blackmoon | 29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c

General

Target

29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
Size

1.4MB
MD5

34a77e4ddf8f639ceea79a2b58937ce7
SHA1

94a634690e2fc1739a96dccc6881e84f482b87d8
SHA256

29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c
SHA512

78dcfe80d30c8e3b4d6519c2d8e4f2c200a8b4c772c3a4d995ed4119663433e34bc55bd76afe12dcb30f356b7da5674352cb59273512b32c5e6c7feb92957f29
SSDEEP

24576:WYFbkIsaPiXSVnC7Yp9zkNmZG8RRlnMyzqSuRvHBk35jY+:WYREXSVMDi32JvBcC+

Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4208-40-0x0000000000400000-0x00000000004F4000-memory.dmp	family_blackmoon

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240599921.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240599921.bat"	look2.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HD_29AF2B05A040D86768BF3B7989072E86531456CC5C20F3F4312122B9C3C3BA6C.EXE	HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe	HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

Executes dropped EXE 3 IoCs

Processes:

look2.exeHD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exesvchcst.exe

pid process

632 look2.exe
4208 HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
2988 svchcst.exe
Loads dropped DLL 3 IoCs

Processes:

look2.exesvchost.exesvchcst.exe

pid process

632 look2.exe
2348 svchost.exe
2988 svchcst.exe

pid	process
632	look2.exe
4208	HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
2988	svchcst.exe

pid	process
632	look2.exe
2348	svchost.exe
2988	svchcst.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe	upx
behavioral2/memory/4208-18-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/4208-40-0x0000000000400000-0x00000000004F4000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

look2.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\240599921.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

Processes:

HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop	HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\LanguageConfiguration	HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\CONTROL PANEL\DESKTOP\LANGUAGECONFIGURATION	HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

pid	process
5036	29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
5036	29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

description	pid	process
Token: SeBackupPrivilege	4208	HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
Token: SeRestorePrivilege	4208	HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

pid	process
5036	29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
5036	29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exesvchost.exe

description	pid	process	target process
PID 5036 wrote to memory of 632	5036	29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe	look2.exe
PID 5036 wrote to memory of 632	5036	29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe	look2.exe
PID 5036 wrote to memory of 632	5036	29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe	look2.exe
PID 5036 wrote to memory of 4208	5036	29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe	HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
PID 5036 wrote to memory of 4208	5036	29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe	HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
PID 5036 wrote to memory of 4208	5036	29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe	HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
PID 2348 wrote to memory of 2988	2348	svchost.exe	svchcst.exe
PID 2348 wrote to memory of 2988	2348	svchost.exe	svchcst.exe
PID 2348 wrote to memory of 2988	2348	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
"C:\Users\Admin\AppData\Local\Temp\29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5036

C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:632

C:\Users\Admin\AppData\Local\Temp\HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
C:\Users\Admin\AppData\Local\Temp\HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe
2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:3520

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\240599921.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_29af2b05a040d86768bf3b7989072e86531456cc5c20f3f4312122b9c3c3ba6c.exe

Filesize
290KB

MD5
114f288351b141d648032638f6265998

SHA1
3611654f8bd21e6a9636c8bdb1935ab2f15e9953

SHA256
919642460e814fc07b2783b66c9415c8a927ad54473624b0a761ca1394c330fc

SHA512
4fc3d761906c17138da763ecb7f432b2a7e76bfe2998b885f779030c4ce3b5a59d7fa43d44afd08ac7d7cd21462c9a1eaf849c469186cbba52af9e7eed7f36bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.1MB

MD5
ad92c0db80ec5bb70f8471628d7dbf2c

SHA1
7da664265fd79ac7aca2b7ba0c1004c0d8d9e35c

SHA256
8ff3b94b8d3e1d5d93a0e1a90e32fc2ede5438a7bb42a5d797daf539eecb6afa

SHA512
253b8c073445af83e45a480d413e93bc28762539e783e3986336f76a1f572ae85aeb4f32dda0f3e8f2161dbc4f532ac5cf785d05c90341a7cafd9859ec11946b

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240599921.bat

Filesize
51KB

MD5
0f41ee86c6c02d7bd9eef55028a361bf

SHA1
564f296d9d1e6f5365fd6ee4e7c2f7bad3196ddf

SHA256
24fe85c2c8d330d43d24d1abd562c939f368ee8949318f8f4fb286abe35dcd89

SHA512
7d99004e129fcb6cc2ac6a57a4e4add8188ce97d85bed93dea7b5d672dfa9b0d28100f74d4aeaf5ab0b0309c6f46e575aa13ec7ac3a978c85c9fbf689c1fc8d7

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/4208-18-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/4208-19-0x000000006F170000-0x000000006F180000-memory.dmp

Filesize
64KB

Download
memory/4208-21-0x00000000022B0000-0x00000000022BA000-memory.dmp

Filesize
40KB

Download
memory/4208-22-0x0000000077182000-0x0000000077183000-memory.dmp

Filesize
4KB

Download
memory/4208-23-0x0000000077183000-0x0000000077184000-memory.dmp

Filesize
4KB

Download
memory/4208-40-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads