blackmoon | c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512

Analysis

max time kernel
119s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
Size

80KB
MD5

8cfa8e7334c202857fb9677243a91c20
SHA1

2934bd7a067cce381bd1dda9e31bdcdb37f81553
SHA256

c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512
SHA512

af56a36b9ec45874db3435a817f5d1b6eb10396e5f0dc82cb648413d083faa925ac2c9fdbc8b4699135afe1e48150584d7ca8c8886e900da99de7fa2b2ac2886
SSDEEP

1536:ITJxjZZ29Up2U7O0Ov15+o46zqMi9G7WXnQQvaWh3zWKfx/t126a63H:SHZ2up5JkH+o46LuRXnLdpzp/tg6Z3H

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/3356-14-0x0000000000400000-0x000000000046E000-memory.dmp	family_blackmoon
behavioral2/memory/4560-16-0x0000000000400000-0x000000000046E000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe

Deletes itself 1 IoCs

pid	Process
4560	Syslemsunux.exe

Executes dropped EXE 1 IoCs

pid	Process
4560	Syslemsunux.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3356-0-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/files/0x000600000001da0e-9.dat	upx
behavioral2/memory/3356-14-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4560-16-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Syslemsunux.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe
4560	Syslemsunux.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 4560	3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe	91
PID 3356 wrote to memory of 4560	3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe	91
PID 3356 wrote to memory of 4560	3356	c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe	91

C:\Users\Admin\AppData\Local\Temp\c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
"C:\Users\Admin\AppData\Local\Temp\c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\Local\Temp\Syslemsunux.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemsunux.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Syslemsunux.exe

Filesize
80KB

MD5
a1da8ef954dbca80687321cf8067a371

SHA1
9cbed8463ce02364eaf547840e2d9e85861adc69

SHA256
a43e9de1c7aa5bdf2a6f9ce5d373bc4e46bfecbce74b8dd80c5e66004b536eaf

SHA512
5f0bcf8522d27ad84d13ec6ceb001eb0178824924dcba0a183b47c42403e6e24a1a552ea86b7f694832b8a3f713eb92e479b75cbdee6315d81cd3623d144d6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
103B

MD5
fe345ad5f8b23717307b0722b2e6be11

SHA1
1b898ac380f34691c357daa9d746df8060fb115d

SHA256
dc3a6784497c84c75af526c02a22e0de7ac29b5315ed6077a74fbce81a86e8ce

SHA512
fd76b0d9e282a1a42a583fe4b388fe39797c83106e01d8b68407cc21b71e24ae925e76fd66bf9a2d5320dd65630841474da0e7dfa93f31648e935a541efab317

Download Submit
memory/3356-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3356-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4560-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download