blackmoon | 977e96e9ae5faa6f44902dadddec67871aede5d7edef4e4be60b70146269b23d

Analysis

max time kernel
133s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

068fb7605542cd8350ed34ec2d767856.exe
Size

3.8MB
MD5

068fb7605542cd8350ed34ec2d767856
SHA1

0c3edb958e306394cd1203e731dc781155ab2e70
SHA256

977e96e9ae5faa6f44902dadddec67871aede5d7edef4e4be60b70146269b23d
SHA512

70328066f04c2a5250de300e8ca4445cee381c13e417f2516fc3dc739b56808971ef622afb962fbefc19689e079b78080065c653aaf28c1cbb0e5f398380f29d
SSDEEP

98304:ykLI1vX2oBOOsQ0UfDZ5IyvJZxeaxt29s4C1eH94:dI1vnyUfDZ5nhZvxt5o94

Score

10^/10

blackmoon gh0strat banker persistence rat trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/2508-97-0x0000000002E40000-0x0000000002F2C000-memory.dmp	family_blackmoon
behavioral1/memory/2508-96-0x0000000002E40000-0x0000000002F2C000-memory.dmp	family_blackmoon
behavioral1/memory/2508-142-0x0000000002E40000-0x0000000002F2C000-memory.dmp	family_blackmoon
behavioral1/memory/2508-140-0x0000000002E40000-0x0000000002F2C000-memory.dmp	family_blackmoon

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2508-128-0x0000000010000000-0x0000000010017000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
1256	068fb7605542cd8350ed34ec2d767856.tmp
2508	isnnf.exe

Loads dropped DLL 5 IoCs

pid	Process
2352	068fb7605542cd8350ed34ec2d767856.exe
1256	068fb7605542cd8350ed34ec2d767856.tmp
2596	cmd.exe
2596	cmd.exe
2508	isnnf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\qdatem = "C:\\Users\\Public\\06430938\\Applicationbembu.exe"	isnnf.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	isnnf.exe
File opened (read-only)	\??\J:	isnnf.exe
File opened (read-only)	\??\N:	isnnf.exe
File opened (read-only)	\??\O:	isnnf.exe
File opened (read-only)	\??\Q:	isnnf.exe
File opened (read-only)	\??\R:	isnnf.exe
File opened (read-only)	\??\G:	isnnf.exe
File opened (read-only)	\??\L:	isnnf.exe
File opened (read-only)	\??\P:	isnnf.exe
File opened (read-only)	\??\U:	isnnf.exe
File opened (read-only)	\??\B:	isnnf.exe
File opened (read-only)	\??\I:	isnnf.exe
File opened (read-only)	\??\K:	isnnf.exe
File opened (read-only)	\??\S:	isnnf.exe
File opened (read-only)	\??\T:	isnnf.exe
File opened (read-only)	\??\X:	isnnf.exe
File opened (read-only)	\??\E:	isnnf.exe
File opened (read-only)	\??\M:	isnnf.exe
File opened (read-only)	\??\V:	isnnf.exe
File opened (read-only)	\??\W:	isnnf.exe
File opened (read-only)	\??\Y:	isnnf.exe
File opened (read-only)	\??\Z:	isnnf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	isnnf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	isnnf.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2812	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1256	068fb7605542cd8350ed34ec2d767856.tmp
1256	068fb7605542cd8350ed34ec2d767856.tmp
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2508	isnnf.exe
Token: SeIncBasePriorityPrivilege	2508	isnnf.exe
Token: 33	2508	isnnf.exe
Token: SeIncBasePriorityPrivilege	2508	isnnf.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1256	068fb7605542cd8350ed34ec2d767856.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe
2508	isnnf.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2508	isnnf.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1256	2352	068fb7605542cd8350ed34ec2d767856.exe	28
PID 2352 wrote to memory of 1256	2352	068fb7605542cd8350ed34ec2d767856.exe	28
PID 2352 wrote to memory of 1256	2352	068fb7605542cd8350ed34ec2d767856.exe	28
PID 2352 wrote to memory of 1256	2352	068fb7605542cd8350ed34ec2d767856.exe	28
PID 2352 wrote to memory of 1256	2352	068fb7605542cd8350ed34ec2d767856.exe	28
PID 2352 wrote to memory of 1256	2352	068fb7605542cd8350ed34ec2d767856.exe	28
PID 2352 wrote to memory of 1256	2352	068fb7605542cd8350ed34ec2d767856.exe	28
PID 1256 wrote to memory of 2596	1256	068fb7605542cd8350ed34ec2d767856.tmp	29
PID 1256 wrote to memory of 2596	1256	068fb7605542cd8350ed34ec2d767856.tmp	29
PID 1256 wrote to memory of 2596	1256	068fb7605542cd8350ed34ec2d767856.tmp	29
PID 1256 wrote to memory of 2596	1256	068fb7605542cd8350ed34ec2d767856.tmp	29
PID 2596 wrote to memory of 2508	2596	cmd.exe	31
PID 2596 wrote to memory of 2508	2596	cmd.exe	31
PID 2596 wrote to memory of 2508	2596	cmd.exe	31
PID 2596 wrote to memory of 2508	2596	cmd.exe	31
PID 2508 wrote to memory of 2812	2508	isnnf.exe	32
PID 2508 wrote to memory of 2812	2508	isnnf.exe	32
PID 2508 wrote to memory of 2812	2508	isnnf.exe	32
PID 2508 wrote to memory of 2812	2508	isnnf.exe	32

C:\Users\Admin\AppData\Local\Temp\068fb7605542cd8350ed34ec2d767856.exe
"C:\Users\Admin\AppData\Local\Temp\068fb7605542cd8350ed34ec2d767856.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\is-21C4H.tmp\068fb7605542cd8350ed34ec2d767856.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-21C4H.tmp\068fb7605542cd8350ed34ec2d767856.tmp" /SL5="$400F6,3138430,832512,C:\Users\Admin\AppData\Local\Temp\068fb7605542cd8350ed34ec2d767856.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\hnsstei\shhd.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - \??\c:\hnsstei\isnnf.exe
      isnnf.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Enumerates connected drives
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\isnnf.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\isnnf.txt

Filesize
649KB

MD5
d504f3e79833f38f69ab0696a9ed8205

SHA1
88ca3e8ec7886048102125539b22b2e7d3ec3dc5

SHA256
174c0c0d80346d35c31674baf20f06040341ebd6b5103c762e64fb7e1b4a244c

SHA512
bc28d5566b5569f3a69ceb6b7c6db200aa22d6fcc41d4c03b18472143a44b58e8e4afa7d445c573d75f2cd3d375ae3cf568bc23f13e342cc80ee9f84c74638c1

Download Submit
C:\Users\Public\Documents\sjsw.log

Filesize
184B

MD5
d4bb416e72d3cef0169a2385f7236915

SHA1
98ad6b534457aa679d3a8e009bcce2d006976693

SHA256
e1e6f1df9da503c4e20df829366dcb6d82f0ac1dab44f02f79477ffc467e05a5

SHA512
33e79b28e6ad9f9c1bef655f875f74bbd680d31fb6c2f2d0f0182a1367b2f263d81dfc1dac2ee69cacae2c0cd3c02f6fbc926a2c7c15e1ad970f618b936e5bf4

Download Submit
C:\hnsstei\AndrowsLauncher.exe

Filesize
1.0MB

MD5
bcba8ef8b4270277d00052389a55bb2c

SHA1
b519b25a6e7ada9aa9ecda80551cf4a24c137f6f

SHA256
21fbc2c9bf15508c778bdbc4d4c1bae0232c5a87a02322dab3039ebeb24a0bc6

SHA512
15443f90968b0c3e9b0d277d7d72a45bd6f180a1ecdab869042d0b0dd45de0b17e26c0f2eb147fd47b776914640754198c830587872b892a68c144488b51fd82

