blackmoon | eece8f6aa859eec0d58fde08b08d6716d0df66aacd180d102b4df5b4896bc23e

Analysis

max time kernel
125s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

exe.exe
Size

406KB
MD5

c1105b325208b94c7f2a054901ee7122
SHA1

6d43a222928259afed09081427cea7efbe64cd33
SHA256

eece8f6aa859eec0d58fde08b08d6716d0df66aacd180d102b4df5b4896bc23e
SHA512

760efa89bd317d9383aae85f41f6d090461e21522cd8e4f4c5c90503ba9e0d4ec265fbdfa8c76fd32c1305c51128f27ea7a246b180fd5d574af64f0966093142
SSDEEP

3072:hR3TSduMAhgamPis0/iR8mbeUUHoYOooc422f2c+2XF9HQjMR:hRjJhgaAis0/28mbVUHoQMj

Score

10^/10

blackmoon fatalrat banker discovery infostealer rat trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2456-3-0x0000000000400000-0x00000000004A7000-memory.dmp	family_blackmoon
behavioral1/memory/2456-2-0x0000000000400000-0x00000000004A7000-memory.dmp	family_blackmoon
behavioral1/memory/2456-1-0x0000000000400000-0x00000000004A7000-memory.dmp	family_blackmoon
behavioral1/memory/2456-5-0x0000000000400000-0x00000000004A7000-memory.dmp	family_blackmoon
behavioral1/memory/2456-20-0x0000000000400000-0x00000000004A7000-memory.dmp	family_blackmoon
behavioral1/memory/2456-23-0x0000000000400000-0x00000000004A7000-memory.dmp	family_blackmoon
behavioral1/memory/2456-27-0x0000000000400000-0x00000000004A7000-memory.dmp	family_blackmoon
behavioral1/memory/2456-32-0x0000000000400000-0x00000000004A7000-memory.dmp	family_blackmoon
behavioral1/memory/2456-35-0x0000000000400000-0x00000000004A7000-memory.dmp	family_blackmoon
behavioral1/memory/2456-38-0x0000000000400000-0x00000000004A7000-memory.dmp	family_blackmoon
behavioral1/memory/2456-80-0x0000000000400000-0x00000000004A7000-memory.dmp	family_blackmoon
behavioral1/memory/2456-102-0x0000000000400000-0x00000000004A7000-memory.dmp	family_blackmoon

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/1880-95-0x0000000010000000-0x000000001002D000-memory.dmp	fatalrat

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

mesvc.exeupssvc.exespower.exesvchost.exe

pid process

2620 mesvc.exe
2920 upssvc.exe
2944 spower.exe
1880 svchost.exe

pid	process
2620	mesvc.exe
2920	upssvc.exe
2944	spower.exe
1880	svchost.exe

Loads dropped DLL 14 IoCs

Processes:

mesvc.exeexe.exe

pid	process
1212
1212
2620	mesvc.exe
2620	mesvc.exe
2620	mesvc.exe
2620	mesvc.exe
2620	mesvc.exe
2620	mesvc.exe
2620	mesvc.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\8lzwrz7fevekc6c\spower.exe	vmprotect
behavioral1/memory/2456-65-0x0000000003CC0000-0x0000000003EFA000-memory.dmp	vmprotect
behavioral1/memory/2944-71-0x000000013FB10000-0x000000013FD4A000-memory.dmp	vmprotect
behavioral1/memory/2944-73-0x000000013FB10000-0x000000013FD4A000-memory.dmp	vmprotect
behavioral1/memory/2944-84-0x000000013FB10000-0x000000013FD4A000-memory.dmp	vmprotect

