blackmoon | e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428

Analysis

max time kernel
175s
max time network
62s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
Size

366KB
MD5

a0307df6eb0b3cce819ad6a5894c08ee
SHA1

13725598a9d292256bc6321bf8abeb2220e479c7
SHA256

e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428
SHA512

ba9a10f71653d4a5365db9168a4e2939d10b4e6ec9ef4fd908a288561d20297c819b1bdb4b673113099b07c522fe8d0637a91a160034bdd392e2f666e8bd6a3a
SSDEEP

6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1p:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1p

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00110000000055a2-7.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
1932	Syslemajcxy.exe

Executes dropped EXE 1 IoCs

pid	Process
1932	Syslemajcxy.exe

Loads dropped DLL 2 IoCs

pid	Process
2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe
1932	Syslemajcxy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 1932	2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe	32
PID 2652 wrote to memory of 1932	2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe	32
PID 2652 wrote to memory of 1932	2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe	32
PID 2652 wrote to memory of 1932	2652	e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe	32

C:\Users\Admin\AppData\Local\Temp\e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
"C:\Users\Admin\AppData\Local\Temp\e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\Syslemajcxy.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemajcxy.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
1226e6a47fdbfd78df76bdd45cb0564c

SHA1
8a08de365b4413c6d7882bfd8a3775d26d367712

SHA256
2280de56f43d6a590c031f896069615a7aec2a7f749bc20b323eb67a253da6d3

SHA512
bd620b7b953abc34714ee711d6b77cac9c81dd195884cb8e37937822cd2884a0775bf7413c92f17784e7f1e500f18951f95e7918f5a6fecfee546a2d34a4f029

Download Submit
\Users\Admin\AppData\Local\Temp\Syslemajcxy.exe

Filesize
366KB

MD5
acc11a8280acb5e6040fc3f0e0f34d27

SHA1
c73968a9a441bc510998120d49e987c13ffc8fb3

SHA256
91feb5e490281cc17d34f03ea6497b8b42314db355200a41d0e5bb8bd4d9c1c2

SHA512
6c390e2d37a8760f5e6b5a66cf43c91aaabe21c4d31c8b8a280c9295f23a9190e19c8a3cde06f3e01471de4bf0f9a1e13f68f0559c32f9ade3148cbe9aa6bb96

Download Submit