blackmoon | 21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe
Size

7.1MB
MD5

20deba2f6b306c1970f26bbdf0b0ef2a
SHA1

8ccbba8d4875ba8c9dd4213ef920068e6795d4f3
SHA256

21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226
SHA512

1b79e7f228ad4cec7448e0205d5f71114631481d9c13f189c0758fae30acb33575f14789741480f6e17475fba23414e85ff6b71d6e2a51ebe0b1b2dbfbd8ca32
SSDEEP

98304:Y8MRf8O229UQA/jrXJGkGezFCAM7BuyZV0SRx0p2PauQE22kMqhJ2hG8LD173:Y82829Wj7JGiFDSjn0p2UrhJCG8tL

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\D1Software\plugins\qvlnk.dll	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\D1Software\echs.dll	acprotect

Executes dropped EXE 3 IoCs

Processes:

D1Bin.exeupgrade.exeRepair.exe

pid process

2264 D1Bin.exe
4468 upgrade.exe
1788 Repair.exe
Loads dropped DLL 6 IoCs

Processes:

upgrade.exeRepair.exe

pid process

4468 upgrade.exe
4468 upgrade.exe
4468 upgrade.exe
4468 upgrade.exe
1788 Repair.exe
4468 upgrade.exe

pid	process
2264	D1Bin.exe
4468	upgrade.exe
1788	Repair.exe

pid	process
4468	upgrade.exe
4468	upgrade.exe
4468	upgrade.exe
4468	upgrade.exe
1788	Repair.exe
4468	upgrade.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\D1Software\echs.dll	upx
behavioral2/memory/4468-44-0x0000000002590000-0x00000000026F5000-memory.dmp	upx
behavioral2/memory/4468-63-0x0000000002590000-0x00000000026F5000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

upgrade.exeRepair.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgrade.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Repair.exe

Modifies registry class 3 IoCs

Processes:

D1Bin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\myjiemakey\myjiemakeydeviceId = "844276ccbaa64919b717b4427b5a71c5"	D1Bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\myjiemakey\myjiemakeyInitInfos = "app.ejiema.com"	D1Bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\myjiemakey	D1Bin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

D1Bin.exe

pid process

2264 D1Bin.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

D1Bin.exe

description pid process

Token: SeDebugPrivilege 2264 D1Bin.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

upgrade.exeRepair.exe

pid process

4468 upgrade.exe
4468 upgrade.exe
1788 Repair.exe

pid	process
2264	D1Bin.exe

description	pid	process
Token: SeDebugPrivilege	2264	D1Bin.exe

pid	process
4468	upgrade.exe
4468	upgrade.exe
1788	Repair.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe

description	pid	process	target process
PID 1480 wrote to memory of 2264	1480	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	D1Bin.exe
PID 1480 wrote to memory of 2264	1480	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	D1Bin.exe
PID 1480 wrote to memory of 4468	1480	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	upgrade.exe
PID 1480 wrote to memory of 4468	1480	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	upgrade.exe
PID 1480 wrote to memory of 4468	1480	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	upgrade.exe
PID 1480 wrote to memory of 1788	1480	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	Repair.exe
PID 1480 wrote to memory of 1788	1480	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	Repair.exe
PID 1480 wrote to memory of 1788	1480	21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe	Repair.exe

C:\Users\Admin\AppData\Local\Temp\21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe
"C:\Users\Admin\AppData\Local\Temp\21e9dae31345de68175b0cbc8aaf149cf4e86f9e0f11ef5bbef1af75f95b4226.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Roaming\D1Software\D1Bin.exe
  C:\Users\Admin\AppData\Roaming\D1Software\D1Bin.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Users\Admin\AppData\Roaming\D1Software\upgrade.exe
  C:\Users\Admin\AppData\Roaming\D1Software\upgrade.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4468
- C:\Users\Admin\AppData\Roaming\D1Software\Repair.exe
  C:\Users\Admin\AppData\Roaming\D1Software\Repair.exe -Ho9LN
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D1Software\D1Bin.exe

Filesize
1.9MB

MD5
fde7a5d4a846e1f9a6f5fbd8bd968ea5

SHA1
ca1b727404bb76180df8b35989845f29c740301b

SHA256
95aa01457ba31bb5c5c0d9a37916caca22b6ab3c5e3b2cb7d0da9965f0bc8224

SHA512
d0af43ecacd6ae7bb5769443d16067665c00c5d476d24f2e2d793465caf6852ef32afe01731191f46afe6faececaeca67c0fe1abd0fa355bbf09bb511f815f6f

