blackmoon | d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe
Size

13.1MB
MD5

dd2f704ac1941412de7d11fb65db4b31
SHA1

08b4ae480f7d3db703b47115d6b984633b0fc2b9
SHA256

d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c
SHA512

935b8c11977a4a417d7da56cff3f90f580f0fe58d916c8da7a3d5eeb48311bb086fef772ec4cffecf8526c5e6f085611bbbc982fc8b0af874a629bc18021b7bf
SSDEEP

196608:xklTueLqKk6Cf30B0epeRFeaXttXkKCBOv4ViND9l2cfwTgENsB4kg3FCRtYZyIl:xUOwSVdtLvrND9ljPiaJg1CRtYZC/e

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 15 IoCs

resource	yara_rule
behavioral2/memory/336-23-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-51-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-77-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-79-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-81-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-83-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-85-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-87-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-89-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-91-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-93-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-95-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-97-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-99-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon
behavioral2/memory/336-101-0x0000000000400000-0x0000000001D7E000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe

Executes dropped EXE 1 IoCs

pid	Process
2672	aria2c.exe

Loads dropped DLL 1 IoCs

pid	Process
336	d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/336-0-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-5-0x0000000006D90000-0x0000000007331000-memory.dmp	upx
behavioral2/memory/336-6-0x0000000006D90000-0x0000000007331000-memory.dmp	upx
behavioral2/memory/336-8-0x0000000007680000-0x000000000773E000-memory.dmp	upx
behavioral2/memory/336-19-0x0000000007680000-0x000000000773E000-memory.dmp	upx
behavioral2/memory/336-23-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-51-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-55-0x0000000006D90000-0x0000000007331000-memory.dmp	upx
behavioral2/memory/336-77-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-79-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-81-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-83-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-85-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-87-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-89-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-91-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-93-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-95-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-97-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-99-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx
behavioral2/memory/336-101-0x0000000000400000-0x0000000001D7E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
336	d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe
336	d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
336	d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	336	d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe
Token: 33	4872	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4872	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
336	d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe
336	d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 2672	336	d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe	91
PID 336 wrote to memory of 2672	336	d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe	91

C:\Users\Admin\AppData\Local\Temp\d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe
"C:\Users\Admin\AppData\Local\Temp\d4ec9f854ef9d310d0f09fc5553a02d5a3d90ce80b886cb8b8f417231db9253c.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe
  "C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe" --conf-path="C:\Users\Admin\AppData\Roaming\Downloader\aria2.conf" #--save-session="C:\Users\Admin\AppData\Roaming\Downloader\aria2.session" --input-file="C:\Users\Admin\AppData\Roaming\Downloader\aria2.session" --rpc-listen-port=6288 --listen-port=6388 --dht-listen-port=6390 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path="C:\Users\Admin\AppData\Roaming\Downloader\dht.dat" --dht-file-path6="C:\Users\Admin\AppData\Roaming\Downloader\dht6.dat" --bt-external-ip= --stop-with-process=336 --check-certificate=false
  2⤵
  - Executes dropped EXE
  PID:2672

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390 0x398
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Downloader\aria2.conf

Filesize
55KB

MD5
be2848313251cc4bdc3f4d83fbb678ee

SHA1
1e43738b25f0abcb6288e12b7e8d01b3e8666e8a

SHA256
35a633ec422857ce9d27f0e6b948d8b871af90c0430754bdd3f7ca70970e866d

SHA512
7093a99574544973a2c4ea9abebeefdb8b463bb42514a5d06dc29bff6cdd34381f10e394f79a8a5af1b27b86b5a31a71a48e569a2c76a20d4f982a5df61b3932

Download Submit
C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe

Filesize
4.8MB

MD5
a5c047f169471bd325552c255d6c04af

SHA1
e313cff2f3d668ec5d0e90920bd622b0f38aed9d

SHA256
cec8bb942475690363c1558fdf55e3cf59f29607967a822a626d4976a348334a

SHA512
6cf929d36ea0c95815d3218a3b11f0c8f539a6113c368642a70d41379145ba7ace9aed1e5b78836a4cd2ca861d9bcd10fea3e7fc126adb85822ed4cf4f762f0d

