Malware Analysis Report

2024-09-11 19:02

Sample ID 240615-jgdeyssele
Target Nu.exe
SHA256 35083d29c840025e95d9e6e262ef81e55c510530924ff2500b0c454552cb0a84
Tags
upx blackmoon banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35083d29c840025e95d9e6e262ef81e55c510530924ff2500b0c454552cb0a84

Threat Level: Known bad

The file Nu.exe was found to be: Known bad.

Malicious Activity Summary

upx blackmoon banker trojan

Blackmoon, KrBanker

Detect Blackmoon payload

UPX packed file

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 07:38

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 07:38

Reported

2024-06-15 07:40

Platform

win7-20240221-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nu.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nu.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Nu.exe

"C:\Users\Admin\AppData\Local\Temp\Nu.exe"

Network

Country Destination Domain Proto
CN 222.186.172.42:8080 tcp

Files

memory/2388-0-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/2388-1-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/2388-3-0x0000000000400000-0x00000000004D3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 07:38

Reported

2024-06-15 07:40

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nu.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nu.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Nu.exe

"C:\Users\Admin\AppData\Local\Temp\Nu.exe"

Network

Country Destination Domain Proto
CN 222.186.172.42:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4824-0-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/4824-1-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/4824-2-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/4824-3-0x0000000000400000-0x00000000004D3000-memory.dmp