blackmoon | a3779fc0e5cc0845faab56b3bd00bcc4dfbc289ba8f645d4d4fc4ae6834248fc

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3779fc0e5cc0845faab56b3bd00bcc4dfbc289ba8f645d4d4fc4ae6834248fcN.exe
Size

3.8MB
MD5

606b97ece0952eaa2da4cffa96e1fab0
SHA1

12054550a8c1fc0bd9458d82abc2a0d93286fd5e
SHA256

a3779fc0e5cc0845faab56b3bd00bcc4dfbc289ba8f645d4d4fc4ae6834248fc
SHA512

13c271574f6c647eb9065b2ab20290aa60fb76f61b0c12162ffecf9eb784e6c65d48d6d2a573c8de981b27dd692ee8ce5c8e5d072b6c8d76501bad7f3ca43b01
SSDEEP

49152:IsCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98F:76XLq/qPPslzKx/dJg1ErmNC

Score

10^/10

blackmoon njrat banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/2888-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_blackmoon
behavioral1/memory/2888-3-0x0000000000220000-0x0000000000248000-memory.dmp	family_blackmoon
behavioral1/files/0x000b000000012259-7.dat	family_blackmoon
behavioral1/memory/2888-8-0x0000000000400000-0x0000000000428000-memory.dmp	family_blackmoon

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
1720	rlrxlrx.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2888-0-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2888-3-0x0000000000220000-0x0000000000248000-memory.dmp	upx
behavioral1/files/0x000b000000012259-7.dat	upx
behavioral1/memory/2888-8-0x0000000000400000-0x0000000000428000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2348	1720	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3779fc0e5cc0845faab56b3bd00bcc4dfbc289ba8f645d4d4fc4ae6834248fcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rlrxlrx.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1720	2888	a3779fc0e5cc0845faab56b3bd00bcc4dfbc289ba8f645d4d4fc4ae6834248fcN.exe	31
PID 2888 wrote to memory of 1720	2888	a3779fc0e5cc0845faab56b3bd00bcc4dfbc289ba8f645d4d4fc4ae6834248fcN.exe	31
PID 2888 wrote to memory of 1720	2888	a3779fc0e5cc0845faab56b3bd00bcc4dfbc289ba8f645d4d4fc4ae6834248fcN.exe	31
PID 2888 wrote to memory of 1720	2888	a3779fc0e5cc0845faab56b3bd00bcc4dfbc289ba8f645d4d4fc4ae6834248fcN.exe	31
PID 1720 wrote to memory of 2348	1720	rlrxlrx.exe	32
PID 1720 wrote to memory of 2348	1720	rlrxlrx.exe	32
PID 1720 wrote to memory of 2348	1720	rlrxlrx.exe	32
PID 1720 wrote to memory of 2348	1720	rlrxlrx.exe	32

C:\Users\Admin\AppData\Local\Temp\a3779fc0e5cc0845faab56b3bd00bcc4dfbc289ba8f645d4d4fc4ae6834248fcN.exe
"C:\Users\Admin\AppData\Local\Temp\a3779fc0e5cc0845faab56b3bd00bcc4dfbc289ba8f645d4d4fc4ae6834248fcN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- \??\c:\rlrxlrx.exe
  c:\rlrxlrx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 36
    3⤵
    - Program crash
    PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\rlrxlrx.exe

Filesize
3.8MB

MD5
0f742ae47c8aa44ed0781fe4305f3154

SHA1
bcd3b59a305d2cc7dd42cfb1c03a6527c70f8966

SHA256
c3dafcaab62b8795c63f43bcc5e206f21ef3098855665731529dd40ff5da5aad

SHA512
98a1ff7f77d85fe65108fafc75d498faf97b839d7a5efdd0ed6b94ae6b32e1607d09f46d87d4f53e2fb2b21502c94590810e47b412c4887b3f10b567ebb3ae7a

Download Submit
memory/2888-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2888-3-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/2888-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download