Malware Analysis Report

2024-11-16 15:42

Sample ID 240606-hgzgrabf42
Target d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f
SHA256 d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f
Tags
upx blackmoon banker trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f

Threat Level: Known bad

The file d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f was found to be: Known bad.

Malicious Activity Summary

upx blackmoon banker trojan

Blackmoon family

Detect Blackmoon payload

UPX dump on OEP (original entry point)

Blackmoon, KrBanker

UPX packed file

Unsigned PE

Enumerates physical storage devices

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 06:43

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

UPX dump on OEP (original entry point)

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 06:43

Reported

2024-06-06 07:00

Platform

win7-20240220-en

Max time kernel

11s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

UPX dump on OEP (original entry point)

UPX packed file

upx

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe

"C:\Users\Admin\AppData\Local\Temp\d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe"

C:\Users\Admin\AppData\Local\Temp\elxploreriothu.exe

"C:\Users\Admin\AppData\Local\Temp\elxploreriothu.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 i2.tietuku.com udp
US 8.8.8.8:53 aq.qq.com udp
HK 203.205.234.112:80 aq.qq.com tcp
HK 203.205.234.112:443 aq.qq.com tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 163.181.154.232:80 ocsp.digicert.cn tcp

Files

memory/2080-0-0x0000000000400000-0x0000000000473000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\elxploreriothu.exe

MD5 d536441acbd266db6c8a893b52084b26
SHA1 990fbbec0ca4b25f18da8cc313ac96485668e02a
SHA256 269b1ab0b598d2ae5bbefd8a86a2ebd0bb83abe17d36edc08ffd621afdf98f14
SHA512 8864770837a3004ab44123e6637057ef64b6fbeb926d3064ef5b1a9c29796c4bce64ffa07304e0dec152adc54c194260edc51f3c475a84c94bae5f84d83ca0ef

memory/2684-21-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2080-20-0x0000000003BB0000-0x0000000003C23000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\elxploreriothu.exe

MD5 2d8b2f1e79fbd9bb922649afe2fd91e4
SHA1 ed2593c5497a844787525d20aeb08206fac7cf71
SHA256 173cad168d1e4064098a002c523030f3cc4bb997c8e5a743fce87d9a0cb60dd0
SHA512 dd40e9e79e0e1eccf4265c47bc06dcfc812199fcc333d046aed67a716df1dc779b4638a31f61001a275f944da58d43eee84e82b99fd6518f5e5d2387e53dd24e

memory/2080-25-0x0000000000400000-0x0000000000473000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lpath.ini

MD5 6fa22cbe209fe66f58fae365dc1394a1
SHA1 64782510384216673e2ab2f4261bca5ca2aaa3e7
SHA256 ea4c428dd784b4e57a40cbe966153fde96f577ca17ee6ad36e608a5c387287af
SHA512 8a2858cf6c06a7d1a5834a20337f4fbe3297e1db57b6fcbbc0a04bc4321742d344253bb55102df64a8b291e0eede67c4114d5da2feb9eba470f3e6c2a7adfff2

memory/2684-44-0x0000000000400000-0x0000000000473000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 06:43

Reported

2024-06-06 07:01

Platform

win10v2004-20240426-en

Max time kernel

4s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

UPX dump on OEP (original entry point)

UPX packed file

upx

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe

"C:\Users\Admin\AppData\Local\Temp\d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe"

C:\Users\Admin\AppData\Local\Temp\elxplorerttidx.exe

"C:\Users\Admin\AppData\Local\Temp\elxplorerttidx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 i2.tietuku.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 aq.qq.com udp
HK 203.205.234.112:80 aq.qq.com tcp
HK 203.205.234.112:443 aq.qq.com tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 163.181.154.236:80 ocsp.digicert.cn tcp
US 8.8.8.8:53 236.154.181.163.in-addr.arpa udp
US 8.8.8.8:53 112.234.205.203.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

memory/4540-0-0x0000000000400000-0x0000000000473000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\elxplorerttidx.exe

MD5 9eb1b8eead61ed69f041c8919254e8d6
SHA1 5cd208d80844c755c8fef1b66acba9add36d43ea
SHA256 eb52477d9c09e110da435b114de9a5b1893a6d2b8c528e942f27a2f419204801
SHA512 27d58ff6f6fbdd9348d091393e1961d53fe8dc69b58e5e0d75ac84e4840cf3c65e4ecb0bccb5bb2673113c654f73147c40c70f6b09dff8899c96149628112858

memory/3484-43-0x0000000000400000-0x0000000000473000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\elxplorerttidx.exe

MD5 2d8b2f1e79fbd9bb922649afe2fd91e4
SHA1 ed2593c5497a844787525d20aeb08206fac7cf71
SHA256 173cad168d1e4064098a002c523030f3cc4bb997c8e5a743fce87d9a0cb60dd0
SHA512 dd40e9e79e0e1eccf4265c47bc06dcfc812199fcc333d046aed67a716df1dc779b4638a31f61001a275f944da58d43eee84e82b99fd6518f5e5d2387e53dd24e

memory/4540-50-0x0000000000400000-0x0000000000473000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lpath.ini

MD5 6fa22cbe209fe66f58fae365dc1394a1
SHA1 64782510384216673e2ab2f4261bca5ca2aaa3e7
SHA256 ea4c428dd784b4e57a40cbe966153fde96f577ca17ee6ad36e608a5c387287af
SHA512 8a2858cf6c06a7d1a5834a20337f4fbe3297e1db57b6fcbbc0a04bc4321742d344253bb55102df64a8b291e0eede67c4114d5da2feb9eba470f3e6c2a7adfff2

memory/3484-56-0x0000000000400000-0x0000000000473000-memory.dmp