blackmoon | d67dd66d7f97cca8e9091c6f59e8bc9b4973d73df1f5fdc13fd7e68211679d32

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
Size

440KB
MD5

179a3747b82b58a9c3589974e145adf0
SHA1

80af51f31d6492945a846bd19f773005717f5c2c
SHA256

d67dd66d7f97cca8e9091c6f59e8bc9b4973d73df1f5fdc13fd7e68211679d32
SHA512

09aff14d940db5c491bba80e46f93ba2251505c092eb8b915f6da1b0b7d81b39a81041cfbe8e5685bf500460f15ebbbd777864f84869d6242b17b1ced4721fe2
SSDEEP

6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAt:xgXQKSLpOCtV0R8xMSaAt

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Syslemtkdfz.exe	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

Syslemtkdfz.exe

pid process

4824 Syslemtkdfz.exe
Executes dropped EXE 1 IoCs

Processes:

Syslemtkdfz.exe

pid process

4824 Syslemtkdfz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4824	Syslemtkdfz.exe

pid	process
4824	Syslemtkdfz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exeSyslemtkdfz.exe

pid	process
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe
4824	Syslemtkdfz.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe

description	pid	process	target process
PID 4404 wrote to memory of 4824	4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe	Syslemtkdfz.exe
PID 4404 wrote to memory of 4824	4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe	Syslemtkdfz.exe
PID 4404 wrote to memory of 4824	4404	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe	Syslemtkdfz.exe

C:\Users\Admin\AppData\Local\Temp\179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\Syslemtkdfz.exe
"C:\Users\Admin\AppData\Local\Temp\Syslemtkdfz.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Syslemtkdfz.exe

Filesize
440KB

MD5
4c5a5be459de8c3d4337200262d00496

SHA1
4f3c89e27f155a0186a8185a5d3a0ef6a7ac2658

SHA256
27b75cf01e3e5eec11a5da70d5271de1458b37ce24bff79d73a6eb8c6b5c2072

SHA512
b7fdb330a6cdd920bad43fa5b37f522b2232488826eb92653dc36f380f4e81db52450c44b47d88ddf8c5d25d6ea9cb97552bceacac39a7b5393650ccd5411a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
85B

MD5
54d41c70346c63fe3c979fde34619245

SHA1
67b3fb2513cb6139cc59fc2f3e8d2a7dda90075e

SHA256
78bdb350a85957d40c526bcac8ee71f821376600c40c8d21b08628a38b5f4797

SHA512
50f6e2acc57cd9793d20503d842736b9b97802082872d50d0c293d5551b79e805a2c7c213df6de3dca5306bfa497f03a64fda3c902158c2236b189242e0e4df8

Download Submit