blackmoon | e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe
Size

436KB
MD5

be57979dcc44b1d0e3d22c7a524c2fda
SHA1

bec2683275447573039d51223ef6f2e3d716f8d5
SHA256

e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e
SHA512

7ab2dde10945e52b511797f43efa12d3067ee3e9084984e9c1842762a236f9dc4c3b280b095770d4a6f156de81f09bfca29cc3a2d3b809e4e5311ebc89722186
SSDEEP

6144:dGdR+Yk/N8duBmG6t+UnRsRCQ/OJZOg7u:doR+Y4NSG6oUnRsdOJZOg7u

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d3b-7.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2740	Syslemcsfcl.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	Syslemcsfcl.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe
2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe
2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe
2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe
2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe
2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe
2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe
2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe
2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe
2740	Syslemcsfcl.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2740	2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe	32
PID 2252 wrote to memory of 2740	2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe	32
PID 2252 wrote to memory of 2740	2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe	32
PID 2252 wrote to memory of 2740	2252	e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe	32

C:\Users\Admin\AppData\Local\Temp\e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe
"C:\Users\Admin\AppData\Local\Temp\e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\Syslemcsfcl.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemcsfcl.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
7892fd2a20a5339f5c4217c731b58515

SHA1
6ce46ebddf0e5d31bffdf6c52e5b816b8d0f1262

SHA256
3cdcb52bb8b8aa20253be35fcc874e47a8839b4f3694a854e8c4f5b442e6a4bf

SHA512
0ef09a90ec55e320826b2670055ca3b7b45b9b01eca787f72cd92dc837e332e2cc0bdf0e8a7e78c396fe5e3791d6ec8bab856707470c3f4d5109d57377d72736

Download Submit
\Users\Admin\AppData\Local\Temp\Syslemcsfcl.exe

Filesize
436KB

MD5
7e2671810d2caaef4f9b27b2a722bd65

SHA1
40f0addd5139c6594d89f4e448a447d93fed44ef

SHA256
a1c75da4fd7f7840bc0c034da74ca676629ede1f30a3808d4577b3581d865419

SHA512
25a749959c8abf433c6a04a02951d89a63c7bb0d7f6441c31fa72baf15422dd390f735ab17373b541f745d2a857ece769ed60c8809ec9bebca5532332847b0dd

Download Submit