Download Submit
C:\hnsstei\cc.dat

Filesize
293KB

MD5
b885742712636ca83ea600ed3d28204e

SHA1
eb8a7d45767d5aa9ce915851fc1d2175d026aa20

SHA256
6259f60a25b765e00c8841213a4d6dde209f479dbe0cb0aee6efdee3b0ad477d

SHA512
6b9a3c0722c2a17e6b724d7fb1dd5fc3fd4363bb8b4c3dad565be1556e596975d57bd9b17532aa1e03ff9d0b4c40ee59ceafb7653d2599c5225e4cf03fcc9e63

Download Submit
C:\hnsstei\clientconf.ini

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\hnsstei\shhd.bat

Filesize
301B

MD5
9b6781897497ff28846d414b8429e861

SHA1
074427de2cb11afc3827ff57dcc0c6c0da574cd4

SHA256
d9ce56bb859d7cd337d715b231e37662e7072c332ea6d03c8d25cbd9462fc6c0

SHA512
1c0806c9173b19e6d738683d1468fe247ff99881e45519d9dd97d5efd290e55ef0ae43f4939bc3b74fa0e2e407f1dccabcf8af6e56be9bd0ffd27d11df6d8b12

Download Submit
C:\hnsstei\zy.txt

Filesize
91KB

MD5
cc9c899532a615399aa07b081aefebfd

SHA1
412f92e1ea43cc56afaecd81f789b7b178968d2c

SHA256
38bf2cd7b502208c03d67a2b34d72d2a538769a3a5b11007c79d355c331213e8

SHA512
5190c51c77d83b772aeb60dffd2899f2fdbc4ee7ec2a1dae0e76c5aa6fa649dfebb7cd11585ad4803797fe91265d41bccfb3e246f916fbe998e5f69e2cc61958

Download Submit
\Users\Admin\AppData\Local\Temp\is-21C4H.tmp\068fb7605542cd8350ed34ec2d767856.tmp

Filesize
3.1MB

MD5
d3c02246c96a2fdd800b3f087f166c99

SHA1
9a711be14f30769e0156558f680199f30291d846

SHA256
b89b0c9764496cd69ed3686cfa0128cf05acf7c73077828bebb5ef9db0271fa7

SHA512
495e25823ba560bf0f6e943ae5d79b027ad920db5166cf397f44a616e44e4e7f2d69d84232779cde919117c234a55a8056f7c371e23d76b38334d05f82d02dc3

Download Submit
\Users\Public\Documents\fth.dll

Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
\hnsstei\isnnf.exe

Filesize
293KB

MD5
c865c1ee1d569b8c9878509be159d582

SHA1
35f071918a4c663ee730efe1894a540b1f368c72

SHA256
7f8ec1c1a9e1310ec502b8b6a1f9d18ece4b03e1080a6622d68239f88434205e

SHA512
08211437a5d4bdca476a0eb173f7cf48ff26d6b6e9988f18cae3e296a834475c0558213a490efa3585def8bf899e632a81f30e6c07fdb05cccf80d370b8fc08e

Download Submit
memory/1256-9-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1256-75-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2352-77-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2352-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2352-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2508-97-0x0000000002E40000-0x0000000002F2C000-memory.dmp

Filesize
944KB

Download
memory/2508-96-0x0000000002E40000-0x0000000002F2C000-memory.dmp

Filesize
944KB

Download
memory/2508-90-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2508-89-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2508-122-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2508-124-0x0000000003EE0000-0x0000000003FD6000-memory.dmp

Filesize
984KB

Download
memory/2508-123-0x0000000003EE0000-0x0000000003FD6000-memory.dmp

Filesize
984KB

Download
memory/2508-125-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-126-0x0000000003EE0000-0x0000000003FD6000-memory.dmp

Filesize
984KB

Download
memory/2508-128-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2508-130-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-142-0x0000000002E40000-0x0000000002F2C000-memory.dmp

Filesize
944KB

Download
memory/2508-140-0x0000000002E40000-0x0000000002F2C000-memory.dmp

Filesize
944KB

Download
memory/2508-143-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download