blackmoon | bbebddadf556c91966fa760f21d04d8990481f254e25b2f38de423503d787ab9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 02:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bbebddadf556c91966fa760f21d04d8990481f254e25b2f38de423503d787ab9.exe
Size

338KB
MD5

ded7639442d93d3835c150a1dac7d9ed
SHA1

a67b69acf9749adfd677ac43d443265b756f15ed
SHA256

bbebddadf556c91966fa760f21d04d8990481f254e25b2f38de423503d787ab9
SHA512

0bd5c739928b3c8d9c65d9c747c512969e27042d56c25eee5d220347f95ffc6616c59cdac8064fd99af9b37de827257427af067f3eb95e0fd73d8daadc22d847
SSDEEP

6144:b5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zkXudes:b5/Q58drihGiLhmGNiZsx0B/zkXoes

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023254-25.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	bbebddadf556c91966fa760f21d04d8990481f254e25b2f38de423503d787ab9.exe

Executes dropped EXE 1 IoCs

pid	Process
3156	Sysceamegayu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bbebddadf556c91966fa760f21d04d8990481f254e25b2f38de423503d787ab9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe
3156	Sysceamegayu.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 3156	4504	bbebddadf556c91966fa760f21d04d8990481f254e25b2f38de423503d787ab9.exe	101
PID 4504 wrote to memory of 3156	4504	bbebddadf556c91966fa760f21d04d8990481f254e25b2f38de423503d787ab9.exe	101
PID 4504 wrote to memory of 3156	4504	bbebddadf556c91966fa760f21d04d8990481f254e25b2f38de423503d787ab9.exe	101

C:\Users\Admin\AppData\Local\Temp\bbebddadf556c91966fa760f21d04d8990481f254e25b2f38de423503d787ab9.exe
"C:\Users\Admin\AppData\Local\Temp\bbebddadf556c91966fa760f21d04d8990481f254e25b2f38de423503d787ab9.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\Sysceamegayu.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamegayu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
f37c60de23dd55fa79cd93a33c82b5c8

SHA1
72f98b2e80b36b8cbe738d24abaf795429d01018

SHA256
528d3fb0110d6e00baf949dd8f1259f8769fa902fb33de541747bd28367da13f

SHA512
a9877867a70615762ebc055bbf7845884499dcdd6ef32ff5f069f5cb2ba547430e4c3c808e10792270afc9352e95b077283a7407f9a2b47038246ff7e9003cc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
a2e7b1441875f636f9f7ebbd038d396a

SHA1
9fe7abd976554c9e7bf1b126e5bc351370d65521

SHA256
edf0af90c4630d96df73574ed2b3ec8bf46a6096053e8a16a7e40d636c2dc0eb

SHA512
f6cf0ad1aa01247ccfd8cbd6256c663252516cb0ed2c449d77a08de29731732640b58d15e4889d152fd739b73838d29406704f43c913c0429091e4bb29772ece

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_0EFD97AA1ED1EC939D6B2DC09A53FAC0

Filesize
471B

MD5
f65f27f41acb28105e071c710851626f

SHA1
993444938d84861187f643506a47076b85f152a8

SHA256
65f87fda17c1d76cb51023d917689d8cb692271809990e9ea9399580d350c4f5

SHA512
b5c376aa0325d4c7963df4c318adacad217573b3391ecf6655504e6ba50e02d4405c0eb7847a753c1f13676361431c7f4eff79360fb510edee48e9e09641eb44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
823574f0875aa5feb1795d399307c0f6

SHA1
04b035574860a7a50abad5506fb1dc49c07ed147

SHA256
bdbe27d307b118ef3cdd76bd3ab7677cac2718e15665c59934141f075f14768f

SHA512
2043937145dd0e0430eb1808c9b369710c3c33c0d3b274138ee4671fbeb3ceacefa6599307172ea7874f4a1ea468ad961aaf660a15dc44f7df980d61108addb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
f4efd66d0f1ffefa0b2a25a606bc2566

SHA1
7ce49dc1a5012a22540cc95970a26a790707ff81

SHA256
22184ede068bbcf5c5f10a8946f59ba06b8ee177d5897d3282cf8427f2784a4c

SHA512
5c7c02f8784168ee31cc5f6930b20d92567540d28212d02a1cd719cf22fa490ddc4cfd887b38f88b2836b6cf5f106f0d1b7defe037380d34044cb346538f50dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
8d33f11505f409044a0727de12c96bc0

SHA1
7728e28116f04c4556bdba8fa8dcea9b15a7be41

SHA256
776e858e3f261fd730bab2ac678c6a3c45777a62c62ce1cb702961be95cb1b35

SHA512
4b9ed9673a1c9387f9c2a284157364a18e61cae589e9f5a9e5df0ca9090682e55b9590afa6c59eec82c808e4c44a0227424788fca8c4dffca70056c9b08eaacf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_0EFD97AA1ED1EC939D6B2DC09A53FAC0

Filesize
402B

MD5
a015f49ce3a9a6b2bb65fee2130fd7b6

SHA1
2c015d053f3075b225a9b0b70233e7f2e94e0ae5

SHA256
60098261fbdf5026a422ba20944015ec596f1b0160a56748e441ca0d4dcf5ffd

SHA512
4aecf90603c8e69094e5d41925563b03482be03a5264e5269d53476aabbb1017689785e3349b623236e399449d25d3c13c396b8f861d0b60b9a283ca48d0533b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
f620a2a346e9a07ce1d195a5f14184e7

SHA1
4f32cfcf6575f8c7880a22f23238d3d56189d829

SHA256
733868982125af33abeb41ba66ecf123cabd3bb717f550070a8c25ff0b28c72d

SHA512
601b320c1fa46f6cdee0299781453cc1a27bd848136302b6f32bcae035b0c0054b4eb60ed4424ab0e7c59cca4380437c92cd771eb0043e6ddb3524048e95318c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamegayu.exe

Filesize
338KB

MD5
1475b3fcf4acd9be69f3ab9ee82c2451

SHA1
d385381d80687554b84f05ceb43090e295de865a

SHA256
4366afc87f5f1696fe54fbd3a338718c45d29fdca30af7f7776cbba6ee4c9ce7

SHA512
68c312cc2f38d18115cd04570815ef997cb378454072ac94508a3afc3806373a5149b2865dee10b8b7cb2640f7e3050cbe6b24240f058765947690a8e3a9de78

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
1942c36b30b2a4c292d6268b5b762c39

SHA1
ded23e306f117dd3434ef779efbc2d833f3578c7

SHA256
60fa25ebf8eec1a896d49ce99f91820e8e39bbcf19eac5acc224dd15d248ff51

SHA512
6b7d2767e1688389bd9abc0b28dbe194453640f9b624de8aff9885b1d436156d5d763729fd91b39411dcd6a1884e74de42c842084b35cd52ed989ee76b609ac9

Download Submit