blackmoon | f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe
Size

355KB
MD5

2eca7433ec9b1b18d9500a69d8699790
SHA1

54c2e6091297fe0b52f52a6d10c1b42d42ad2f00
SHA256

f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f
SHA512

ce0a2c309049b8d2e109ff4f93621c020026bc0fefe0c8071f5752a0def589aaa228794d400d097f4b38d7120013f5c1300be723cd87d4569bd61b7bc638a6f2
SSDEEP

6144:/qvk3Q5ibjnNuuXckaL7pbRBkce97aw/N4L7ov:/qvMQ5ibjnwka3pbRC19Gw/Nsov

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015ceb-13.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2672	Systemxgjxn.exe

Executes dropped EXE 1 IoCs

pid	Process
2672	Systemxgjxn.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe
2756	f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe
2756	f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe
2756	f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe
2756	f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe
2756	f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe
2756	f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe
2672	Systemxgjxn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2672	2756	f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe	29
PID 2756 wrote to memory of 2672	2756	f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe	29
PID 2756 wrote to memory of 2672	2756	f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe	29
PID 2756 wrote to memory of 2672	2756	f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe	29

C:\Users\Admin\AppData\Local\Temp\f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe
"C:\Users\Admin\AppData\Local\Temp\f903e135a65eb8054aa175ae64f9bbaf89e317967ef03c6f9819f2847a9ca67f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\Systemxgjxn.exe
  "C:\Users\Admin\AppData\Local\Temp\Systemxgjxn.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Systemxgjxn.exe

Filesize
355KB

MD5
c913aeb16a24076d7a36e7d106ff9a61

SHA1
27ba913fd4ff366ddba278304aeb4a0e05b8c102

SHA256
8e5e7a4128a6ebf4fef5dbe4052460df58e0b4cb925445e25c6ef9fa1ee6c0f2

SHA512
26558c965b8f1819ebd258818d26e4f248263d0126bc4a6ea96e9d953e0da9a0f2cc019666d0a68fcbaa62890d274ffdf39de9bcb89eb511bf99e1257fe493f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpath.ini

Filesize
102B

MD5
a2f2093d029cd344db897bd91c46ad21

SHA1
34b39f76d221d4a07d5177c01a2bff9b74156efb

SHA256
34cd9d0a43a31cbff3ade43299b0c44c0dc64705f6f401efbd3087a53b271a2e

SHA512
f3425767f42a0ada4d6a03e43049e6bcc95d1122e22051692cddbf2f1980d13bd9a9e90021a463e82486cf8b6ccdd215542c9de2645c5244dae482e9aaf7ed0f

Download Submit