blackmoon | 8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
Size

366KB
MD5

a0abc9b568ecaedbaa97275980661174
SHA1

efad7f2696246ddbbc46b65303fc56e7740211a9
SHA256

8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0
SHA512

2ccdde4214afb76ea78c8a99663b6d5a8fc2fa9d8e6ae235fd95a0a2e7cf827968308bd3ea8991eb803ad9f0e065c5ebbe1bd57f7822ad87ee155598e97e67b4
SSDEEP

6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P16:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P16

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015e07-10.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2064	Syslemonlua.exe

Executes dropped EXE 1 IoCs

pid	Process
2064	Syslemonlua.exe

Loads dropped DLL 2 IoCs

pid	Process
2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe
2064	Syslemonlua.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2064	2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe	29
PID 2976 wrote to memory of 2064	2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe	29
PID 2976 wrote to memory of 2064	2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe	29
PID 2976 wrote to memory of 2064	2976	8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe	29

C:\Users\Admin\AppData\Local\Temp\8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
"C:\Users\Admin\AppData\Local\Temp\8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\Syslemonlua.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemonlua.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Syslemonlua.exe

Filesize
366KB

MD5
f6d68c37650744d0f897741d2f66449c

SHA1
5f919ad64530762b964a99f2a59f59644f111a46

SHA256
5e89efd1e748186ac5719e9f0efea68c5e31ebfc1055d7e6d652cc9fae969fb1

SHA512
272526a29f34072902e674c9e0f636578ca151cd74f926f7cd71e665f628b52d0543a90119e7b336c3e74821ea60c4d89296659a98790053d50aa7446e7f26b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
0fa174849605ad28bd6456cf9b8880ff

SHA1
5aa88d4d40c5d72169b1a516bf8cd5a3e6ec3780

SHA256
dcd64b274111e34910653a332d2b98234fe4f78218207fcdfef867aec5f48ced

SHA512
056d3257613a2f85d74b826b75df4147c3a347c17d19e6d3b80a121fdec76a86b978a654018b9deca99542331ba0e391db21dc988e0e5be88dc51e40ae10b82b

Download Submit