Analysis Overview

score

10^/10

SHA256

f1eab71c6163bd6804c4d6427187252e49779dff8c0a58a176bb252e6f55c694

Threat Level: Known bad

The file QY1.exe was found to be: Known bad.

Malicious Activity Summary

blackmoon banker trojan upx

Blackmoon, KrBanker

Detect Blackmoon payload

UPX packed file

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 05:03

Signatures

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 05:03

Reported

2024-06-15 05:05

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QY1.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\QY1.exe	N/A

Processes

C:\Users\Admin\AppData\Local\Temp\QY1.exe

"C:\Users\Admin\AppData\Local\Temp\QY1.exe"

Network

Country	Destination	Domain	Proto
CN	222.186.172.42:8080		tcp
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
NL	23.62.61.194:443	www.bing.com	tcp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	67.31.126.40.in-addr.arpa	udp
US	8.8.8.8:53	0.204.248.87.in-addr.arpa	udp
US	8.8.8.8:53	194.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	26.35.223.20.in-addr.arpa	udp
US	8.8.8.8:53	86.23.85.13.in-addr.arpa	udp
US	8.8.8.8:53	56.126.166.20.in-addr.arpa	udp
US	8.8.8.8:53	36.56.20.217.in-addr.arpa	udp
US	8.8.8.8:53	240.197.17.2.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp

Files

memory/4192-0-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/4192-1-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/4192-2-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/4192-3-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/4192-4-0x0000000000400000-0x00000000004D3000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 05:03

Reported

2024-06-15 05:05

Platform

win7-20240611-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QY1.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\QY1.exe	N/A

Processes

C:\Users\Admin\AppData\Local\Temp\QY1.exe

"C:\Users\Admin\AppData\Local\Temp\QY1.exe"

Network

Country	Destination	Domain	Proto
CN	222.186.172.42:8080		tcp

Files

memory/3024-0-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/3024-1-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/3024-3-0x0000000000400000-0x00000000004D3000-memory.dmp

Sample ID	240615-fppleatbrn
Target	QY1.exe
SHA256	f1eab71c6163bd6804c4d6427187252e49779dff8c0a58a176bb252e6f55c694
Tags	blackmoon banker trojan upx

Malware Analysis Report

2024-09-11 19:04

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files