blackmoon | b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
Size

366KB
MD5

02f045f3b7bb7ee410e65cc95131c7f9
SHA1

a155d58ecabd7e6d1c6ffe3dd3cd9f1914dbad01
SHA256

b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16
SHA512

3d0a1bc8f4fb059ebe106d5a736cfef7d96ce2e28bdb886876217b9b67b59c725fa1bbf9c39ce0f28df9b63cdbb29b3fcac953c4ee3b94df5e9f5a85e7a4df9f
SSDEEP

6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1V:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1V

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001340b-7.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2604	Syslemcmyem.exe

Executes dropped EXE 1 IoCs

pid	Process
2604	Syslemcmyem.exe

Loads dropped DLL 2 IoCs

pid	Process
2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe
2604	Syslemcmyem.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2604	2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe	29
PID 2856 wrote to memory of 2604	2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe	29
PID 2856 wrote to memory of 2604	2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe	29
PID 2856 wrote to memory of 2604	2856	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe	29

C:\Users\Admin\AppData\Local\Temp\b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
"C:\Users\Admin\AppData\Local\Temp\b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\Syslemcmyem.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemcmyem.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
906f4f2e2628169c30890acbe81f7638

SHA1
e7e190f829624adc9740218af963e010eabd2951

SHA256
0fa3af936c52d26660c64846eaa930d63f1a9f386b4f9066d3d581a5d30ed8ce

SHA512
7166e391ce6f38ba32f74bbbdb373da1132d3709c3609a9138c2b66424f4904b488c94292eeaeab7268e58cb9736a98c4c0b1555c4e5837068e2d4fe4677b9f4

Download Submit
\Users\Admin\AppData\Local\Temp\Syslemcmyem.exe

Filesize
366KB

MD5
f7a2d03993f1179dccf95ff7cefaffeb

SHA1
4129c7e138d828fcb3db5285efe4a1053ccd9902

SHA256
7fe2420ab245ab61bdf5de2b5fb43db656ddc2a964e5d95a38866fe6aece7476

SHA512
c77f2b4f1580b975a528f9241ff73c3691a845fe7cc99d77dc0daffd5869050f3ea99e313ba0dacaad6937265ba40aca2d058ad632e3c6417c4b8aba1aa38784

Download Submit