blackmoon | cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3

General

Target

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
Size

14.2MB
MD5

45cefebb1570dc47f83314d7aabfb81b
SHA1

f9fc1c320158fd14cb7501882b86ed5c3ab258a5
SHA256

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3
SHA512

b32b13b66f6710e2e1a800ac61311f92b01b7925f170ae0a388aa0b8505d09429e8481d752bcd2fb3d568fd954def2d0caf7a5f542de87b5dc900f86f7e25790
SSDEEP

393216:IpHf+wfENad5MIyWHC6gg//OuzdYe3kyDVRu:IFfINadRyECguihru

Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3364-79-0x0000000000400000-0x0000000001D81000-memory.dmp	family_blackmoon

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240594937.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240594937.bat"	look2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

Executes dropped EXE 4 IoCs

Processes:

look2.exeHD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exearia2c.exesvchcst.exe

pid process

2164 look2.exe
3364 HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
4312 aria2c.exe
3648 svchcst.exe
Loads dropped DLL 4 IoCs

Processes:

look2.exesvchost.exeHD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exesvchcst.exe

pid process

2164 look2.exe
4732 svchost.exe
3364 HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
3648 svchcst.exe

pid	process
2164	look2.exe
3364	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
4312	aria2c.exe
3648	svchcst.exe

pid	process
2164	look2.exe
4732	svchost.exe
3364	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
3648	svchcst.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	upx
behavioral2/memory/3364-18-0x0000000000400000-0x0000000001D81000-memory.dmp	upx
behavioral2/memory/3364-35-0x0000000006C50000-0x00000000071F1000-memory.dmp	upx
behavioral2/memory/3364-36-0x0000000007540000-0x00000000075FE000-memory.dmp	upx
behavioral2/memory/3364-79-0x0000000000400000-0x0000000001D81000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

look2.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\240594937.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exeHD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

pid	process
432	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
432	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
3364	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
3364	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

description pid process

Token: SeDebugPrivilege 3364 HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

description	pid	process
Token: SeDebugPrivilege	3364	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exeHD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

pid	process
432	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
432	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
3364	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
3364	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exeHD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exesvchost.exe

description	pid	process	target process
PID 432 wrote to memory of 2164	432	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	look2.exe
PID 432 wrote to memory of 2164	432	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	look2.exe
PID 432 wrote to memory of 2164	432	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	look2.exe
PID 432 wrote to memory of 3364	432	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
PID 432 wrote to memory of 3364	432	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
PID 432 wrote to memory of 3364	432	cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
PID 3364 wrote to memory of 4312	3364	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	aria2c.exe
PID 3364 wrote to memory of 4312	3364	HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe	aria2c.exe
PID 4732 wrote to memory of 3648	4732	svchost.exe	svchcst.exe
PID 4732 wrote to memory of 3648	4732	svchost.exe	svchcst.exe
PID 4732 wrote to memory of 3648	4732	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
"C:\Users\Admin\AppData\Local\Temp\cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2164

C:\Users\Admin\AppData\Local\Temp\HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
C:\Users\Admin\AppData\Local\Temp\HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe
"C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe" --conf-path="C:\Users\Admin\AppData\Roaming\Downloader\aria2.conf" #--save-session="C:\Users\Admin\AppData\Roaming\Downloader\aria2.session" --input-file="C:\Users\Admin\AppData\Roaming\Downloader\aria2.session" --rpc-listen-port=6288 --listen-port=6388 --dht-listen-port=6390 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path="C:\Users\Admin\AppData\Roaming\Downloader\dht.dat" --dht-file-path6="C:\Users\Admin\AppData\Roaming\Downloader\dht6.dat" --bt-external-ip=191.101.209.39 --stop-with-process=3364 --check-certificate=false
3⤵
- Executes dropped EXE
PID:4312

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:2796

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\240594937.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.1MB

MD5
4100bc4d5d8235492162f1ed49623c2d

SHA1
5e781f41bffbd811322e792cc8fe24bca3991667

SHA256
8fc1780c2a30ffd38002497a7b5f4440cf46bd8400f2f1e30349686ff23edaa2

SHA512
4d807b459473451c3768313012a3bc92ba920a043a33dd57d8bfd11fa9c45d77dac756f7ac1f42b937d1ec464699eacbab25e9102b91d93ada08909b60364606

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_cde81ba02034985566a467f68769929420ac55b65792b4abb56cd5bea16c1fb3.exe
Filesize
13.0MB

