Malware Analysis Report

2024-11-13 18:01

Sample ID 241109-24wtxsxjgj
Target 6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f
SHA256 6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f
Tags: blackmoon, banker, discovery, trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f was found to be: Known bad.

Malicious Activity Summary

Blackmoon family

Blackmoon, KrBanker

Detect Blackmoon payload

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 23:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 23:08

Reported

2024-11-09 23:11

Platform

win7-20240903-en

Max time kernel

141s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe"

Signatures

Blackmoon family (tags: blackmoon)

Blackmoon, KrBanker (tags: trojan, banker, blackmoon)

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\rrxfflr.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\rrxfflr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\friendl.dll \??\c:\rrxfflr.exe N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe

"C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe"

\??\c:\rrxfflr.exe

c:\rrxfflr.exe

Network

N/A

Files

memory/2656-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2656-8-0x0000000000400000-0x000000000042A000-memory.dmp

C:\rrxfflr.exe

MD5 db3ae2daaa4303b6ee96580ddfb819c7
SHA1 c4b0b1172afb86f8b1b4d7f820a89e32ba6c0d83
SHA256 36c6b41da2b32d1acb91875960feffaf9c22d50fe5f5c6cb3a74e9eb539e0d5c
SHA512 6987e04d9a9cbc8b1dc604417e29802ffb39bf5120106b3da8a5633766ee71f46d0700ed23e6c3bcd2ca280a088c0b8adf745fe380d997eb2430bdf0c39fe60e

memory/2676-12-0x0000000000400000-0x000000000042A000-memory.dmp

\??\c:\jl

MD5 c72435f0134385f41d2fc24c8f4a7687
SHA1 2d5dbc00256e7dc918570f8acc9f266c5cb0ae7e
SHA256 8cae4f978fcc9faf02a2472cd92e0b3fbccc4b54f8f660bad15fc23e2b29bcf6
SHA512 d2b72ba8e2260e4a8cee7b7235bd618c4bc759b46d2b6ab6b11462b82d2ccde8d43324a7655ba15c59970eaac96b93cd3ab330226b2b89c46c888093ed31d87c

memory/2676-13-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 23:08

Reported

2024-11-09 23:11

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe"

Signatures

Blackmoon family (tags: blackmoon)

Blackmoon, KrBanker (tags: trojan, banker, blackmoon)

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\ttnhhh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\ttnhhh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\friendl.dll \??\c:\ttnhhh.exe N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\ttnhhh.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe

"C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe"

\??\c:\ttnhhh.exe

c:\ttnhhh.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/5080-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\ttnhhh.exe

MD5 7405cc2fa74288f60071b79ca8a3bd05
SHA1 f155ede9c87d0f6c550c72651a62cf8ae625b064
SHA256 66a9d399557093243b0fe97545d4cd87059f20fcef2eabe6acae38cc142d9631
SHA512 cc50efef0e434a1b8deb63377d3fc16f17adc8bd23c7e8aa5b06827d6a06c82177eeb57b86e308c8ad25edd90e2e606de5fbee086de7a87c4bd9379e5f7dd83e

memory/5080-7-0x0000000000400000-0x000000000042A000-memory.dmp

\??\c:\jl

MD5 c72435f0134385f41d2fc24c8f4a7687
SHA1 2d5dbc00256e7dc918570f8acc9f266c5cb0ae7e
SHA256 8cae4f978fcc9faf02a2472cd92e0b3fbccc4b54f8f660bad15fc23e2b29bcf6
SHA512 d2b72ba8e2260e4a8cee7b7235bd618c4bc759b46d2b6ab6b11462b82d2ccde8d43324a7655ba15c59970eaac96b93cd3ab330226b2b89c46c888093ed31d87c

memory/4188-10-0x0000000000400000-0x000000000042A000-memory.dmp