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\HPSocket4C.dll

Filesize
2.1MB

MD5
c83247fac0840125db662eb3e27ac6a3

SHA1
6d7a24b3d1c10516232a6f3ac4aed8d69da56568

SHA256
2dc7b369e5e3d8c828e2fe947e79df7d4ed60cdb1a004e8e94bf2bf38698cdb2

SHA512
f3359e7ddd3fceeb442ba0b847ac9f744f9df01f02e0cda20078d4ad0af404a53e6151f8d908ad54f0c7d3469769d39c833f34d448f6b9c566a4f413ef41a50f

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\Repair.exe

Filesize
108KB

MD5
7c47b63e458fc168bb0bf6c062597b43

SHA1
be13ca069d69055e7db3d6a883d08058a1f2c633

SHA256
b7db785c19b5a77421cb7f2c0c64b368bc1349b336fbd1191dee877faa81eca2

SHA512
a1e4d591fb58bc22c93ee2cdc04d380d6724df52e6530901d5dfa39ec869a1cf33994dcfd09d0237e00407d056a8ee84826ab40fb43fbf169ea1e6c45570f461

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\config.ini

Filesize
126B

MD5
7fa83d1b30f853a5ac1b01111925158d

SHA1
503f3b22185ced0af02304e9bff3fc93556bcf9e

SHA256
b1840ba418f596a402cb5b2f139d39402f7d1ae85bd5de46edfcef1447d86d33

SHA512
65141abe793495576b40b2ece293bd4ac336096474a97a55a45b715d6e1c2e9f6d49c89327c06686107fc5c948c1d2fdb7728b18c33fb8ee7a8cf23fad807be9

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\echs.dll

Filesize
421KB

MD5
8e5dc64def28aee0032ed0c878127c39

SHA1
ad9685100b71f0fd4f2b3d65f62894beba1937de

SHA256
c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a

SHA512
a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\encode.dat

Filesize
3.9MB

MD5
013d85cf626e32fbc89daa124e10f7f0

SHA1
b3722239f268ee9a6d3408193081633daac6b05b

SHA256
74a5437c4f76f6d88628afc8dfbe7bbd6c2fd6f846cf957ea6262156eb76163c

SHA512
952c317ee5e54c2f55ec646cd1d7241f7a4270eccb8d53fdc6cd99963486bcedb9d66f46c099086de12872e95a515922f4bfc47294e6d58e202a425ef42c538a

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\krnln.fnr

Filesize
1.2MB

MD5
a6a397b67ebac717e7ec095bf9b597ee

SHA1
80c7459654f3564c0cb74a47398d48e0f02cb82f

SHA256
847fbe068ff90112d9b76c04587439ee3a3866d8c60466bb4673491d94ddfd89

SHA512
0eb5528a4aad4458feddbefb5347d0e2cd84d6240a341ccc425d6ed98d15d8588d8635f21d30af389a2af5ac9537bea56a1d97530ac90e965989e296f1c5d8c8

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\plugins\qvlnk.dll

Filesize
492KB

MD5
001db37c243710301a862d8dd8a025e0

SHA1
7e4fc33b58dae290861712e4194e855923ebde1a

SHA256
5e6c4b35329f48fcf8fb7ec5dc13d6a4f41c8d58da1849ec5a761b4af86fbbeb

SHA512
7edee439741daa58e6fc108e28b177f2ac87fc8492dec52f4392df095c187ddd1bace043cdc0a2c0b8c9ddb8f86e7add2f8f822f53c5e25b758b69894f576a16

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\upgrade.exe

Filesize
314KB

MD5
dfee4c679663ffb566a7150bbc1768c7

SHA1
8f8144d26b141d097df742e4ef4d5c85bba685a3

SHA256
f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a

SHA512
23ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52

Download Submit
C:\Users\Admin\AppData\Roaming\D1Software\vcruntime140.dll

Filesize
82KB

MD5
d0520569180accd7e17ed9697711d6ec

SHA1
46cb7e2db7efda70b9a5b75b2fe0bb6038499008

SHA256
13026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c

SHA512
86e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034

Download Submit
memory/1480-6-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1480-3-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1480-5-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1480-28-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1480-14-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1480-55-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/1480-4-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1480-12-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1480-1-0x00007FF93CF8D000-0x00007FF93CF8E000-memory.dmp

Filesize
4KB

Download
memory/1480-21-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1480-56-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1480-7-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1480-2-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1480-0-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/1788-49-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1788-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2264-25-0x0000015860C30000-0x0000015860E12000-memory.dmp

Filesize
1.9MB

Download
memory/2264-31-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/2264-30-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/2264-62-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/2264-64-0x000001587D650000-0x000001587D752000-memory.dmp

Filesize
1.0MB

Download
memory/4468-44-0x0000000002590000-0x00000000026F5000-memory.dmp

Filesize
1.4MB

Download
memory/4468-63-0x0000000002590000-0x00000000026F5000-memory.dmp

Filesize
1.4MB

Download