Malware Analysis Report

2024-11-16 13:52

Sample ID 240620-d3zmes1ckn
Target 653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45
SHA256 653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45
Tags
blackmoon banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45

Threat Level: Known bad

The file 653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45 was found to be: Known bad.

Malicious Activity Summary

blackmoon banker trojan

Detect Blackmoon payload

Blackmoon, KrBanker

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 03:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 03:32

Reported

2024-06-20 03:35

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\1.85¤£ÓñÍÃ\41226653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\1.85¤£ÓñÍÃ\41226653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe

"C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe"

C:\1.85¤£ÓñÍÃ\41226653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe

C:\1.85¤£ÓñÍÃ\41226653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 stday.wodebd.com udp
US 8.8.8.8:53 www.rxcqlb1688.cn udp
US 8.8.8.8:53 www.rxcqlb1688.cn udp
US 76.223.67.189:3798 stday.wodebd.com tcp
CN 222.186.58.154:2001 www.rxcqlb1688.cn tcp
CN 222.186.58.154:2001 www.rxcqlb1688.cn tcp

Files

memory/2040-0-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2040-1-0x0000000000230000-0x0000000000233000-memory.dmp

memory/2040-5-0x00000000004FF000-0x0000000000500000-memory.dmp

memory/2040-6-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2040-10-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2040-9-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2040-8-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2040-7-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2040-12-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2040-11-0x0000000000400000-0x00000000009FA000-memory.dmp

\1.85¤£ÓñÍÃ\41226653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe

MD5 7bf43324bfd6d721946285e451920b8a
SHA1 712b1ab99e76fdb137c17dbe1cd49b95d39a4ba9
SHA256 653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45
SHA512 a3a33e06055595cf94aefe0a00011009e606fff915608d16bdec60b371b8ca225d32f7a504db55bc1774286b7a50215d6823b8e3b229a9d7bf1810cd295b85b2

memory/2040-48-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2372-50-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2040-49-0x000000000C290000-0x000000000C88A000-memory.dmp

memory/2040-47-0x0000000000230000-0x0000000000233000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4ba9be64cc2662b5179056bf664540e3.txt

MD5 8b3e5ce9ede09d967d68516792b027c6
SHA1 18d3fd73a904e545555fd1cebe3696f6587ede83
SHA256 11f48738b794024d5f42e7a48b99f9510a00d540a0899062e6a56e0116407bf3
SHA512 c641ad1586a00abfeff8f61cbf4cabab7885cd6abcbecb5d35be955392badcd736c748a0bd605ce697cdbb74c50837b7606070ada5435a62a964c76f133498d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

memory/2372-78-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2372-79-0x0000000000400000-0x00000000009FA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 03:32

Reported

2024-06-20 03:35

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\1.85¤£ÓñÍÃ\27101653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe N/A
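
The two "Enumerates connected drives" tables above (behavioral1 and behavioral2) both show the sample opening 23 of the 26 possible drive-letter device paths (\??\A: through \??\Z:, with C:, D: and F: never appearing) from the original process. The following detection logic, added here as an example and not part of the sandbox report, turns that pattern into a check that can be run over rows in this table's format: it groups \??\X: opens by process and flags any process that touched more than a threshold number of distinct letters. The sample rows are rebuilt from the behavioral2 table with the sample's own path shortened to sample.exe, the notepad.exe row is invented for contrast, and the threshold of 8 is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample rows in the shape of the "Enumerates connected drives"
# table above: the 23 letters the sample opened (behavioral2 order), plus one
# ordinary process (notepad.exe, invented for contrast) that only touches
# its own volume.
SAMPLE_ROWS = r"""
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\C: C:\Windows\System32\notepad.exe N/A
"""

# One row: "File opened (read-only) \??\X: <process path> <target>"
DRIVE_OPEN = re.compile(
    r"^File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)\s+(\S+)$"
)

ALL_LETTERS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")


def drive_letters_by_process(rows):
    """Map each process path to the set of drive letters it opened via \\??\\X:."""
    seen = defaultdict(set)
    for line in rows.splitlines():
        m = DRIVE_OPEN.match(line.strip())
        if m:
            letter, proc, _target = m.groups()
            seen[proc].add(letter)
    return seen


def flag_drive_sweeps(rows, threshold=8):
    """Return processes that opened at least `threshold` distinct drive letters.

    A normal program opens the one or two volumes it actually uses; walking
    most of A: through Z: in one run is the behaviour the sandbox labels
    "Enumerates connected drives". The threshold is an assumed tuning value.
    """
    report = {}
    for proc, letters in drive_letters_by_process(rows).items():
        if len(letters) >= threshold:
            report[proc] = {
                "count": len(letters),
                "letters": "".join(sorted(letters)),
                # Letters never opened; in the report above these are C, D, F.
                "untouched": "".join(sorted(ALL_LETTERS - letters)),
            }
    return report


if __name__ == "__main__":
    for proc, info in flag_drive_sweeps(SAMPLE_ROWS).items():
        print(f"{proc}: {info['count']} drive letters ({info['letters']}), "
              f"never opened: {info['untouched']}")
```

The "untouched" field is worth keeping in the output: the letters a sweep skips are usually the volumes that already exist on the machine, which tells you whether the code is probing for removable or network drives or simply walking the whole namespace.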

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe

"C:\Users\Admin\AppData\Local\Temp\653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe"

C:\1.85¤£ÓñÍÃ\27101653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe

C:\1.85¤£ÓñÍÃ\27101653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 stday.wodebd.com udp
US 13.248.213.45:3798 stday.wodebd.com tcp
US 8.8.8.8:53 www.rxcqlb1688.cn udp
CN 222.186.58.154:2001 www.rxcqlb1688.cn tcp
CN 222.186.58.154:2001 www.rxcqlb1688.cn tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
CN 222.186.58.154:2001 www.rxcqlb1688.cn tcp
CN 222.186.58.154:2001 www.rxcqlb1688.cn tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CN 222.186.58.154:2001 www.rxcqlb1688.cn tcp
CN 222.186.58.154:2001 www.rxcqlb1688.cn tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp
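
The Network tables of both runs mix traffic the sample generated with sandbox and operating-system noise: the mDNS packet to 224.0.0.251:5353, the in-addr.arpa reverse lookups and the tse1.mm.bing.net connection on the Windows 10 run are not the sample's own command-and-control. Across the two runs, www.rxcqlb1688.cn resolved to the same host both times (222.186.58.154:2001), while stday.wodebd.com resolved to 76.223.67.189 in behavioral1 and 13.248.213.45 in behavioral2 with port 3798 constant, so for that domain the name and port, not the address, are the stable indicators. The script below is an added example, not part of the report, that parses rows in this table's format, separates noise from real outbound connections, de-duplicates the result and renders one Suricata/Snort-style rule per endpoint. The sample rows are a trimmed copy of the behavioral2 table, the BACKGROUND_DOMAINS allowlist is an assumption to be tuned per environment, and sid_base is a placeholder.

```python
import re

# Constructed sample rows in the shape of the Network tables above (a trimmed
# copy of the behavioral2 run), including the rows that are sandbox noise.
SAMPLE_NET = """\
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 stday.wodebd.com udp
US 13.248.213.45:3798 stday.wodebd.com tcp
US 8.8.8.8:53 www.rxcqlb1688.cn udp
CN 222.186.58.154:2001 www.rxcqlb1688.cn tcp
CN 222.186.58.154:2001 www.rxcqlb1688.cn tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
"""

# "Country Destination Domain Proto"; the Domain column may be empty.
ROW = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$"
)

# Assumed allowlist of Windows background traffic seen in sandboxes; tune it
# for your own environment rather than treating it as authoritative.
BACKGROUND_DOMAINS = {"tse1.mm.bing.net"}


def parse_rows(text):
    """Yield one dict per table row; rows that do not match are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            yield {"country": country, "ip": ip, "port": int(port),
                   "domain": domain, "proto": proto}


def classify(row):
    """Separate sandbox noise from traffic the sample itself generated."""
    if row["ip"] == "224.0.0.251" and row["port"] == 5353:
        return "mdns-noise"
    if row["domain"] and row["domain"].endswith(".in-addr.arpa"):
        return "ptr-noise"          # reverse lookups done by the OS
    if row["domain"] in BACKGROUND_DOMAINS:
        return "background"
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns-query" if row["domain"] else "dns-unknown"
    return "connection"


def extract_iocs(text):
    """Return de-duplicated queried domains and outbound endpoints, in order."""
    domains, endpoints = [], []
    for row in parse_rows(text):
        kind = classify(row)
        if kind == "dns-query" and row["domain"] not in domains:
            domains.append(row["domain"])
        elif kind == "connection":
            ep = (row["ip"], row["port"], row["proto"], row["domain"])
            if ep not in endpoints:
                endpoints.append(ep)
    return {"domains": domains, "endpoints": endpoints}


def suricata_rules(iocs, sid_base=9000000):
    """Render one Suricata/Snort-style rule per endpoint; sid_base is a placeholder."""
    rules = []
    for i, (ip, port, proto, domain) in enumerate(iocs["endpoints"]):
        label = domain or ip
        rules.append(
            f'alert {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"Blackmoon C2 {label}"; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_NET)
    print("domains:", iocs["domains"])
    print("endpoints:", iocs["endpoints"])
    print("\n".join(suricata_rules(iocs)))
```

Because stday.wodebd.com changed address between runs, an IP-only rule for it will go stale; pair the address rules with DNS-query or TLS-SNI matching on the domain names in iocs["domains"] before deploying.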

Files

memory/2308-1-0x0000000000A20000-0x0000000000A23000-memory.dmp

memory/2308-0-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2308-7-0x00000000041D0000-0x00000000041D1000-memory.dmp

memory/2308-6-0x0000000003C40000-0x0000000003C41000-memory.dmp

memory/2308-5-0x00000000041C0000-0x00000000041C1000-memory.dmp

C:\1.85¤£ÓñÍÃ\27101653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45.exe

MD5 7bf43324bfd6d721946285e451920b8a
SHA1 712b1ab99e76fdb137c17dbe1cd49b95d39a4ba9
SHA256 653088440fbf81578d570d8a6b9568b42f2238613a56bc659b7fd74338dd4e45
SHA512 a3a33e06055595cf94aefe0a00011009e606fff915608d16bdec60b371b8ca225d32f7a504db55bc1774286b7a50215d6823b8e3b229a9d7bf1810cd295b85b2

memory/2308-17-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2308-16-0x0000000000A20000-0x0000000000A23000-memory.dmp

memory/2008-14-0x0000000000B30000-0x0000000000B33000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4ba9be64cc2662b5179056bf664540e3.txt

MD5 8b3e5ce9ede09d967d68516792b027c6
SHA1 18d3fd73a904e545555fd1cebe3696f6587ede83
SHA256 11f48738b794024d5f42e7a48b99f9510a00d540a0899062e6a56e0116407bf3
SHA512 c641ad1586a00abfeff8f61cbf4cabab7885cd6abcbecb5d35be955392badcd736c748a0bd605ce697cdbb74c50837b7606070ada5435a62a964c76f133498d8

memory/2008-46-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2008-48-0x0000000000B30000-0x0000000000B33000-memory.dmp