blackmoon | e4339d0f2ee61d0118db3713b9e6cbfc2d9ef0bcc97e217123d5379945449ea7

Analysis

max time kernel
110s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84ab6cc07b8fbccc1a87f7064b754d90N.exe
Size

44KB
MD5

84ab6cc07b8fbccc1a87f7064b754d90
SHA1

3533a9fd5cc215e651b6ce1900cb99d7bc16f996
SHA256

e4339d0f2ee61d0118db3713b9e6cbfc2d9ef0bcc97e217123d5379945449ea7
SHA512

7b16e13df6014105b063f9d154509a29a78d69bb7f3e7647f4631638bc9d1fae95f544e3ec71a3a203883d280bd590a29fed8b6d1a48ab6dcf7e98c61e230d05
SSDEEP

768:KmZ70XUP0K2I5f6VJiPy6jBZTCRoMUHIYhlDkYi0sDaF8QCFSXbyt/CSF7p97Dp:Kf2V2IOSXQoMUHFhSYr+DQLytpFF

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/3608-6-0x0000000000400000-0x000000000042A000-memory.dmp	family_blackmoon
behavioral2/memory/764-10-0x0000000000400000-0x000000000042A000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

pid	Process
764	fxxrffr.exe

Executes dropped EXE 1 IoCs

pid	Process
764	fxxrffr.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\friendl.dll	fxxrffr.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84ab6cc07b8fbccc1a87f7064b754d90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxxrffr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 764	3608	84ab6cc07b8fbccc1a87f7064b754d90N.exe	83
PID 3608 wrote to memory of 764	3608	84ab6cc07b8fbccc1a87f7064b754d90N.exe	83
PID 3608 wrote to memory of 764	3608	84ab6cc07b8fbccc1a87f7064b754d90N.exe	83

C:\Users\Admin\AppData\Local\Temp\84ab6cc07b8fbccc1a87f7064b754d90N.exe
"C:\Users\Admin\AppData\Local\Temp\84ab6cc07b8fbccc1a87f7064b754d90N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3608
- \??\c:\fxxrffr.exe
  c:\fxxrffr.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\fxxrffr.exe

Filesize
44KB

MD5
737263c6acd82a583dbcc1a9abae4ea1

SHA1
3241951dbf37cea32d2385d1362c9f1b70d7c4d9

SHA256
dee89afe9677c6145a75dc2515205590b66624f11af300cbd06df3be145af297

SHA512
632715cbcbca335e55ef514925b8b1e34477f36a563b493ef79cbc2c714282bea6e65e8e137db3cf61512fc6cc095b756479029d1e25f58faf605ebc16893864

Download Submit
\??\c:\jl

Filesize
71B

MD5
a07f555b0ff4dcc3fc0bc8851ea53265

SHA1
55c196d33b6225b25915b8dee568c56bf5e3a3f7

SHA256
e981a2d7e1a533cda59b6271ad1d59a5991640a60af825210bc6e5a04980beb7

SHA512
4db3e7755f2f8b4044604a73b07fb5bf5b5eac379ac51943fd7d66e9770a0ae82f976d8714d81aa31d42836f5845aa1df8000de22397008d5d52956a48a86947

Download Submit
memory/764-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3608-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3608-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download