbda1d779a34f2dcdd6bc6e8d4874.exe
File created	C:\Windows\Logs\RunDllExe.dll	8fabbda1d779a34f2dcdd6bc6e8d4874.exe
File created	C:\Windows\MpMgSvc.dll	8fabbda1d779a34f2dcdd6bc6e8d4874.exe
File opened for modification	C:\Windows\Logs\RunDllExe.dll	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe	RunDllExe.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2652	8fabbda1d779a34f2dcdd6bc6e8d4874.exe
2368	RunDllExe.exe
2300	RunDllExe.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2832	2300	RunDllExe.exe	30
PID 2300 wrote to memory of 2832	2300	RunDllExe.exe	30
PID 2300 wrote to memory of 2832	2300	RunDllExe.exe	30
PID 2300 wrote to memory of 2832	2300	RunDllExe.exe	30
PID 2368 wrote to memory of 2756	2368	RunDllExe.exe	31
PID 2368 wrote to memory of 2756	2368	RunDllExe.exe	31
PID 2368 wrote to memory of 2756	2368	RunDllExe.exe	31
PID 2368 wrote to memory of 2756	2368	RunDllExe.exe	31
PID 2368 wrote to memory of 2756	2368	RunDllExe.exe	31
PID 2300 wrote to memory of 2832	2300	RunDllExe.exe	30
PID 2368 wrote to memory of 2756	2368	RunDllExe.exe	31
PID 2300 wrote to memory of 2832	2300	RunDllExe.exe	30
PID 2368 wrote to memory of 2756	2368	RunDllExe.exe	31
PID 2300 wrote to memory of 2832	2300	RunDllExe.exe	30
PID 2368 wrote to memory of 2756	2368	RunDllExe.exe	31
PID 2300 wrote to memory of 2832	2300	RunDllExe.exe	30
PID 2368 wrote to memory of 2756	2368	RunDllExe.exe	31
PID 2300 wrote to memory of 2832	2300	RunDllExe.exe	30
PID 2368 wrote to memory of 2756	2368	RunDllExe.exe	31
PID 2300 wrote to memory of 2832	2300	RunDllExe.exe	30
PID 2652 wrote to memory of 2184	2652	8fabbda1d779a34f2dcdd6bc6e8d4874.exe	33
PID 2652 wrote to memory of 2184	2652	8fabbda1d779a34f2dcdd6bc6e8d4874.exe	33
PID 2652 wrote to memory of 2184	2652	8fabbda1d779a34f2dcdd6bc6e8d4874.exe	33
PID 2652 wrote to memory of 2184	2652	8fabbda1d779a34f2dcdd6bc6e8d4874.exe	33

C:\Users\Admin\AppData\Local\Temp\8fabbda1d779a34f2dcdd6bc6e8d4874.exe
"C:\Users\Admin\AppData\Local\Temp\8fabbda1d779a34f2dcdd6bc6e8d4874.exe"
1⤵
- Registers new Print Monitor
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\8fabbda1d779a34f2dcdd6bc6e8d4874.exe"
  2⤵
  - Deletes itself
  PID:2184

C:\Windows\Logs\RunDllExe.exe
C:\Windows\Logs\RunDllExe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2756

C:\Windows\Logs\RunDllExe.exe
C:\Windows\Logs\RunDllExe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Logs\RunDllExe.exe

Filesize
160KB

MD5
645564cf1c80e047a6e90ac0f2d6a6b7

SHA1
35e4b5e065b90fe5b1713e5a4645875f023b6a18

SHA256
6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

SHA512
e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

Download Submit
C:\Windows\Logs\RunDllExe_New

Filesize
160KB

MD5
24156be9f3d550f945b51ce684ff9c05

SHA1
c5bd9218628886ec2874e8bc2ada71e0aad25add

SHA256
8eaef0fd58b0094806ff11ff0697ca6ba243a589f9895b8a73ce9304f9c48c00

SHA512
ff3c5b286bd0172522d32736639fce88438ea0d15ee017ff0d7c9c8506b7d937833d47d428e3f437b6e8f0f0f528502c16073a352c89fb3bacfca8fe82e851ce

Download Submit
C:\Windows\Logs\RunDllExe_New.dll

Filesize
89KB

MD5
f33c1d2ec851a214133ab8a6208ce9c8

SHA1
bd7d1823ac71a7a15b4124be050669fda0acf6d8

SHA256
e92c2dea14e58e4069b198c973563a036cdd38b97288259bac1a1efb667741cb

SHA512
6c3561141bc34a57a1f569ca8456efc0aff7ca0c29c615d01d571782f3f153caad22b83c886aadf6f337d85885a581936696c02a84846ea1010b132f991c9e92

Download Submit
\Windows\Logs\RunDllExe.dll

Filesize
89KB

MD5
c02d9300deea8aaa42bf5e9c56ddcf29

SHA1
4c547bab0a92ba6fe77a8bfcef56faf5f1a0ad89

SHA256
54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5

SHA512
c2537d3bf63bf67ac0e844fc65285bcd444896201fd14add9bef7bab054eb93269248ecfa752268e3f692bb8ea3bc8d861e40f4ba5f63b5428f8f75a204315e1

Download Submit
memory/2652-0-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2652-63-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2652-57-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2756-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2832-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2832-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads