blackmoon | cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3

General

Target

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
Size

14.2MB
MD5

45cefebb1570dc47f83314d7aabfb81b
SHA1

f9fc1c320158fd14cb7501882b86ed5c3ab258a5
SHA256

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3
SHA512

b32b13b66f6710e2e1a800ac61311f92b01b7925f170ae0a388aa0b8505d09429e8481d752bcd2fb3d568fd954def2d0caf7a5f542de87b5dc900f86f7e25790
SSDEEP

393216:IpHf+wfENad5MIyWHC6gg//OuzdYe3kyDVRu:IFfINadRyECguihru

Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2620-83-0x0000000000400000-0x0000000001D81000-memory.dmp	family_blackmoon

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\259393174.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259393174.bat"	look2.exe

Executes dropped EXE 4 IoCs

Processes:

look2.exeHD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exearia2c.exesvchcst.exe

pid process

1228 look2.exe
2620 HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
1600 aria2c.exe
2532 svchcst.exe

pid	process
1228	look2.exe
2620	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
1600	aria2c.exe
2532	svchcst.exe

Loads dropped DLL 9 IoCs

Processes:

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exelook2.exesvchost.exeHD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exesvchcst.exe

pid	process
2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
1228	look2.exe
2228	svchost.exe
2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
2620	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
2620	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
2696
2228	svchost.exe
2532	svchcst.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	upx
behavioral1/memory/2028-19-0x0000000005740000-0x00000000070C1000-memory.dmp	upx
behavioral1/memory/2620-20-0x0000000000400000-0x0000000001D81000-memory.dmp	upx
behavioral1/memory/2620-37-0x0000000004240000-0x00000000047E1000-memory.dmp	upx
behavioral1/memory/2620-38-0x0000000003AD0000-0x0000000003B8E000-memory.dmp	upx
behavioral1/memory/2620-83-0x0000000000400000-0x0000000001D81000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

look2.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\259393174.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exeHD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

pid	process
2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
2620	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

description pid process

Token: SeDebugPrivilege 2620 HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

description	pid	process
Token: SeDebugPrivilege	2620	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exeHD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

pid	process
2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
2620	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
2620	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exeHD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exesvchost.exe

description	pid	process	target process
PID 2028 wrote to memory of 1228	2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	look2.exe
PID 2028 wrote to memory of 1228	2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	look2.exe
PID 2028 wrote to memory of 1228	2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	look2.exe
PID 2028 wrote to memory of 1228	2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	look2.exe
PID 2028 wrote to memory of 2620	2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
PID 2028 wrote to memory of 2620	2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
PID 2028 wrote to memory of 2620	2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
PID 2028 wrote to memory of 2620	2028	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
PID 2620 wrote to memory of 1600	2620	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	aria2c.exe
PID 2620 wrote to memory of 1600	2620	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	aria2c.exe
PID 2620 wrote to memory of 1600	2620	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	aria2c.exe
PID 2620 wrote to memory of 1600	2620	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	aria2c.exe
PID 2228 wrote to memory of 2532	2228	svchost.exe	svchcst.exe
PID 2228 wrote to memory of 2532	2228	svchost.exe	svchcst.exe
PID 2228 wrote to memory of 2532	2228	svchost.exe	svchcst.exe
PID 2228 wrote to memory of 2532	2228	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
"C:\Users\Admin\AppData\Local\Temp\cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1228

C:\Users\Admin\AppData\Local\Temp\HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
C:\Users\Admin\AppData\Local\Temp\HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe
"C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe" --conf-path="C:\Users\Admin\AppData\Roaming\Downloader\aria2.conf" #--save-session="C:\Users\Admin\AppData\Roaming\Downloader\aria2.session" --input-file="C:\Users\Admin\AppData\Roaming\Downloader\aria2.session" --rpc-listen-port=6288 --listen-port=6388 --dht-listen-port=6390 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path="C:\Users\Admin\AppData\Roaming\Downloader\dht.dat" --dht-file-path6="C:\Users\Admin\AppData\Roaming\Downloader\dht6.dat" --bt-external-ip=191.101.209.39 --stop-with-process=2620 --check-certificate=false
3⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:2884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\259393174.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.1MB