MD5
43920d1836f15875181e7a8bebc1a2e6

SHA1
d34deeaad77c4fb3290ec213af8369128704d1ab

SHA256
5f855e37af978982982c9d63b6349f3dd06f2e077818d195c54d97f557ad54e1

SHA512
d71ed34965cbc68e4aa4c78d2489bf833a8057ac49ef4ef957d62d19e4ec00730de3d4fdc169ea4da813512d758df772ca2ab76376015a796a8c836763eba484

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe
Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Users\Admin\AppData\Roaming\Downloader\aria2.conf
Filesize
55KB

MD5
be2848313251cc4bdc3f4d83fbb678ee

SHA1
1e43738b25f0abcb6288e12b7e8d01b3e8666e8a

SHA256
35a633ec422857ce9d27f0e6b948d8b871af90c0430754bdd3f7ca70970e866d

SHA512
7093a99574544973a2c4ea9abebeefdb8b463bb42514a5d06dc29bff6cdd34381f10e394f79a8a5af1b27b86b5a31a71a48e569a2c76a20d4f982a5df61b3932

Download Submit
C:\Users\Admin\AppData\Roaming\Downloader\aria2c.exe
Filesize
4.8MB

MD5
a5c047f169471bd325552c255d6c04af

SHA1
e313cff2f3d668ec5d0e90920bd622b0f38aed9d

SHA256
cec8bb942475690363c1558fdf55e3cf59f29607967a822a626d4976a348334a

SHA512
6cf929d36ea0c95815d3218a3b11f0c8f539a6113c368642a70d41379145ba7ace9aed1e5b78836a4cd2ca861d9bcd10fea3e7fc126adb85822ed4cf4f762f0d

Download Submit
C:\Users\Admin\AppData\Roaming\Downloader\libcurl.dll
Filesize
1.7MB

MD5
c827add774456c759d2a7b35a2ae3525

SHA1
e6817d1b5c62460bdfd4aa3cd3941a6e7ecdc533

SHA256
5eb7c4723acab028d8bfea807cae6dad1f38d2c21b11586d77a69a716fbc4f2a

SHA512
5febaf93c07eb86b2dd9a228fe18e55ba57183d7300c07da802ddf7d381c3138e20601386744e92caed15e183fa793969ce47fa799e9f124c3f09e0b2c1da22d

Download Submit
C:\Windows\SysWOW64\240594937.bat
Filesize
51KB

MD5
517b0fb664581edf784c75ceddf4e570

SHA1
9597971b8cbe92047f0e9dcf0ed2a42193ec2967

SHA256
83fcccde56a1a4e06093b9066227912a822aaae57c21e9780c7a38f1a5b554b6

SHA512
4e4504909bfcbb27422e9311f6b49a93c86e3f5729aef893388c10066ab1b2871027d57a48586beef53ad685af0d7a77dfeb701d7e70c366029a77c8b5e9b66c

Download Submit
C:\Windows\SysWOW64\svchcst.exe
Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/3364-69-0x0000000009D00000-0x0000000009D10000-memory.dmp

Filesize
64KB

Download
memory/3364-74-0x0000000009D00000-0x0000000009D10000-memory.dmp

Filesize
64KB

Download
memory/3364-35-0x0000000006C50000-0x00000000071F1000-memory.dmp

Filesize
5.6MB

Download
memory/3364-18-0x0000000000400000-0x0000000001D81000-memory.dmp

Filesize
25.5MB

Download
memory/3364-19-0x0000000010000000-0x0000000010116000-memory.dmp

Filesize
1.1MB

Download
memory/3364-70-0x0000000009D00000-0x0000000009D10000-memory.dmp

Filesize
64KB

Download
memory/3364-72-0x0000000009D00000-0x0000000009D10000-memory.dmp

Filesize
64KB

Download
memory/3364-36-0x0000000007540000-0x00000000075FE000-memory.dmp

Filesize
760KB

Download
memory/3364-73-0x0000000009D00000-0x0000000009D10000-memory.dmp

Filesize
64KB

Download
memory/3364-71-0x0000000009D00000-0x0000000009D10000-memory.dmp

Filesize
64KB

Download
memory/3364-75-0x0000000009D00000-0x0000000009D10000-memory.dmp

Filesize
64KB

Download
memory/3364-76-0x0000000009D00000-0x0000000009D10000-memory.dmp

Filesize
64KB

Download
memory/3364-79-0x0000000000400000-0x0000000001D81000-memory.dmp

Filesize
25.5MB

Download
memory/4312-80-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads