Analysis Overview

score

10^/10

SHA256

a63282f61da56f276a230da6556d105168b94e652b560b1a7193244b29be9829

Threat Level: Known bad

The file QY2.exe was found to be: Known bad.

Malicious Activity Summary

upx blackmoon banker trojan

Blackmoon, KrBanker

Detect Blackmoon payload

UPX packed file

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 05:10

Signatures

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 05:10

Reported

2024-06-15 05:12

Platform

win7-20240508-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QY2.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\QY2.exe	N/A

Processes

C:\Users\Admin\AppData\Local\Temp\QY2.exe

"C:\Users\Admin\AppData\Local\Temp\QY2.exe"

Network

Country	Destination	Domain	Proto
CN	222.186.172.42:8080		tcp

Files

memory/1424-0-0x0000000000400000-0x000000000097B000-memory.dmp

memory/1424-1-0x0000000000400000-0x000000000097B000-memory.dmp

memory/1424-3-0x0000000000400000-0x000000000097B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 05:10

Reported

2024-06-15 05:12

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QY2.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\QY2.exe	N/A

Processes

C:\Users\Admin\AppData\Local\Temp\QY2.exe

"C:\Users\Admin\AppData\Local\Temp\QY2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3976,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:8

Network

Country	Destination	Domain	Proto
CN	222.186.172.42:8080		tcp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	4.159.190.20.in-addr.arpa	udp
NL	23.62.61.194:443	www.bing.com	tcp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	8.8.8.8:53	26.35.223.20.in-addr.arpa	udp
US	8.8.8.8:53	194.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	86.23.85.13.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	8.8.8.8:53	35.15.31.184.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	249.197.17.2.in-addr.arpa	udp

Files

memory/4068-0-0x0000000000400000-0x000000000097B000-memory.dmp

memory/4068-1-0x0000000000400000-0x000000000097B000-memory.dmp

memory/4068-3-0x0000000000400000-0x000000000097B000-memory.dmp

Sample ID	240615-ftpf7szcld
Target	QY2.exe
SHA256	a63282f61da56f276a230da6556d105168b94e652b560b1a7193244b29be9829
Tags	upx blackmoon banker trojan

Malware Analysis Report

2024-09-11 19:04

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files