blackmoon | 8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 23:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe
Size

92KB
MD5

e5428d1eca263dcb05b8858eefb9f81c
SHA1

dbbed6c49e5d7c8614d52b9eaf742242e5bfb2ef
SHA256

8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f
SHA512

29d64ac45cc0f6c5bfeddc540bec0b895a288e2492712cb38a0cf9514de584c810ab8b4fb94c5529c94cd1dfebec57d3b240039d9ed625525a9fa6d7426fdf4c
SSDEEP

1536:Q/vTGudTe5k4Lo8KI2Z4yNcR5Mpk7WO9f2zXGYxTIx9JL8IoQ6CqZphkC:Q/bhOrBKIq4XR5Mpp+fw2CIx9JLYpkC

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/1988-18-0x0000000000400000-0x000000000047F000-memory.dmp	family_blackmoon
behavioral1/memory/2872-15-0x0000000000400000-0x000000000047F000-memory.dmp	family_blackmoon
behavioral1/memory/1988-21-0x0000000000400000-0x000000000047F000-memory.dmp	family_blackmoon

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000400000-0x000000000047F000-memory.dmp	UPX
behavioral1/files/0x0007000000015d4e-10.dat	UPX
behavioral1/memory/1988-18-0x0000000000400000-0x000000000047F000-memory.dmp	UPX
behavioral1/memory/2872-15-0x0000000000400000-0x000000000047F000-memory.dmp	UPX
behavioral1/memory/1988-21-0x0000000000400000-0x000000000047F000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
1988	Syslemuxeck.exe

Executes dropped EXE 1 IoCs

pid	Process
1988	Syslemuxeck.exe

Loads dropped DLL 2 IoCs

pid	Process
2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe
2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/files/0x0007000000015d4e-10.dat	upx
behavioral1/memory/1988-18-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/2872-15-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/1988-21-0x0000000000400000-0x000000000047F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe
2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe
2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe
2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe
2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe
2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe
2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe
2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe
1988	Syslemuxeck.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1988	2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe	29
PID 2872 wrote to memory of 1988	2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe	29
PID 2872 wrote to memory of 1988	2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe	29
PID 2872 wrote to memory of 1988	2872	8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe	29

C:\Users\Admin\AppData\Local\Temp\8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe
"C:\Users\Admin\AppData\Local\Temp\8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\Syslemuxeck.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemuxeck.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
43ca01e5abbe6045773e285a7eb0d220

SHA1
367ca173934f15508fb300b8ebff8b04dac9d955

SHA256
9c8475607b73673ac6a07f9dfc077fa8332415cfbbb8ee1f81f683fbf09a757c

SHA512
f0c61397cff937c93d968e60d972edc4650be7fa3e757dbd80848ffd1978320d9ba5a5e3b8e692c6bbd9cd37a912a3da941ea48dbc8d01489e887274a2ef7247

Download Submit
\Users\Admin\AppData\Local\Temp\Syslemuxeck.exe

Filesize
92KB

MD5
46ee6d2749f2000e0f37c351296ab6b4

SHA1
7bcf560a40092c19aa9e579d1528d3fb0acaf3c6

SHA256
f7db04d8f8b39d4fb45c6d1dcc6444403b2b64c37cc4fb36523f2410a98cbfa8

SHA512
e2aecc2aa092688f906d09ed0798d5404db834e2f0b9c0f23470e34849d046bafa68b1e3fe23e7544df852c24acd74b7d25b69fe3747654104faebe6a63c1498

Download Submit
memory/1988-18-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1988-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2872-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2872-16-0x0000000002DC0000-0x0000000002E3F000-memory.dmp

Filesize
508KB

Download
memory/2872-15-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download