blackmoon | a81a2cef02dd0eb36b589345429bbd67c51933246d6d0a1e6a5b676ea5bef804

Analysis

max time kernel
121s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be780bcdb9a3cd5a8b4b9840433ac9f0_NeikiAnalytics.exe
Size

1.0MB
MD5

be780bcdb9a3cd5a8b4b9840433ac9f0
SHA1

b54ad3e4a69a878bbecd9e4be24077126d11b6e8
SHA256

a81a2cef02dd0eb36b589345429bbd67c51933246d6d0a1e6a5b676ea5bef804
SHA512

6e2e7394e7c390f842cc3383bb1a62ff0d18a3094e5e9e6afd0e02ecaf61e17fb008cba560766e6fb1e3e37ecdf186c08afad516dbb37fe9b9432da7fe476854
SSDEEP

24576:VEeG1Gv/aSmn77FP/Dpn/JTM/3iVIwSa/l:VEvGnaS8vFnDLk3EIwS

Score

10^/10

blackmoon fatalrat banker infostealer persistence rat trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0036000000016d45-2.dat	family_blackmoon

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2652-18-0x0000000010000000-0x0000000010029000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
2652	Agghosts.exe

Loads dropped DLL 3 IoCs

pid	Process
2976	be780bcdb9a3cd5a8b4b9840433ac9f0_NeikiAnalytics.exe
2652	Agghosts.exe
2652	Agghosts.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Çý¶¯Éú = "C:\\zabucr\\Agghosts.exe"	Agghosts.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Agghosts.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Agghosts.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2652	Agghosts.exe
2976	be780bcdb9a3cd5a8b4b9840433ac9f0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2268	helppane.exe
Token: SeDebugPrivilege	2652	Agghosts.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2268	helppane.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2268	helppane.exe
2268	helppane.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2652	2268	helppane.exe	29
PID 2268 wrote to memory of 2652	2268	helppane.exe	29
PID 2268 wrote to memory of 2652	2268	helppane.exe	29
PID 2268 wrote to memory of 2652	2268	helppane.exe	29

C:\Users\Admin\AppData\Local\Temp\be780bcdb9a3cd5a8b4b9840433ac9f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\be780bcdb9a3cd5a8b4b9840433ac9f0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\zabucr\Agghosts.exe
  "C:\zabucr\Agghosts.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\zabucr\Agghosts.exe

Filesize
23KB

MD5
5aab297fa8f143bfa67310ad78b76d3f

SHA1
5db963c2cca1bc8c8c060c52f7df76ccb477f01a

SHA256
8ec64bc55e5641d7683288e5e8e27c9391f06eb4da096c3d677d8f25ca4d04df

SHA512
c1ee67bd4c6bcfdc4179f905c7abc4ac632c9265b61dd5fdb90eeeec39802abe2cc487a5c8ded8a0748728104170c1b4d3a88904f102e1c3f891fac7702a2256

Download Submit
C:\zabucr\Enpud.png

Filesize
157KB

MD5
c1e4b112fb3a145e42ddea34f47033e1

SHA1
e62dde9931108e6a26239e9faf6c770b63b5b381

SHA256
9a2e8017e6c3eac3fe203630f805f0ec1f9a08b73d409f8076466f33db9fb6e0

SHA512
d086b878007103a8408a442b29b8571d706f8b788234b491ac70a61d115766165a14430679930051787ac354c6cdccd84aa778331f6d2855eaa426dd5b9ae0c4

Download Submit
\Users\Public\Videos\study50\2.dll

Filesize
536KB

MD5
3ac57b27cb56ba11a3c96426bdc6d7d9

SHA1
b4ad69727c12a004484a9a45e5914a43c2f7d877

SHA256
eacd208cedc90a0a97c802de48ac252f6374b276ab3a47daa5ecd4587a502802

SHA512
19108594cf70b4aa87fdcc55d078639c6b7fc8cc83d98aac88f3bf89ff67f620cf7cc2a814b1b5c86ab562314443f2630a3e49a80b552556fe79114e6b8a43b2

Download Submit
\zabucr\QiDianBrowserMgr.dll

Filesize
123KB

MD5
5e426092839f4fb2b77b10968500b6f7

SHA1
96e0be8e3975f93d429b27869fe3353c8462757b

SHA256
ed419431870a7bf25a04d1919023837b350f5956f05d683cc25ef0debf47e69c

SHA512
9c1d55ff14d57711d2f3a4fb04adf62f2a186ef7b4160ca37178a413ebb3b20c703d9380e6d54b3d03a4e1cd97b44f66cf6f5a67028e1a4cc34e74f576915a46

Download Submit
\zabucr\vcruntime140.dll

Filesize
77KB

MD5
f107a3c7371c4543bd3908ba729dd2db

SHA1
af8e7e8f446de74db2f31d532e46eab8bbf41e0a

SHA256
00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

SHA512
fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

Download Submit
memory/2268-10-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2652-18-0x0000000010000000-0x0000000010029000-memory.dmp

Filesize
164KB

Download