blackmoon | 61bde78faff2f15db4a32cec6b3b9cee53de0d854fb58579c00873ed8c8aea25

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Butterfly Rome.exe
Size

896KB
MD5

6600d3aad5ae54f1c929c73ad76b1a19
SHA1

e84808a2d71e084fce9406163b0008c5e5b2fa6e
SHA256

e2c98d04803606509f4b7f2fb612c00a8b4550cce24966988ddd29168b24b6e6
SHA512

52ec4266d21e246fa04a63d14fac4c5a18c0d21b5be218c8591377c718dc738cde43835b7b5169b964df976e4548d4d38f1e660702ead7458574bf3d9922044e
SSDEEP

12288:hEN/CKPbje87uR3Deiw+nB1qjzzHxD2r770yHLe75pfY/6tMIPTohQ17rPKM6I+B:hVUb7+s+B1qTxD2zy7Yitzt1iI+X6JY

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/2360-10-0x0000000010000000-0x0000000010054000-memory.dmp	family_blackmoon
behavioral1/memory/2360-14-0x0000000010000000-0x0000000010054000-memory.dmp	family_blackmoon

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2360	Butterfly Rome.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Butterfly Rome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2360	Butterfly Rome.exe
2360	Butterfly Rome.exe

C:\Users\Admin\AppData\Local\Temp\Butterfly Rome.exe
"C:\Users\Admin\AppData\Local\Temp\Butterfly Rome.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-0-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/2360-1-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/2360-11-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2360-12-0x0000000010001000-0x0000000010010000-memory.dmp

Filesize
60KB

Download
memory/2360-10-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download
memory/2360-9-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download
memory/2360-8-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download
memory/2360-6-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/2360-5-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/2360-4-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download
memory/2360-7-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download
memory/2360-13-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/2360-14-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download
memory/2360-15-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download