blackmoon | 7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe
Size

338KB
MD5

4e41e5c0337518e0af73d40dcac7fe28
SHA1

2d0aac986459b1cfb11a3d80154053553bc43523
SHA256

7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8
SHA512

9e7302d2332e093d598bab3c8292d84a240144d04889c42c39b3b2d76f6f8da70ae695d13dae5b1cd2377963a375121531237412965d8f05eb484422cb324196
SSDEEP

6144:b5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zkXudeM:b5/Q58drihGiLhmGNiZsx0B/zkXoeM

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000001da5d-25.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe

Executes dropped EXE 1 IoCs

pid	Process
2128	Sysceampqegl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe
2128	Sysceampqegl.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 2128	552	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe	100
PID 552 wrote to memory of 2128	552	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe	100
PID 552 wrote to memory of 2128	552	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe	100

C:\Users\Admin\AppData\Local\Temp\7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe
"C:\Users\Admin\AppData\Local\Temp\7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\Temp\Sysceampqegl.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceampqegl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
05651edc7e6882d86621e189f61da8ca

SHA1
af3e7fc472ed2e8f83a80382b71990cceac67780

SHA256
4b41dba679ca244d3e15b5e100c0deb6ff76764f1731a1477f5d921e1229df35

SHA512
117800d588a55cd209d3a2111cb630944f1aefdb10baf7d755d95be54b09db9fcc1e5a34ed04a5c2e0741ff786183b301dd0a5a9f9b3dcb3159505512bb98c5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
a2e7b1441875f636f9f7ebbd038d396a

SHA1
9fe7abd976554c9e7bf1b126e5bc351370d65521

SHA256
edf0af90c4630d96df73574ed2b3ec8bf46a6096053e8a16a7e40d636c2dc0eb

SHA512
f6cf0ad1aa01247ccfd8cbd6256c663252516cb0ed2c449d77a08de29731732640b58d15e4889d152fd739b73838d29406704f43c913c0429091e4bb29772ece

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_0EFD97AA1ED1EC939D6B2DC09A53FAC0

Filesize
471B

MD5
f65f27f41acb28105e071c710851626f

SHA1
993444938d84861187f643506a47076b85f152a8

SHA256
65f87fda17c1d76cb51023d917689d8cb692271809990e9ea9399580d350c4f5

SHA512
b5c376aa0325d4c7963df4c318adacad217573b3391ecf6655504e6ba50e02d4405c0eb7847a753c1f13676361431c7f4eff79360fb510edee48e9e09641eb44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
b315c12276adeca50bc7557f56840272

SHA1
aa595bdc4b07cf4c66f6fdde508ecf2f70fde4c8

SHA256
ca5dcd9db3808826542eb06e18a6a08202c24e78d1c8ad94d1152a344296a182

SHA512
c1c322e026929fe3ee1a69683de9399a1c279fc39f6937835a6a95a20e77c258fe004f7a0ac72c9f49d860fbb77aeef0fd8863d8b601defa946253f1d4b92134

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
e25b08c4c8ffdc7cb76839087b8e60a7

SHA1
bfb2155f834e2a921424813a2808d458bea5ed10

SHA256
57bd78c6bf43eddf184c9d9f0e89ec30f547325f5d1a72e3924fa07dfffebef3

SHA512
7aeadcbaa8b2ed563d5d591435f2a34128bf0bea31b0ef3a5cef83d784e688651565102b60dd1268224f12cf70c4e85bd1e3ce0c3e099d078cb48829848074ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
ec4aec6b541eaec0b2bbc35e5335fa30

SHA1
7c246e96a98b40137e6eb02532a5bb19be48950c

SHA256
3abd622cf96d273c32ada8a00f014e4fa9ba4ccff90907bc7fc31e2cbb6e908e

SHA512
76a0107eb4d1ed459e6cff57a9b5a75df638312c772be44380a7099c7b38a3e50abe2cba0812dcf6b35ad178f987d21a3c0f943af2c65c847f13cb964be762dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_0EFD97AA1ED1EC939D6B2DC09A53FAC0

Filesize
402B

MD5
a70883b8de8cb3c984b1480ff98431cd

SHA1
471b2badb243bbbcefbe8d60de905733ea7b0b58

SHA256
a6eb448999c5085986f10ac3d9a610d154af4ba5432bb8f390db846490c98433

SHA512
5e7e107c8f65351328279ce02438c11201950f2257d62748572acc04464f891af9c0b15d30d08fbce41e54b568d197fad274037210f731ef81fbdbf68c5cbf4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
237a88e8c06a1e319fb77760deb70141

SHA1
a36bd5a5929c7cf3038acfa75009e5307a4566b7

SHA256
f10e1024c96aaaadea34c438897f1dec28e4be8ace0db44c513e4363b4b98659

SHA512
5f4db5950b1c365af1c09e847b6b5ce8adb4b25e53968a99f442ffbe20982a1e10c4983778f2dd71a3a1f22a27f78a581a2073d7d807d119d9fff68517684e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceampqegl.exe

Filesize
338KB

MD5
73d8393c38c7147ed9852dfa1e63fc99

SHA1
fb2d670b5aacc17e58005b4197e0eacae992c22e

SHA256
d728c6e4fc84d2a9c19b764df68b79fe28019cde22f0a7a77c508c9736f9d9c8

SHA512
59af31000c00de956fbe34cb96123bd0d725dae346d611f2afb9a964a8986a12a4a157f9d910d9d891181eff2b8e9bbf48648650a9d2abd2fc3c0229f0a8582b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
ed0b0b80f777083e90626f85fb2b57ef

SHA1
d36d42becfaef3d9d3aa0c894707ce5bfaf8cb38

SHA256
33ad609a71c8dad5ab01022f341fab4af467a8deb7ec7b6ba40a3721be1c1613

SHA512
055a8788f815402eaf19e5c29de9508c5d0a59a9714ca2ea434d2850268bd089814f203f8e8a4da15c8682c13a63f566a43dc441311294227cee8df7d92926cb

Download Submit