blackmoon | 471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

Sharing

Copy URL

Twitter E-mail

General

Target

Batch_4.zip
Size

8.6MB
Sample

241122-lbq5zatqbp
MD5

3179e3edf25f87e78f2fd054faf6ae60
SHA1

7648fb854c73c9a191b935278bcefd58cc5ad3fc
SHA256

471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0
SHA512

b7d25a1a9008d363058192cd353fdd58c504db313bbcd9bf1090688c8af735f696c8a0551b3023f948de66f9f33c20c5cee18bde680afe7b2e2b60074f8abab7
SSDEEP

196608:ttxPNvdJy9CNBi63RgR+itIShWmG9E6rHm5F2T97o:Vh7iCNveR+ipWmNEBo

Score

10^/10

Malware Config

Targets

- Target
  
  757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4.exe
- Size
  
  18KB
- MD5
  
  d8e99fcae9a469c2081e7ff01675c361
- SHA1
  
  ef7c4358717ec9d04b9adc8e40b1eb928885ebf0
- SHA256
  
  757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4
- SHA512
  
  cd75242646dde33b7c792e9bf9fe976ce7f2dd1b02c5c97a4cf2f9f80cfae1bd44463fc2b0f9e002d17087358fafa298ca0d4dc4aff17405df95f13099c79b02
- SSDEEP
  
  384:rd7gYWDhghSmeSQjkCg3St1bVz1LTwbZxssimS8dHDT:6lg/eLjkCwQQFx8SHX
Score

9^/10

ransomware spyware stealer
- Renames multiple (786) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2_not_packed_maybe_useless.exe
- Size
  
  89KB
- MD5
  
  0af473977e2b58a3630dc2bd59245127
- SHA1
  
  6b1086070e0918c428b4f6688fe2760c9ab9dfea
- SHA256
  
  76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2
- SHA512
  
  d2f001ed413538368597585483c6745ab1bec058e227ada41937b75435f9456135b876e0ce40249389448b9769a37c3c06233c0d648cfaf9f613e42ad0b92450
- SSDEEP
  
  1536:ef/SovFSSZtDgN+DpDkDEFtC+YF8965L+v:I/zv0SZtDgN+Dp+ErYF896W
Score

10^/10

persistence discovery
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_Dumped_TDS=4F9911B3.exe
- Size
  
  116KB
- MD5
  
  5a580ab3f5b3806da853459e9ef7b368
- SHA1
  
  df93c0f0dd694ab49646b539418b67d83eafccb5
- SHA256
  
  5f60eed8e27867c843387fe7fece3af688586a40c8d3dd2c27647b23cc200fdc
- SHA512
  
  91ecd8f00f4cd6c7d199eb365cb7cfa414bcab41b144fe7a5f43529e560201a81284cdb3a3d18d252e2eb4429a67f2db5718eacc8bf1eeb072958c0a4be20a3b
- SSDEEP
  
  1536:tf/YvFSSZtDgN+DrDkDEFtCwbfF89lGL+vpCYC:Z/Yv0SZtDgN+Dr+ErbfF89llpTC
Score

10^/10

persistence discovery
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral5 behavioral6
- Target
  
  78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_TDS=4FA04B59.exe
- Size
  
  72KB
- MD5
  
  f0b567179d42d5d4f27d6d9a7fcf183f
- SHA1
  
  fb91a4f85ad3576110cdb476b0eb94c2e14a4e1b
- SHA256
  
  78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b
- SHA512
  
  ca5afd8671f79d1ee55d51aa75330daac87e4cb116b5b8f60d5be2ed1f21a1e0cbd9e4c613a3c20850bfd0bba78358e4289258f010b6d3c8c169b7a80998c64c
- SSDEEP
  
  768:Xf+vj1VHjoFW+gh2vHa0uTbPKYlNnYVbUnWfTMuRqj2O4sO2ieFZ0F:G71NoFhDHaT/CukbUWdfO4LFeP0F
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe
- Size
  