Download Submit
C:\Users\Admin\AppData\Roaming\Downloader\libcurl.dll

Filesize
1.6MB

MD5
bd22ce5f3a65508f99b15bafa1124fc3

SHA1
dd3593cd1ca1b0f650accf8251c6f96cea153d79

SHA256
fd33e455719cad3bbe1cce40aa66a36a0d9fefa336135a3b474fb7496c30130b

SHA512
07849bc13d68eecc84688c45b9a4cc24dcf58f72951385d325a9935a55e41cec4c4f591bbe0cc535719d6bfdb950377eedb7ccb32685d4a94c38185ee1a09b9c

Download Submit
C:\Users\Admin\AppData\Roaming\Downloader\log.txt

Filesize
320B

MD5
45bd4675db504d97da341d2246389424

SHA1
5b7010f695070ac2588df58ac38d33bd83cb4176

SHA256
a779da1910e35faaa9728579481ee64714929c621accb9856b341342d56274d0

SHA512
f70df66b741ff07548b02ae5e2eabfd186c3bc4284fc81cd4fadd763bde98f31e6cb27f931876a4894dd562f86b1659678486672c799fe21747eb3abd2735d86

Download Submit
memory/336-55-0x0000000006D90000-0x0000000007331000-memory.dmp

Filesize
5.6MB

Download
memory/336-99-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-5-0x0000000006D90000-0x0000000007331000-memory.dmp

Filesize
5.6MB

Download
memory/336-6-0x0000000006D90000-0x0000000007331000-memory.dmp

Filesize
5.6MB

Download
memory/336-8-0x0000000007680000-0x000000000773E000-memory.dmp

Filesize
760KB

Download
memory/336-7-0x0000000004050000-0x000000000406A000-memory.dmp

Filesize
104KB

Download
memory/336-9-0x0000000075FF0000-0x00000000760E0000-memory.dmp

Filesize
960KB

Download
memory/336-15-0x00000000073F0000-0x00000000074E0000-memory.dmp

Filesize
960KB

Download
memory/336-16-0x0000000007340000-0x000000000735A000-memory.dmp

Filesize
104KB

Download
memory/336-17-0x0000000075FF0000-0x00000000760E0000-memory.dmp

Filesize
960KB

Download
memory/336-18-0x0000000075FF0000-0x00000000760E0000-memory.dmp

Filesize
960KB

Download
memory/336-19-0x0000000007680000-0x000000000773E000-memory.dmp

Filesize
760KB

Download
memory/336-20-0x0000000075FF0000-0x00000000760E0000-memory.dmp

Filesize
960KB

Download
memory/336-22-0x0000000007380000-0x000000000739A000-memory.dmp

Filesize
104KB

Download
memory/336-21-0x0000000075FF0000-0x00000000760E0000-memory.dmp

Filesize
960KB

Download
memory/336-23-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-24-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/336-25-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/336-48-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-49-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-51-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-53-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-57-0x0000000075FF0000-0x00000000760E0000-memory.dmp

Filesize
960KB

Download
memory/336-54-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-0-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-56-0x0000000004050000-0x000000000406A000-memory.dmp

Filesize
104KB

Download
memory/336-50-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-1-0x0000000010000000-0x0000000010116000-memory.dmp

Filesize
1.1MB

Download
memory/336-72-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-64-0x0000000075FF0000-0x00000000760E0000-memory.dmp

Filesize
960KB

Download
memory/336-65-0x0000000075FF0000-0x00000000760E0000-memory.dmp

Filesize
960KB

Download
memory/336-63-0x0000000075FF0000-0x00000000760E0000-memory.dmp

Filesize
960KB

Download
memory/336-66-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-67-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-68-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-69-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-70-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-62-0x0000000075FF0000-0x00000000760E0000-memory.dmp

Filesize
960KB

Download
memory/336-73-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-74-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-75-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-77-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-79-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-81-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-83-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-85-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-87-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-89-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-91-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-93-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-95-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-97-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/336-58-0x000000000B490000-0x000000000B4A0000-memory.dmp

Filesize
64KB

Download
memory/336-101-0x0000000000400000-0x0000000001D7E000-memory.dmp

Filesize
25.5MB

Download
memory/2672-78-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download