blackmoon | 21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe
Size

436KB
MD5

ebfc92cbe3d9688c1a9963a76fe4f347
SHA1

4ad7b106c65bbed8ed550d10c3dae41e15138284
SHA256

21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6
SHA512

e6ff67524804ae4346de402ea25a8ff29056ba6a0e9289b831992a87a2e4641e283ccb44ff2775acf9678683cc655a36f7ad01460e3f0a9644e529b796052e26
SSDEEP

6144:dGdR+Yk/N8duBmG6t+UnRsRCQ/OJZOg7m:doR+Y4NSG6oUnRsdOJZOg7m

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015e02-13.dat	family_blackmoon
behavioral1/files/0x0008000000015e02-10.dat	family_blackmoon
behavioral1/files/0x0008000000015e02-7.dat	family_blackmoon
behavioral1/files/0x0008000000015e02-14.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
1148	Syslemqkgkp.exe

Executes dropped EXE 1 IoCs

pid	Process
1148	Syslemqkgkp.exe

Loads dropped DLL 2 IoCs

pid	Process
2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe
2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe
2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe
2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe
2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe
2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe
2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe
2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe
2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe
1148	Syslemqkgkp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1148	2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe	29
PID 2456 wrote to memory of 1148	2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe	29
PID 2456 wrote to memory of 1148	2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe	29
PID 2456 wrote to memory of 1148	2456	21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe	29

C:\Users\Admin\AppData\Local\Temp\21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe
"C:\Users\Admin\AppData\Local\Temp\21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\Syslemqkgkp.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemqkgkp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Syslemqkgkp.exe

Filesize
192KB

MD5
8daa92afe4ea0796f01d27cf284d7025

SHA1
d4a3a23990df62f6991eeb1df1f834e9e5433452

SHA256
8f578ce1ba4ec9c019e8faecedc943469e5aefc614e9767c3097de110ce500c3

SHA512
930ec6a5baedc9750b741eba7ccb486b3c025fc46e22eade39de2e1d03f877fac8f9b6f96c3a7fee92bcbdb6c7b44e172740c168c83726cc146c7bed44eb432c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syslemqkgkp.exe

Filesize
189KB

MD5
6a369835b2c89c58739553daa6f059f0

SHA1
27465016faf528ad6f744f2a47dea2c8399d385e

SHA256
90c849e83f624f3134f0207d16d9b6b119d19cab04e459faa39dc55969c23a09

SHA512
8fac8b05157f93a5be7303f932cdb07b71bc3cae526c2e088dfac41f9ea43f9c1b1439c3a55d0043542c32a23594be78166198988f913dd405e199f3a15f3ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syslemqkgkp.exe

Filesize
436KB

MD5
2f9b011ecfb5a1ae18e4f2ec8a7bcd69

SHA1
48bdb2559298114108c1a64d2ee291b07aead074

SHA256
b2cca84fa19370e94ad79f01dd46d77d6f344875330ff002d5d590c31c86a89d

SHA512
e68ed9f371435e3c8cc8bd41c4e7acdca8f72e82e815d7d2d9df58c3f07b84d741c273adccc72879083fc4318f42fdf5dde09d7c04d6a3163283c85d4cd22e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
252b86dbaa70286204bf56b6304b5bb3

SHA1
15d79f00e75da87e4fd6ca69e8cb70c2046b89fa

SHA256
77ae67ea7fdf6de1fff2620104fe543d9451e6f9ee5263b1f05913a1dff5d887

SHA512
c2705dff19a29d2b8b237b1c8a5f4964b25728ca7665aaea213c49019d81f69b9e21cc37e04a7045beb39122de5150f1d272f5b5abda1e3e6c37ebbac7f26945

Download Submit
\Users\Admin\AppData\Local\Temp\Syslemqkgkp.exe

Filesize
256KB

MD5
591821cd46d2abf9ad5fa261b493c44c

SHA1
a169cc42918b636258c0d5cc4f286b41d3dee6a3

SHA256
93724a3cba778db02f72021c8889ccbc64164ed30277adb068279abcc1742ab5

SHA512
ffcc6beb7eb965bf9d1f91414865812ce63f6af2812157557d24b49c12cef67950d3c8406fc9926776f9a59cdcfc1656be65fd8433e8ed5fd3f9cece77ad95c7

Download Submit