blackmoon | f4123eee3b07c949f62dc2487495cff81addf4ab33ae9d54efb63cb31a9eb5a6

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

993efe5c60988c5d0c9f3432adb8e17d.exe
Size

80KB
MD5

993efe5c60988c5d0c9f3432adb8e17d
SHA1

02983be0e8db96e4f75d14982b4ea92df3f982b2
SHA256

f4123eee3b07c949f62dc2487495cff81addf4ab33ae9d54efb63cb31a9eb5a6
SHA512

5db0cdaa6d23d56b80142f3826e5f54577362f309034c8bbd6fe1357eb69b6dca36cc173a18a6cdbc131885d3b49faff8a28aa2631a9cab1c4b94d441dccc47e
SSDEEP

1536:+VtjAKqURk0Ex/tIWLSYGc5cmFF+TTdGka2dQe5GrpXLaY:CN1qURFY/RLSO5cmFY9GMdKGY

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/2668-18-0x0000000000400000-0x000000000046B000-memory.dmp	family_blackmoon
behavioral1/memory/2928-15-0x0000000000400000-0x000000000046B000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2668	Systemkyhyc.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	Systemkyhyc.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	993efe5c60988c5d0c9f3432adb8e17d.exe
2928	993efe5c60988c5d0c9f3432adb8e17d.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2928-0-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/files/0x0007000000014395-8.dat	upx
behavioral1/memory/2668-18-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2928-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2928	993efe5c60988c5d0c9f3432adb8e17d.exe
2928	993efe5c60988c5d0c9f3432adb8e17d.exe
2928	993efe5c60988c5d0c9f3432adb8e17d.exe
2928	993efe5c60988c5d0c9f3432adb8e17d.exe
2928	993efe5c60988c5d0c9f3432adb8e17d.exe
2928	993efe5c60988c5d0c9f3432adb8e17d.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe
2668	Systemkyhyc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2668	2928	993efe5c60988c5d0c9f3432adb8e17d.exe	29
PID 2928 wrote to memory of 2668	2928	993efe5c60988c5d0c9f3432adb8e17d.exe	29
PID 2928 wrote to memory of 2668	2928	993efe5c60988c5d0c9f3432adb8e17d.exe	29
PID 2928 wrote to memory of 2668	2928	993efe5c60988c5d0c9f3432adb8e17d.exe	29

C:\Users\Admin\AppData\Local\Temp\993efe5c60988c5d0c9f3432adb8e17d.exe
"C:\Users\Admin\AppData\Local\Temp\993efe5c60988c5d0c9f3432adb8e17d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\Systemkyhyc.exe
  "C:\Users\Admin\AppData\Local\Temp\Systemkyhyc.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fpath.ini

Filesize
70B

MD5
b1fbb8d113c20cb58f5357225f743704

SHA1
d8b7da6b4bd6e6d6abdf073afcd921bb53b3cbeb

SHA256
6afe26a810afd6534083dfbd5bb3227bf99c6ac92d38cc4d4cb745002d30cb18

SHA512
0b4b8cb9510255f77167cffca7bcde4d7b8a212c6fe24d1ce6dcfa02c5ec4ad10110e5deeec8e37cb4e23483b6f6824ab532100c2987d4ce83dc36c43d8bff3b

Download Submit
\Users\Admin\AppData\Local\Temp\Systemkyhyc.exe

Filesize
80KB

MD5
64e315990460410c92b3f6eb65763913

SHA1
b23d1d2072c7b07384d1fd4ffaba27077d85c0f0

SHA256
ce8cc0808c5511fbf446082ca5febf90e16d31f592b905d6dc35b7d924d3804a

SHA512
d06dd48080c181881f2b313d57a6fa601cc4d3d5eef5339f5344191af98672f0e829116eb4b416d013d8ead2854bc9f07bb44e1e71fafdac613ec65d91640046

Download Submit
memory/2668-18-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2928-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2928-16-0x0000000003640000-0x00000000036AB000-memory.dmp

Filesize
428KB

Download
memory/2928-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download