Drops file in Program Files directory 10 IoCs

Processes:

exe.exeupssvc.exe

description	ioc	process
File created	C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe	exe.exe
File created	C:\Program Files\Microvirt\MEmuHyperv\libcrypto-1_1-x64.dll	exe.exe
File created	C:\Program Files\Microvirt\MEmuHyperv\libcurl.dll	exe.exe
File created	C:\Program Files\Microvirt\MEmuHyperv\libssl-1_1-x64.dll	exe.exe
File opened for modification	C:\Program Files (x86)\360\360Safe\safemon\360tray.exe	upssvc.exe
File created	C:\Program Files\Microvirt\MEmuHyperv\MEmuDDU.dll	exe.exe
File created	C:\Program Files\Microvirt\MEmuHyperv\MEmuRT.dll	exe.exe
File created	C:\Program Files\Microvirt\MEmuHyperv\MSVCP100.dll	exe.exe
File created	C:\Program Files\Microvirt\MEmuHyperv\MSVCR100.dll	exe.exe
File opened for modification	C:\Program Files (x86)\360\360sd\360sd.exe	upssvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SCHTASKS.exeexe.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

SCHTASKS.exe

pid process

1740 SCHTASKS.exe

pid	process
1740	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

exe.exe

pid	process
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe
2456	exe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 1880 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

exe.exe

pid process

2456 exe.exe
2456 exe.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

exe.exe

pid process

2456 exe.exe

description	pid	process
Token: SeDebugPrivilege	1880	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

exe.exe

description	pid	process	target process
PID 2456 wrote to memory of 2944	2456	exe.exe	spower.exe
PID 2456 wrote to memory of 2944	2456	exe.exe	spower.exe
PID 2456 wrote to memory of 2944	2456	exe.exe	spower.exe
PID 2456 wrote to memory of 2944	2456	exe.exe	spower.exe
PID 2456 wrote to memory of 2920	2456	exe.exe	upssvc.exe
PID 2456 wrote to memory of 2920	2456	exe.exe	upssvc.exe
PID 2456 wrote to memory of 2920	2456	exe.exe	upssvc.exe
PID 2456 wrote to memory of 2920	2456	exe.exe	upssvc.exe
PID 2456 wrote to memory of 1880	2456	exe.exe	svchost.exe
PID 2456 wrote to memory of 1880	2456	exe.exe	svchost.exe
PID 2456 wrote to memory of 1880	2456	exe.exe	svchost.exe
PID 2456 wrote to memory of 1880	2456	exe.exe	svchost.exe
PID 2456 wrote to memory of 1740	2456	exe.exe	SCHTASKS.exe
PID 2456 wrote to memory of 1740	2456	exe.exe	SCHTASKS.exe
PID 2456 wrote to memory of 1740	2456	exe.exe	SCHTASKS.exe
PID 2456 wrote to memory of 1740	2456	exe.exe	SCHTASKS.exe

C:\Users\Admin\AppData\Local\Temp\exe.exe
"C:\Users\Admin\AppData\Local\Temp\exe.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\8lzwrz7fevekc6c\spower.exe
  C:\Users\Admin\AppData\Local\Temp\8lzwrz7fevekc6c\spower.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\8lzwrz7fevekc6c\upssvc.exe
  C:\Users\Admin\AppData\Local\Temp\8lzwrz7fevekc6c\upssvc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2920
- C:\ProgramData\NVIDIARV\svchost.exe
  C:\ProgramData\NVIDIARV\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\SysWOW64\SCHTASKS.exe
  SCHTASKS /Create /SC ONLOGON /TN WindowsUpdata /F /RL HIGHEST /TR C:\Users\Public\Pictures8lzwrz7f\CCCef3Render.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1740

C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe
"C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8lzwrz7fevekc6c\upssvc.exe

Filesize
146KB

MD5
5645f4739313841c6af76fa40d1a2d95

SHA1
1fdf5d9e098fba6d49893b89eb8ca6a3ec7b8477

SHA256
fcdf15c6c5100c37876317cb678b4b2021dfa502e0d9872600c3060a3fc284c4

SHA512
038e74667a280be2ed4b9d3afb0711d6574a1316b73dd6a578e3e3066080d166d0e66755b150f4f77cd8b471c1d7a84bb023d4ac34d5cd380ce350b3ae570916

