blackmoon | 1625a81d76c3f8065e555cd559af95d634cbc9fb6dbd13512a5129d9e019d242

Analysis

max time kernel
110s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f69ddb46c1df9e900d546bd47de80770N.exe
Size

44KB
MD5

f69ddb46c1df9e900d546bd47de80770
SHA1

980371474edc41890b02b4d6796dd4952701bcdc
SHA256

1625a81d76c3f8065e555cd559af95d634cbc9fb6dbd13512a5129d9e019d242
SHA512

f98d107dcea53b6b8a549935193e29e2994d755d00e884d84d0599cc61e285d5dd14a47bc28c67be8a90fb8dea2fe18429d01d41462ecba45a8d22aa00ee6cb3
SSDEEP

768:KmZ70XUP0K2I5f6VJiPy6jBZTCRoMUHIYhlDkYi0sDaF8QCFSXbyt/CSF7p97Dg:Kf2V2IOSXQoMUHFhSYr+DQLytpF0

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/5064-9-0x0000000000400000-0x000000000042A000-memory.dmp	family_blackmoon
behavioral2/memory/3992-10-0x0000000000400000-0x000000000042A000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
3992	xxxfflf.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\friendl.dll	xxxfflf.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f69ddb46c1df9e900d546bd47de80770N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxxfflf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3992	5064	f69ddb46c1df9e900d546bd47de80770N.exe	84
PID 5064 wrote to memory of 3992	5064	f69ddb46c1df9e900d546bd47de80770N.exe	84
PID 5064 wrote to memory of 3992	5064	f69ddb46c1df9e900d546bd47de80770N.exe	84

C:\Users\Admin\AppData\Local\Temp\f69ddb46c1df9e900d546bd47de80770N.exe
"C:\Users\Admin\AppData\Local\Temp\f69ddb46c1df9e900d546bd47de80770N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064
- \??\c:\xxxfflf.exe
  c:\xxxfflf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\xxxfflf.exe

Filesize
44KB

MD5
887c8eca26b40c6867b381266d33a2d5

SHA1
df017cdc9394ce025f64e4af1a6395af5407a92b

SHA256
c816c58d2eb0a97b2eee58492375cb04bb6e210dba3e043b753072fe3621b466

SHA512
50d871b3e61860f1469943251f6f55b3ce5c24d8224f504eecf215e0363b90a88c5db3ed978a59ad163d38723560428b2755d3251e70178f2200ddd7fdeaed30

Download Submit
\??\c:\jl

Filesize
71B

MD5
2b6f399f590a37cda76a7924609f4935

SHA1
9e69b9dca9273d771a631fa69d42e2c1ff386876

SHA256
0ab277f36acfa0f006b2267f24f1575f6923f58b4eae5f92e23e9073a04f3d55

SHA512
e5d5c180a07bc37feeeac46225a43026bc68224e235e93c48b109f5e0c2b2621dba5713ef7af6dab73db1cc245ed2b86b61a9293dfbb4b1efefc8d38e9fbcddc

Download Submit
memory/3992-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5064-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5064-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download