blackmoon | 758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57

Analysis

max time kernel
141s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe
Size

560KB
MD5

cbf54780cdd334b9caf10f4980172192
SHA1

50a2ee1b0e15b5a39f9ec7a826ccb4f98c465995
SHA256

758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57
SHA512

f7b2aedb9f3130ed976da7ca583f66fe38e3d48909055c9af309d4b12325216958f406b9afc1ee3ae71c9b60e1789e748c6f4d7262e00ac5265f65e446a53941
SSDEEP

6144:Ig3oBabKfY+R9VGLj10B7F8zekO+nZd2G4cLUh2q/+Km//v0o+:VogOfY+R9VGLj10B7F8ywZdX45H+Kmn

Score

10^/10

blackmoon banker discovery evasion trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 14 IoCs

resource	yara_rule
behavioral1/memory/2652-18-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-19-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-20-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-21-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-22-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-23-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-24-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-25-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-26-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-27-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-28-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-29-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-30-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/2652-31-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2944	attrib.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe
2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe
2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe
Token: SeDebugPrivilege	2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2760	2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe	30
PID 2652 wrote to memory of 2760	2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe	30
PID 2652 wrote to memory of 2760	2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe	30
PID 2652 wrote to memory of 2760	2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe	30
PID 2760 wrote to memory of 2720	2760	cmd.exe	32
PID 2760 wrote to memory of 2720	2760	cmd.exe	32
PID 2760 wrote to memory of 2720	2760	cmd.exe	32
PID 2760 wrote to memory of 2720	2760	cmd.exe	32
PID 2760 wrote to memory of 2136	2760	cmd.exe	33
PID 2760 wrote to memory of 2136	2760	cmd.exe	33
PID 2760 wrote to memory of 2136	2760	cmd.exe	33
PID 2760 wrote to memory of 2136	2760	cmd.exe	33
PID 2136 wrote to memory of 1924	2136	cmd.exe	35
PID 2136 wrote to memory of 1924	2136	cmd.exe	35
PID 2136 wrote to memory of 1924	2136	cmd.exe	35
PID 2136 wrote to memory of 1924	2136	cmd.exe	35
PID 2652 wrote to memory of 2596	2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe	36
PID 2652 wrote to memory of 2596	2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe	36
PID 2652 wrote to memory of 2596	2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe	36
PID 2652 wrote to memory of 2596	2652	758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe	36
PID 2596 wrote to memory of 2836	2596	cmd.exe	38
PID 2596 wrote to memory of 2836	2596	cmd.exe	38
PID 2596 wrote to memory of 2836	2596	cmd.exe	38
PID 2596 wrote to memory of 2836	2596	cmd.exe	38
PID 2596 wrote to memory of 2944	2596	cmd.exe	39
PID 2596 wrote to memory of 2944	2596	cmd.exe	39
PID 2596 wrote to memory of 2944	2596	cmd.exe	39
PID 2596 wrote to memory of 2944	2596	cmd.exe	39

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2944	attrib.exe

C:\Users\Admin\AppData\Local\Temp\758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe
"C:\Users\Admin\AppData\Local\Temp\758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\1122.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\mode.com
    mode con cols=15 lines=3
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1122.bat p
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\mode.com
      mode con cols=15 lines=3
      4⤵
      System Location Discovery: System Language Discovery
      PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\1133.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\mode.com
    mode con cols=15 lines=3
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +a +h +r "C:\test"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1122.bat

Filesize
197B

MD5
b4292e00eff53ec1da95e7225285e779

SHA1
695289b0ffaa5ee7b4084304c976045806687ddd

SHA256
dc4a1e18e67015e250c8bd71dcbce8d2234e73219b7dfcf8fd13d0733e4c2030

SHA512
00dc64420d7b8fda21873e4dfe9ec5fc0aec15a296385ca801641f6a8894692f6aeada71445ef54330f1acf4be6ab436e4ad99f24933e844baa6055efd02f1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1133.bat

Filesize
146B

MD5
d61001211982ac769bbb185be1950976

SHA1
c856d74768d978bed799edfc07819fc28ba8f604

SHA256
03d8643c798c6d1f7c25e3dde6f9a3cb17015295456e099af2681b4ba7895b27

SHA512
7080a7d2c54d927960d42063eeea3514ada396c680108d3345660b69149daa446c38848f64138ec075cc7bc9c39112147fabda3fdd7826e763e1b6d1b87f23f1

Download Submit
memory/2652-22-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-23-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-18-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-19-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-20-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-21-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-2-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2652-1-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/2652-24-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-25-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-26-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-27-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-28-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-29-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-30-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2652-31-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download