Malware Analysis Report

2024-11-16 15:42

Sample ID 240606-eafjhsgg66
Target af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab
SHA256 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab
Tags
blackmoon banker spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab

Threat Level: Known bad

The file af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab was found to be: Known bad.

Malicious Activity Summary

blackmoon banker spyware stealer trojan

Blackmoon, KrBanker

Blackmoon family

Detect Blackmoon payload

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 03:44

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 03:43

Reported

2024-06-06 03:51

Platform

win7-20240221-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1692 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
PID 1692 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
PID 1692 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
PID 1692 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
PID 1936 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe
PID 1936 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe
PID 1936 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe
PID 1936 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe

"C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe"

C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe

"C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe"

C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe

"C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip3.qsdun.com udp
US 8.8.8.8:53 dsfurl.qsdun.com udp
US 8.8.8.8:53 www.j1608.com udp
CN 103.40.13.188:10002 dsfurl.qsdun.com tcp
CN 103.40.13.188:2020 dsfurl.qsdun.com tcp
FR 176.31.163.146:80 www.j1608.com tcp
CN 103.40.13.188:10002 dsfurl.qsdun.com tcp
US 8.8.8.8:53 ip1.qsdun.com udp
CN 103.40.13.188:10000 ip1.qsdun.com tcp
US 8.8.8.8:53 ip2.qsdun.com udp
CN 103.40.13.188:10001 ip2.qsdun.com tcp
CN 103.40.13.188:10002 ip2.qsdun.com tcp
CN 103.40.13.188:10000 ip2.qsdun.com tcp
CN 103.40.13.188:10002 ip2.qsdun.com tcp

Files

\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe

MD5 345249335a7c76d74167220ff2ba174c
SHA1 ff77a6bf471762b2f5977421ad87e9ee0fbac5d8
SHA256 e704e4986c00df2273a2e518e0e1501f978012e30d1c76e6caafc20a8f99115f
SHA512 685eb287b6e0a444b1ab6c786d78b8192e364a72cdc2cd8b04980be4540e826cc19cb235c23a0e1851522360003f0168de4e1b0ed3f2dba3ceaaad85391bad9f

\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe

MD5 0b63a5a045d0a417272cd9db1472e76b
SHA1 6131e93e5a834d9cee1fae2291587d51e310a1a1
SHA256 f5c6d1a192b1e6aac61cc5ba935b88080b4d0bf72bfa38f9a942b2e719613830
SHA512 97e913567012eed258c6b7d4170d32b1289e8438c8568a9adf3c7960a0ac590361e70d537578d74842465dbe502ae7068f7ead5c4e2847f906a518563417638d

C:\Users\Admin\Desktop\Ì츮¼¤Çé.lnk

MD5 58b93c3ea5cae739341a35cfc9ad9913
SHA1 b52ae60d6e5e0c596a3c2a67e4eb8e3bffb63263
SHA256 135844a7e956799ebd5cb74a91bd5c130fde42aba98cb2da0d2fec8921b806cd
SHA512 ea648c94eda34520aa0522c65140611760d26db79f2830837fbe31c82750878cf83d469385a8d5bba3933b561e0bf5e628dd3b579328ae32a32ab487fb374f3a

C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe

MD5 ea19bf9f47d2608536b727009e1656bf
SHA1 057b7295cd114d29f7850219ac2d7e3345ea8cbb
SHA256 277402646f33acd8cc2c671044f60f71678cfa9664a450a2784d3dbb116c4328
SHA512 25f3b3d6c7931823046e5b8be6388f5d64f06989383c6445a70ccffcc5fd3e13a01a97b859eb835468d0eb30dfc9e3afc2905cf3ddb6527ec60469131d59174c

\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe

MD5 24f33d75b01f0b81a0e9f98551c483f2
SHA1 6f217bf5025cfb69d65f28c08c16d97ae5f6c926
SHA256 b50fe6dfd6db993906d16c6645bf378f8c34894d49456ba5fce1ccf6d11cdcf8
SHA512 9601ed152c8d2c9fdbf2e710ff71f106e69210957c65ea7227a40f5d3ce4771c6b8798baaeecba99b17e2fc69571114181db95e1777ee707f975a1665a44376e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 03:43