Download Submit
C:\Users\Public\Pictures\temp.tmp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Microvirt\MEmuHyperv\MEmuDDU.dll

Filesize
355KB

MD5
ce98c3cbd7bfcca2755b35e77a2bceb2

SHA1
c12c20bb69e7858682ab6bb21ca3971880efdc07

SHA256
1ec46488b2db690f6f769c6cfa7e3021ee6f88096303f04be43f3f2150d8c946

SHA512
dfc4f4b300cd2dc0d0f19b415da157b15ce666e1927266feb7a445ffb9199620bb7fc55746239f81fd3f79133c64c8d41822ccddc625288a33a6737a062faee5

Download Submit
\Program Files\Microvirt\MEmuHyperv\MEmuRT.dll

Filesize
3.8MB

MD5
56719cc92af72f56f46a5798b1430d9e

SHA1
497456e1b225a541058c8d7f96f2a3ef082d147c

SHA256
ca5e9919a5b3612a2faaab0f08f3e95db69e3d88d821a706c5d68d3f0d86d060

SHA512
5ca3fd7d6f86c5969949e55669c315287084633ccd42aae45cef170bce4fb05071637aaf6a9fce973cdb32003fdf02e184c8dc5aa3c327a17d3889084e07637a

Download Submit
\Program Files\Microvirt\MEmuHyperv\MSVCP100.dll

Filesize
612KB

MD5
89acd78f8c6d92947b3fcc78c7493036

SHA1
3317bd26eda9a7a0d49dfcfe27673d96b2873c95

SHA256
e7675926ff8f230e3ce88de65e47ab3fd6f8d617a93e062dd9ecc4226e9d16c0

SHA512
08ddb16ab60ea0f531f7853dc6a66a7a2302516e1b54258f2884528a4304cb05111b073d15387702c359f00bd96156043cadddd2b230bfa8bd288b578a11225f

Download Submit
\Program Files\Microvirt\MEmuHyperv\MSVCR100.dll

Filesize
830KB

MD5
34b2d5ad1c7c600f9d24660928a03382

SHA1
ab9621342ada12b355ea5fcd76b666193898c11b

SHA256
d7d6ff911503e848ffc6c0ba43382cc2e1e00b367d55ffdb883c54b688c5c28e

SHA512
0d86a396f81864c9ce5a57090fd45745f8c66a28f78fb469a6d62ce01c519f6a0c58d904afa99baef2f74ae4fe2308dc710c901d0394779837b82748679363fa

Download Submit
\Program Files\Microvirt\MEmuHyperv\libcrypto-1_1-x64.dll

Filesize
2.6MB

MD5
6def652fd7e5207c374fc51534bda953

SHA1
ee23eab28dd67ce96e7799a31801580c824cde5f

SHA256
80677a75588101ca6da2a22b74c02bd5b91aba2a62d1bce20d07370a9ddf0118

SHA512
f3284532571bfb83a622b019040e4882866941c66a06a9c83da23a1a820b940c48ffedd1d109c799b64d6bd30775cdb9ea1067869f565116653988bd763552a8

Download Submit
\Program Files\Microvirt\MEmuHyperv\libcurl.dll

Filesize
365KB

MD5
75b9bbfcf9581252474a5d1daa6e6641

SHA1
0fb1cfa16bf68fb13ba9816c2354af358bded167

SHA256
c78b0aa24630b35dfd3030626f873a89a39944ffa620b6afb42ae50eb1618f4b

SHA512
ed527526fd6053425fcefdfa5174d7dfa3b3b3601f33f8019b1215c9f1b85d823910f5a02c9bdd296d70058a516f9d464f42e712903144315e17f4ce7ad17561

