blackmoon | 6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 20:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
Size

436KB
MD5

7e929437e5cdb172b7ab930566d26806
SHA1

20f81b2e6fbc3c0c6792adbb6504c371677df778
SHA256

6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1
SHA512

90aac4b91e597b72353a4b4a0c81c1fdcf608f8929251d0ab53453a4fd208f59c34451d161000665a45d779fd9453181d20608ddfaa113d93a64ff05d434e153
SSDEEP

6144:dGdR+Yk/N8duBmG6t+UnRsRCQ/OJZOg7M:doR+Y4NSG6oUnRsdOJZOg7M

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000300000002276e-8.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe

Deletes itself 1 IoCs

pid	Process
804	Syslemgmffg.exe

Executes dropped EXE 1 IoCs

pid	Process
804	Syslemgmffg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe
804	Syslemgmffg.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 804	2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe	91
PID 2964 wrote to memory of 804	2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe	91
PID 2964 wrote to memory of 804	2964	6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe	91

C:\Users\Admin\AppData\Local\Temp\6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe
"C:\Users\Admin\AppData\Local\Temp\6209ce232261153e832b5429432db6cfb1c9b8f4313a3dfb4670160ae93327b1.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\Syslemgmffg.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemgmffg.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Syslemgmffg.exe

Filesize
436KB

MD5
776daee6c5f34cf996b05a705d2a14ee

SHA1
d591ef470c7bb26b33b8aeb41d327ffbfa88a8bc

SHA256
9eba933c0c4ab8f7334f2d4d81ba69a3b515bc6f8cf81924a289a502d540003c

SHA512
92b549c6651d1368907a60c1e2e5d8345b090fbd26f4ee5dc76f5333dae3f89d40216b390c1c6ecb16cf9ccbb0021e77a0118a7d67a1f902430892b7b01e8642

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
7e2edbbd8a760181891de1fa7f6faf34

SHA1
ccbd33b7173b0a9b8faef3a09f8200aa68d039e7

SHA256
b45d8627a7c4c00228daca9839532d8f582d29bc9837d6c0332ccdffdc631d31

SHA512
0bc74350bbbca8d2014200956dec9c4e2fb92b012bfaf8413f782fdc45af0ccec290a4fc195cfb5a90a464f8136446ec06ec10e2571545adaecc915166d1c885

Download Submit