Reported

2024-06-06 03:51

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1196 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
PID 1196 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
PID 1196 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
PID 4088 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe
PID 4088 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe
PID 4088 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe | C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe

"C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe"

C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe

"C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe"

C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe

"C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip1.qsdun.com udp
US 8.8.8.8:53 dsfurl.qsdun.com udp
US 8.8.8.8:53 www.j1608.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
CN 103.40.13.188:2020 dsfurl.qsdun.com tcp
CN 103.40.13.188:10000 dsfurl.qsdun.com tcp
FR 176.31.163.146:80 www.j1608.com tcp
US 8.8.8.8:53 146.163.31.176.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 ip3.qsdun.com udp
CN 103.40.13.188:10002 ip3.qsdun.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
CN 103.40.13.188:10000 ip3.qsdun.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 ip2.qsdun.com udp
CN 103.40.13.188:10001 ip2.qsdun.com tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 103.40.13.188:10002 ip2.qsdun.com tcp
CN 103.40.13.188:10000 ip2.qsdun.com tcp
CN 103.40.13.188:10002 ip2.qsdun.com tcp

Files

C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe

MD5 5ef94ef5517c0afc8a80eaf4c1e5cd66
SHA1 b7277b1415d6321f40404557c2167f22799a51db
SHA256 297b6f984553c6b98d506c75e1686b261a9af9f999d1ddda1d469705deeb61a0
SHA512 33188472ca81e145a0a37a1c3c18ef3ceb1c446566a811be8e74ed7a3371219523c005f8819234d1bb74db185d3115fed4129d9a1ef254452450ef9ea54c0fe1

C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe

MD5 a6b72f4ad8a7bf6936fb2017073dd997
SHA1 954be16fbe70e17b53a5748ab387b499b574bdf1
SHA256 795e315cdaec8416356ab5d9c5f725f1d9922b1cdbfb03524b75c4255cf5692a
SHA512 f435fa3b554f3f8a5e6022ec2d37bc35dfd6fd9308593b6c6b47fc008756d882f17490dbdc5dfe8ec04b1b614273fa8f43e1e6834926c6168124450892689aa1

C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe

MD5 14251ceebcad319d8bee80476beca7cd
SHA1 abe50c7c5b46feaa6f6b8728a376000870b4a15d
SHA256 856fba7008b3ac184772eb924cfe8ab4187157fdbc94b01f565adb2a1ed7e248
SHA512 ff96351c10b924ad3e8e73be5ca0fe1bb2fea13aebc1bb7fb059b620fb60cd7c8145dd70a563ca33869a8473e87d9b402f300c62a83e37ca43e933efd4d4dff7

C:\Users\Admin\Desktop\Ì츮¼¤Çé.lnk

MD5 e3eb14a9f69db92238858b0cea65c43b
SHA1 c3abb1f352d1b81658aee9ec2df06e1c323f1d42
SHA256 7bf70e4c36dbaa390c6162647e9fd90bbeebb4a0719814320580d6ce559a8983
SHA512 e6c1ff094289627af0277c3003be60bed46810a3615b26ec572a25ad784e8da86931ac89823c90193592594119bdf16ab1e86bf2b7ec6d48d5c9346d5748a647

C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe

MD5 e7c82562e9abc48341a48785841553c2
SHA1 dbbb824cd9e01411d2bca10c2ce21fab2ace7d9d
SHA256 c139a9b15b4d28387f254d613532a191b182e3e953d363673fdbe6028231a046
SHA512 dc5b0c5b5ec9600932e74c81edd2792a1e08613f58393cec6c48812a27380241404b673b64205ef9f198682e4f96743c14c64920d5dc59dff9d6ebee4b0329a8

C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe

MD5 fd862833faa4b48eb028edab0da39e84
SHA1 ee59134dbb7a4cd01b4aebb4baa1adf00b6a6dbe
SHA256 84438cd7423aa910a79be9e1018e35763c17c4715090a23f72503ec800c9fa0e
SHA512 6e6480b50559f94823b2d567c2d0e12a1a63ff6b667337107aa27ea26cc27398336c3020cd7327345baa462a4a7c55e61f61fd459717dff7efbb4c703e580067