MD5
4100bc4d5d8235492162f1ed49623c2d

SHA1
5e781f41bffbd811322e792cc8fe24bca3991667

SHA256
8fc1780c2a30ffd38002497a7b5f4440cf46bd8400f2f1e30349686ff23edaa2

SHA512
4d807b459473451c3768313012a3bc92ba920a043a33dd57d8bfd11fa9c45d77dac756f7ac1f42b937d1ec464699eacbab25e9102b91d93ada08909b60364606

Download Submit
C:\Users\Admin\AppData\Roaming\Downloader\aria2.conf
Filesize
55KB

MD5
be2848313251cc4bdc3f4d83fbb678ee

SHA1
1e43738b25f0abcb6288e12b7e8d01b3e8666e8a

SHA256
35a633ec422857ce9d27f0e6b948d8b871af90c0430754bdd3f7ca70970e866d

SHA512
7093a99574544973a2c4ea9abebeefdb8b463bb42514a5d06dc29bff6cdd34381f10e394f79a8a5af1b27b86b5a31a71a48e569a2c76a20d4f982a5df61b3932

Download Submit
\Users\Admin\AppData\Local\Temp\HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
Filesize
13.0MB

MD5
43920d1836f15875181e7a8bebc1a2e6

SHA1
d34deeaad77c4fb3290ec213af8369128704d1ab

SHA256
5f855e37af978982982c9d63b6349f3dd06f2e077818d195c54d97f557ad54e1

SHA512
d71ed34965cbc68e4aa4c78d2489bf833a8057ac49ef4ef957d62d19e4ec00730de3d4fdc169ea4da813512d758df772ca2ab76376015a796a8c836763eba484

Download Submit
\Users\Admin\AppData\Local\Temp\look2.exe
Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
\Users\Admin\AppData\Roaming\Downloader\aria2c.exe
Filesize
4.8MB

MD5
a5c047f169471bd325552c255d6c04af

SHA1
e313cff2f3d668ec5d0e90920bd622b0f38aed9d

SHA256
cec8bb942475690363c1558fdf55e3cf59f29607967a822a626d4976a348334a

SHA512
6cf929d36ea0c95815d3218a3b11f0c8f539a6113c368642a70d41379145ba7ace9aed1e5b78836a4cd2ca861d9bcd10fea3e7fc126adb85822ed4cf4f762f0d

Download Submit
\Users\Admin\AppData\Roaming\Downloader\libcurl.dll
Filesize
1.7MB

MD5
c827add774456c759d2a7b35a2ae3525

SHA1
e6817d1b5c62460bdfd4aa3cd3941a6e7ecdc533

SHA256
5eb7c4723acab028d8bfea807cae6dad1f38d2c21b11586d77a69a716fbc4f2a

SHA512
5febaf93c07eb86b2dd9a228fe18e55ba57183d7300c07da802ddf7d381c3138e20601386744e92caed15e183fa793969ce47fa799e9f124c3f09e0b2c1da22d

Download Submit
\Windows\SysWOW64\259393174.bat
Filesize
51KB

MD5
517b0fb664581edf784c75ceddf4e570

SHA1
9597971b8cbe92047f0e9dcf0ed2a42193ec2967

SHA256
83fcccde56a1a4e06093b9066227912a822aaae57c21e9780c7a38f1a5b554b6

SHA512
4e4504909bfcbb27422e9311f6b49a93c86e3f5729aef893388c10066ab1b2871027d57a48586beef53ad685af0d7a77dfeb701d7e70c366029a77c8b5e9b66c

Download Submit
\Windows\SysWOW64\svchcst.exe
Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1600-84-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2028-19-0x0000000005740000-0x00000000070C1000-memory.dmp

Filesize
25.5MB

Download
memory/2620-21-0x0000000010000000-0x0000000010116000-memory.dmp

Filesize
1.1MB

Download
memory/2620-37-0x0000000004240000-0x00000000047E1000-memory.dmp

Filesize
5.6MB

Download
memory/2620-38-0x0000000003AD0000-0x0000000003B8E000-memory.dmp

Filesize
760KB

Download
memory/2620-20-0x0000000000400000-0x0000000001D81000-memory.dmp

Filesize
25.5MB

Download
memory/2620-83-0x0000000000400000-0x0000000001D81000-memory.dmp

Filesize
25.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads