blackmoon | 21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226

Analysis

max time kernel
131s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe
Size

7.1MB
MD5

20deba2f6b306c1970f26bbdf0b0ef2a
SHA1

8ccbba8d4875ba8c9dd4213ef920068e6795d4f3
SHA256

21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226
SHA512

1b79e7f228ad4cec7448e0205d5f71114631481d9c13f189c0758fae30acb33575f14789741480f6e17475fba23414e85ff6b71d6e2a51ebe0b1b2dbfbd8ca32
SSDEEP

98304:Y8MRf8O229UQA/jrXJGkGezFCAM7BuyZV0SRx0p2PauQE22kMqhJ2hG8LD173:Y82829Wj7JGiFDSjn0p2UrhJCG8tL

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\D1Software\Plugins\qvlnk.dll	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\D1Software\echs.dll	acprotect

Executes dropped EXE 3 IoCs

Processes:

D1Bin.exeupgrade.exeRepair.exe

pid process

2268 D1Bin.exe
2416 upgrade.exe
2824 Repair.exe
Loads dropped DLL 5 IoCs

Processes:

upgrade.exeRepair.exe

pid process

2416 upgrade.exe
2416 upgrade.exe
2824 Repair.exe
2416 upgrade.exe
2416 upgrade.exe

pid	process
2268	D1Bin.exe
2416	upgrade.exe
2824	Repair.exe

pid	process
2416	upgrade.exe
2416	upgrade.exe
2824	Repair.exe
2416	upgrade.exe
2416	upgrade.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\D1Software\echs.dll	upx
behavioral1/memory/2416-45-0x00000000025A0000-0x0000000002705000-memory.dmp	upx
behavioral1/memory/2416-61-0x00000000025A0000-0x0000000002705000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

upgrade.exeRepair.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgrade.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Repair.exe

Modifies registry class 3 IoCs

Processes:

D1Bin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\myjiemakey	D1Bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\myjiemakey\myjiemakeydeviceId = "b7b074f53a4e4ec395e877c90c3820d0"	D1Bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\myjiemakey\myjiemakeyInitInfos = "app.ejiema.com"	D1Bin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

D1Bin.exe

pid process

2268 D1Bin.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

D1Bin.exe

description pid process

Token: SeDebugPrivilege 2268 D1Bin.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

upgrade.exeRepair.exe

pid process

2416 upgrade.exe
2416 upgrade.exe
2824 Repair.exe

pid	process
2268	D1Bin.exe

description	pid	process
Token: SeDebugPrivilege	2268	D1Bin.exe

pid	process
2416	upgrade.exe
2416	upgrade.exe
2824	Repair.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe

description	pid	process	target process
PID 2332 wrote to memory of 2268	2332	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	D1Bin.exe
PID 2332 wrote to memory of 2268	2332	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	D1Bin.exe
PID 2332 wrote to memory of 2268	2332	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	D1Bin.exe
PID 2332 wrote to memory of 2416	2332	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	upgrade.exe
PID 2332 wrote to memory of 2416	2332	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	upgrade.exe
PID 2332 wrote to memory of 2416	2332	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	upgrade.exe
PID 2332 wrote to memory of 2416	2332	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	upgrade.exe
PID 2332 wrote to memory of 2824	2332	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	Repair.exe
PID 2332 wrote to memory of 2824	2332	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	Repair.exe
PID 2332 wrote to memory of 2824	2332	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	Repair.exe
PID 2332 wrote to memory of 2824	2332	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	Repair.exe

C:\Users\Admin\AppData\Local\Temp\21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe
"C:\Users\Admin\AppData\Local\Temp\21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Roaming\D1Software\D1Bin.exe
  C:\Users\Admin\AppData\Roaming\D1Software\D1Bin.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Users\Admin\AppData\Roaming\D1Software\upgrade.exe
  C:\Users\Admin\AppData\Roaming\D1Software\upgrade.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2416
- C:\Users\Admin\AppData\Roaming\D1Software\Repair.exe
  C:\Users\Admin\AppData\Roaming\D1Software\Repair.exe -Ho9LN
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D1Software\D1Bin.exe

Filesize
1.9MB

MD5
fde7a5d4a846e1f9a6f5fbd8bd968ea5

SHA1
ca1b727404bb76180df8b35989845f29c740301b

SHA256
95aa01457ba31bb5c5c0d9a37916caca22b6ab3c5e3b2cb7d0da9965f0bc8224

SHA512
d0af43ecacd6ae7bb5769443d16067665c00c5d476d24f2e2d793465caf6852ef32afe01731191f46afe6faececaeca67c0fe1abd0fa355bbf09bb511f815f6f

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\HPSocket4C.dll

Filesize
2.1MB

MD5
c83247fac0840125db662eb3e27ac6a3

SHA1
6d7a24b3d1c10516232a6f3ac4aed8d69da56568

SHA256
2dc7b369e5e3d8c828e2fe947e79df7d4ed60cdb1a004e8e94bf2bf38698cdb2

SHA512
f3359e7ddd3fceeb442ba0b847ac9f744f9df01f02e0cda20078d4ad0af404a53e6151f8d908ad54f0c7d3469769d39c833f34d448f6b9c566a4f413ef41a50f

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\Plugins\qvlnk.dll

Filesize
492KB

MD5
001db37c243710301a862d8dd8a025e0

SHA1
7e4fc33b58dae290861712e4194e855923ebde1a

SHA256
5e6c4b35329f48fcf8fb7ec5dc13d6a4f41c8d58da1849ec5a761b4af86fbbeb

SHA512
7edee439741daa58e6fc108e28b177f2ac87fc8492dec52f4392df095c187ddd1bace043cdc0a2c0b8c9ddb8f86e7add2f8f822f53c5e25b758b69894f576a16

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\Repair.exe

Filesize
108KB

MD5
7c47b63e458fc168bb0bf6c062597b43

SHA1
be13ca069d69055e7db3d6a883d08058a1f2c633

SHA256
b7db785c19b5a77421cb7f2c0c64b368bc1349b336fbd1191dee877faa81eca2

SHA512
a1e4d591fb58bc22c93ee2cdc04d380d6724df52e6530901d5dfa39ec869a1cf33994dcfd09d0237e00407d056a8ee84826ab40fb43fbf169ea1e6c45570f461

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\VCRUNTIME140.dll

Filesize
82KB

MD5
d0520569180accd7e17ed9697711d6ec

SHA1
46cb7e2db7efda70b9a5b75b2fe0bb6038499008

SHA256
13026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c

SHA512
86e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\config.ini

Filesize
126B

MD5
fdb1fbe7b0423799b2c2f78e214b50f3

SHA1
eff0217dcb1769f310d70bdede93f3a923007215

SHA256
aa9294bbdb15149badf52073c3a010ce63a8786d7b7c343d2d8acf4d80f4a1e6

SHA512
6cc135a06905065ee64534ae6e9dd4fe190e3a4b92f782416609a27d7658273bd41c43411ac4cd67fedcc4d0fc1b4a281b54bed832949fcc0aacd3389afb031c

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\echs.dll

Filesize
421KB

MD5
8e5dc64def28aee0032ed0c878127c39

SHA1
ad9685100b71f0fd4f2b3d65f62894beba1937de

SHA256
c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a

SHA512
a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\encode.dat

Filesize
3.9MB

MD5
013d85cf626e32fbc89daa124e10f7f0

SHA1
b3722239f268ee9a6d3408193081633daac6b05b

SHA256
74a5437c4f76f6d88628afc8dfbe7bbd6c2fd6f846cf957ea6262156eb76163c

SHA512
952c317ee5e54c2f55ec646cd1d7241f7a4270eccb8d53fdc6cd99963486bcedb9d66f46c099086de12872e95a515922f4bfc47294e6d58e202a425ef42c538a

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\krnln.fnr

Filesize
1.2MB

MD5
a6a397b67ebac717e7ec095bf9b597ee

SHA1
80c7459654f3564c0cb74a47398d48e0f02cb82f

SHA256
847fbe068ff90112d9b76c04587439ee3a3866d8c60466bb4673491d94ddfd89

SHA512
0eb5528a4aad4458feddbefb5347d0e2cd84d6240a341ccc425d6ed98d15d8588d8635f21d30af389a2af5ac9537bea56a1d97530ac90e965989e296f1c5d8c8

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\upgrade.exe

Filesize
314KB

MD5
dfee4c679663ffb566a7150bbc1768c7

SHA1
8f8144d26b141d097df742e4ef4d5c85bba685a3

SHA256
f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a

SHA512
23ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52

Download Submit
memory/2268-51-0x0000000000080000-0x0000000000262000-memory.dmp

Filesize
1.9MB

Download
memory/2268-28-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2268-59-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2332-50-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2332-18-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2332-25-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2332-0-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/2332-49-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/2332-3-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2332-2-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2332-1-0x00000000772D1000-0x00000000772D2000-memory.dmp

Filesize
4KB

Download
memory/2332-24-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2416-45-0x00000000025A0000-0x0000000002705000-memory.dmp

Filesize
1.4MB

Download
memory/2416-61-0x00000000025A0000-0x0000000002705000-memory.dmp

Filesize
1.4MB

Download
memory/2824-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2824-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download