Download Submit
\Program Files\Microvirt\MEmuHyperv\libssl-1_1-x64.dll

Filesize
639KB

MD5
2b242983d5fc098515105268eb22f0b7

SHA1
6a660eae893f16b988b44ec943a8dacf808f467e

SHA256
1679808a0a410e73d7807c1facfd0ce0ee1e6270b35d29dcdf0a8977c17418ac

SHA512
905b01240f92124f71acd61a075887d89a83699681f585a246aa44b9d514829adec5ab827d720c7c7eccd8392698ee3f18fe9b2f7fcd81000cb0f40caa28ff06

Download Submit
\Program Files\Microvirt\MEmuHyperv\mesvc.exe

Filesize
4.6MB

MD5
8c1eca3e2fe8f5fd1a0ce4b4a8cf4409

SHA1
8d45e044cbdcf645fe359864bc700b2568032687

SHA256
6ef47689ea1309e43869ec59861a677fe4e40cf03eb89386fc7d32fc516e9671

SHA512
4bf03b1453fa1f1bed14cb133c01c7b9b348f82da775bbbeaefc7867d348928c265b6b38623ced8b711138876365d63a669955920a5b5ae119975184297fe54f

Download Submit
\ProgramData\NVIDIARV\svchost.exe

Filesize
3.3MB

MD5
3670adfc30d5b2719002b7dfce6192b5

SHA1
23b4956a4ee353153a8ceda6b14079d26303cc78

SHA256
56c03d3a3e962ad2c0167b1baa48f309a368f1c132e4b9b10142eeb2b862679a

SHA512
1648e62c7ba77618e60066ef245af255a1df968b5b7b75a484a16aa0540b50252fc8461156d8b9a4d756cd7ed6567364d21d4c0093633787d310e943caf6712e

Download Submit
\Users\Admin\AppData\Local\Temp\8lzwrz7fevekc6c\spower.exe

Filesize
1.1MB

MD5
3c124149591abc905e07753ad7bf5a35

SHA1
c8d0fe2de8882bd26c394b7e602142f6c9674e43

SHA256
1520fa7e27eb0b310bc83946594251b570f1d4042345eea243010260e7676ac6

SHA512
67e30eda7eb311a7778c6cde5f1fbec7cd72e00a650f89e2930135ce8861c5128ddc1e463d225eb011bf5359d1f16571f1c6f42ce629c3a76fe586268624911e

Download Submit
memory/1880-95-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/1880-93-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/2456-67-0x0000000003220000-0x0000000003269000-memory.dmp

Filesize
292KB

Download
memory/2456-80-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-5-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-1-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-0-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-38-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-2-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-102-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-23-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-66-0x0000000003220000-0x0000000003269000-memory.dmp

Filesize
292KB

Download
memory/2456-65-0x0000000003CC0000-0x0000000003EFA000-memory.dmp

Filesize
2.2MB

Download
memory/2456-27-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-32-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-3-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-35-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-83-0x0000000003220000-0x0000000003269000-memory.dmp

Filesize
292KB

Download
memory/2456-20-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2456-82-0x0000000003CC0000-0x0000000003EFA000-memory.dmp

Filesize
2.2MB

Download
memory/2920-79-0x000000013FBD0000-0x000000013FC19000-memory.dmp

Filesize
292KB

Download
memory/2920-77-0x000000013FBD0000-0x000000013FC19000-memory.dmp

Filesize
292KB

Download
memory/2920-69-0x000000013FBD0000-0x000000013FC19000-memory.dmp

Filesize
292KB

Download
memory/2944-84-0x000000013FB10000-0x000000013FD4A000-memory.dmp

Filesize
2.2MB

Download
memory/2944-73-0x000000013FB10000-0x000000013FD4A000-memory.dmp

Filesize
2.2MB

Download
memory/2944-71-0x000000013FB10000-0x000000013FD4A000-memory.dmp

Filesize
2.2MB

Download