blackmoon | 9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
Size

440KB
MD5

d5239ba56ef2f39b1da523e804f33625
SHA1

a9399024792609e7943c95a5e7b61c75255606e4
SHA256

9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341
SHA512

ce4257251920599a88e67f36d91585c9b58ba2d7a40023bb35b28241b01752b98afcf569e7777b0fed5a9512d09e15fbc648518b7c6cf2656e68024c1e4e6288
SSDEEP

6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAn:xgXQKSLpOCtV0R8xMSaAn

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016c60-7.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
1572	Syslemohgcd.exe

Executes dropped EXE 1 IoCs

pid	Process
1572	Syslemohgcd.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe
1572	Syslemohgcd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1572	2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe	29
PID 2188 wrote to memory of 1572	2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe	29
PID 2188 wrote to memory of 1572	2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe	29
PID 2188 wrote to memory of 1572	2188	9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe	29

C:\Users\Admin\AppData\Local\Temp\9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
"C:\Users\Admin\AppData\Local\Temp\9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\Syslemohgcd.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemohgcd.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
cf91ff5eb93d270fe15a0b5a5540e521

SHA1
26b5fe6abdd6bbde5d4bbd27bddc2408f78fe168

SHA256
4e73437b3b3c1878e3a958f52ca16e696fc005af49d7c6dc6aef1f13feffd1e2

SHA512
f84e6820396db592fb35d607a82fe048651a3d762175ada0188efeac739a67544ab73d7b1c0a5b370d1db31dd68c138aaab00cc23687d52e66192ff73a7edb1c

Download Submit
\Users\Admin\AppData\Local\Temp\Syslemohgcd.exe

Filesize
440KB

MD5
5f832cdc081bbd9a0098265bdba6c8b4

SHA1
435ca4594f43e7f5fa89c60e80a0790042bc2329

SHA256
66ab918566364df1df62dca35560dc208269340358aa0bcdc948a49dde36572e

SHA512
2f096f1f82c07b3d585a9c77ed6808037236ef78a75ac963fb44ea49b97ec4e108f283ada8506fad988af4dd493a0c3bbe5f243730fae63052766102e42fb36b

Download Submit