blackmoon | e4339d0f2ee61d0118db3713b9e6cbfc2d9ef0bcc97e217123d5379945449ea7

Analysis

max time kernel
112s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84ab6cc07b8fbccc1a87f7064b754d90N.exe
Size

44KB
MD5

84ab6cc07b8fbccc1a87f7064b754d90
SHA1

3533a9fd5cc215e651b6ce1900cb99d7bc16f996
SHA256

e4339d0f2ee61d0118db3713b9e6cbfc2d9ef0bcc97e217123d5379945449ea7
SHA512

7b16e13df6014105b063f9d154509a29a78d69bb7f3e7647f4631638bc9d1fae95f544e3ec71a3a203883d280bd590a29fed8b6d1a48ab6dcf7e98c61e230d05
SSDEEP

768:KmZ70XUP0K2I5f6VJiPy6jBZTCRoMUHIYhlDkYi0sDaF8QCFSXbyt/CSF7p97Dp:Kf2V2IOSXQoMUHFhSYr+DQLytpFF

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/2260-2-0x0000000000400000-0x000000000042A000-memory.dmp	family_blackmoon
behavioral1/memory/2692-12-0x0000000000400000-0x000000000042A000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2692	ffrllrx.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	ffrllrx.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\friendl.dll	ffrllrx.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84ab6cc07b8fbccc1a87f7064b754d90N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2692	2260	84ab6cc07b8fbccc1a87f7064b754d90N.exe	30
PID 2260 wrote to memory of 2692	2260	84ab6cc07b8fbccc1a87f7064b754d90N.exe	30
PID 2260 wrote to memory of 2692	2260	84ab6cc07b8fbccc1a87f7064b754d90N.exe	30
PID 2260 wrote to memory of 2692	2260	84ab6cc07b8fbccc1a87f7064b754d90N.exe	30

C:\Users\Admin\AppData\Local\Temp\84ab6cc07b8fbccc1a87f7064b754d90N.exe
"C:\Users\Admin\AppData\Local\Temp\84ab6cc07b8fbccc1a87f7064b754d90N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- \??\c:\ffrllrx.exe
  c:\ffrllrx.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ffrllrx.exe

Filesize
44KB

MD5
00f400b9c9d90bcb38c5083a73f75310

SHA1
bb612592b78417503b91160d77fc86265b676312

SHA256
dd1ccde7fcd2ed554a66a3ac86feceac766f2cb953970d9170d7ed702a8940c0

SHA512
1cace42944df4957a5317fdb896c23ea159144c9475f651da562fff4260593b2bb7f02dd27788adb1b9bbccda1c7bb8243774f7a7a7fa0ffaf267d6e7d862b28

Download Submit
\??\c:\jl

Filesize
71B

MD5
a07f555b0ff4dcc3fc0bc8851ea53265

SHA1
55c196d33b6225b25915b8dee568c56bf5e3a3f7

SHA256
e981a2d7e1a533cda59b6271ad1d59a5991640a60af825210bc6e5a04980beb7

SHA512
4db3e7755f2f8b4044604a73b07fb5bf5b5eac379ac51943fd7d66e9770a0ae82f976d8714d81aa31d42836f5845aa1df8000de22397008d5d52956a48a86947

Download Submit
memory/2260-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download