blackmoon | 9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1.exe
Size

1.8MB
MD5

d55234e703c601880f1f9392678d0dc8
SHA1

59435f8d2b585302447486b7719d209b45309cec
SHA256

9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1
SHA512

ac91ff473406069a37780c319be5668909975b8108c601d4bd83b8ac84a32ee4ba86eab4f2e5b7aa8e8b43303cf4d35ea101e044e7faaaf0afd1e229d0d80a14
SSDEEP

24576:9r0TxazTID9UhQtRlA6Jz7kzSRciXSD3FbbBN/IyZJbOOEHqBh3SWgSklWNy+:9ZzED7tRX8SWwWpNN/IyjEOBST1WNy+

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023235-53.dat	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023231-55.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1468	GFANLU.XQAL

Loads dropped DLL 4 IoCs

pid	Process
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/448-2-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-4-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-8-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-10-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-12-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-16-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-24-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-27-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-33-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-44-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-46-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-48-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-50-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/files/0x0008000000023231-55.dat	upx
behavioral2/memory/1468-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/448-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-62-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-66-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-68-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-70-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-80-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-96-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-94-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-99-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-103-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-107-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1468-108-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	GFANLU.XQAL
File created	C:\Windows\SysWOW64\ESPI11.dll	GFANLU.XQAL

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL
Token: SeIncBasePriorityPrivilege	1468	GFANLU.XQAL
Token: 33	1468	GFANLU.XQAL

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
448	9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1.exe
448	9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1.exe
448	9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1.exe
1468	GFANLU.XQAL
1468	GFANLU.XQAL
1468	GFANLU.XQAL

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1468	448	9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1.exe	87
PID 448 wrote to memory of 1468	448	9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1.exe	87
PID 448 wrote to memory of 1468	448	9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1.exe	87
PID 1468 wrote to memory of 4552	1468	GFANLU.XQAL	91
PID 1468 wrote to memory of 4552	1468	GFANLU.XQAL	91
PID 1468 wrote to memory of 4552	1468	GFANLU.XQAL	91

C:\Users\Admin\AppData\Local\Temp\9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1.exe
"C:\Users\Admin\AppData\Local\Temp\9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\GFANLU.XQAL
  "C:\Users\Admin\AppData\Local\Temp\GFANLU.XQAL"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\netsh.exe
    netsh winsock reset
    3⤵
    PID:4552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ESPI.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GFANLU.XQAL

Filesize
1.8MB

MD5
8bd12df8f2b558c286b673a0a1568a02

SHA1
c0e8c844987ff66d8c884223b6a752e3c98a5bf1

SHA256
ce9220a1a73ca2023241b0d982e5d922a66f82ff83abf636d557bc2f209b568a

SHA512
ac797eee0cde5f325229483f1483ddbae7569ef7e93e908324ee2bca977cdee9dd0117f21f9ad1d6cbeb908fb358c3e158ddb3a1cddf7c446eee706b66870d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKinH_EL.dll

Filesize
86KB

MD5
114054313070472cd1a6d7d28f7c5002

SHA1
9a044986e6101df1a126035da7326a50c3fe9a23

SHA256
e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

SHA512
a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

Download Submit
memory/448-50-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-4-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-10-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-12-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-16-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-24-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-27-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-33-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-44-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-46-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-2-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-8-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-6-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/448-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-80-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-66-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-68-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-70-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-62-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-96-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-94-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-99-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-103-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-107-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-108-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1468-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download