blackmoon | b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
Size

366KB
MD5

02f045f3b7bb7ee410e65cc95131c7f9
SHA1

a155d58ecabd7e6d1c6ffe3dd3cd9f1914dbad01
SHA256

b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16
SHA512

3d0a1bc8f4fb059ebe106d5a736cfef7d96ce2e28bdb886876217b9b67b59c725fa1bbf9c39ce0f28df9b63cdbb29b3fcac953c4ee3b94df5e9f5a85e7a4df9f
SSDEEP

6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1V:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1V

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023251-8.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe

Deletes itself 1 IoCs

pid	Process
4392	Syslemshwub.exe

Executes dropped EXE 1 IoCs

pid	Process
4392	Syslemshwub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe
4392	Syslemshwub.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4392	4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe	97
PID 4780 wrote to memory of 4392	4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe	97
PID 4780 wrote to memory of 4392	4780	b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe	97

C:\Users\Admin\AppData\Local\Temp\b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
"C:\Users\Admin\AppData\Local\Temp\b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\Syslemshwub.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemshwub.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Syslemshwub.exe

Filesize
366KB

MD5
5ccdb9b2f8ae46eb32486e29988632eb

SHA1
eeeb93bad405ef7fa3f2413188921b8133350951

SHA256
59f64bd6d895e224123958df534c13ccda9c79e03f621bb4f8245e1c09dcdd43

SHA512
250ca81653a220ef105a4b1c1dee8ac18017c9789de2a3c815ff8d98e456542c968a07644a2e799b889d230075bb54356a89966c94b2e1b88850a0e6c93eff2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
906f4f2e2628169c30890acbe81f7638

SHA1
e7e190f829624adc9740218af963e010eabd2951

SHA256
0fa3af936c52d26660c64846eaa930d63f1a9f386b4f9066d3d581a5d30ed8ce

SHA512
7166e391ce6f38ba32f74bbbdb373da1132d3709c3609a9138c2b66424f4904b488c94292eeaeab7268e58cb9736a98c4c0b1555c4e5837068e2d4fe4677b9f4

Download Submit