  865KB
- MD5
  
  dbf3707a9cd090853a11dda9cfa78ff0
- SHA1
  
  5af5403d8e003812a34c7b085d878680d7130ad5
- SHA256
  
  78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669
- SHA512
  
  68b1627ed20e6980c32c44df3560fc3eeed37db2c47caaf8db86461c594a5d040a7404be777374af512fe05fcdc2f15a6014a914b1445c2e23adb741db68c7e0
- SSDEEP
  
  12288:SCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga+Q9bN9jQl:SCdxte/80jYLT3U1jfsWa+QpN9jQl
Score

9^/10

discovery persistence ransomware spyware stealer
- Renames multiple (340) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral10 behavioral9
- Target
  
  7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f_not_packed_maybe_useless.exe
- Size
  
  54KB
- MD5
  
  e0c70373ea59baa4422771dde804a21c
- SHA1
  
  d9708f709a0e7ad070ee34b4065437e400e5bdd9
- SHA256
  
  7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f
- SHA512
  
  c9a6b94d091a48d1a294953226fca00089dbf266f81fa60481f9ca468f7c3e9a2460bdd384b070dd6ae8bb778fb0737e196a1870e6f550645b9192f78e9763fa
- SSDEEP
  
  768:zchho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPIxPaq77ti:wjoDMYwEINR8j/Yu2pqOd77hPl
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral11 behavioral12
- Target
  
  7B75B33BCF4ECF013B93F84ED98B3FB5.exe
- Size
  
  214KB
- MD5
  
  7b75b33bcf4ecf013b93f84ed98b3fb5
- SHA1
  
  7be5f5dcf6b9519c0f8c8071503b7f5dd66b6386
- SHA256
  
  74aa7b73b46d7bd7bc53cb44add9ec8172f2de7831d045e33db06e2d6b916edf
- SHA512
  
  96e1253358db1f724b381f9e1e416cc35bf44d94505e8b86508676f997b44be65d3c33c22df9c004652a34170e48805f9b7ba6f2703dd287e8c770cb426c5114
- SSDEEP
  
  3072:5W1M+lmsolAIrRuw+mqv9j1MWLQFPBCM+lmsolAIrRuw+mqv9j1MWLQlL:5J+lDAAIv+lDAAmL
Score

1^/10
behavioral13 behavioral14
- Target
  
  7E3903944EAB7B61B495572BAA60FB72.EXE
- Size
  
  228KB
- MD5
  
  7e3903944eab7b61b495572baa60fb72
- SHA1
  
  116930517baab6bdb0829990a43af54d155f5332
- SHA256
  
  06e921abf28c4b260c59d61d84a74c3a5dc12ac99a34110ca5480ce61689385c
- SHA512
  
  0e29eaea245dd0068d44ff016c5da65396e5ad94aa79fcbe3cb187666b7b21890b22e2a13ac57e4bcfcf39436a7c5fa53a5470a8fae6de7215f297b82ea62ad5
- SSDEEP
  
  3072:RKR+u1vFeb+pknH46ZjbVxltW8wylYJiocMor+ROYJPR+9RbA8D79qiNFwEQ7:R4Z19dknH4yFhtocMO+kYlI9tdJmr
Score

7^/10

discovery
- Deletes itself
- Drops file in System32 directory
behavioral15 behavioral16
- Target
  
  7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca.exe
- Size
  
  602KB
- MD5
  
  ae38213715e758e3c296715f1ec25aea
- SHA1
  
  bf0d7b7d8ab11536e25235f7c18901c9be65fae1
- SHA256
  
  7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca
- SHA512
  
  fd0bbeaff08301f6e26c878ef59d7be964533075f1b1c6f93f3a03bee048f4587f44fef96cffe709f5f0511b81edeb4d64878be7b6852f5a14aa3318c9ed15e7
- SSDEEP
  
  12288:6oHEHblpWz0jPLhEfgP6WMDoEuY7jVWv:6vZPLWffWMDo+7Jc
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
- Size
  
  161KB
- MD5
  
  517d709b1b99fa87ddfe61950a93cf5c
- SHA1
  
  2b6da3641ad3c13be272c7e66c938afd5879d65f
- SHA256
  
  7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f
- SHA512
  
  e23c60821e71704ab77ed8031b025b6ec9065479b766ca9fce2d4e93f1e4e66f7ed821d161890dfd87306408917c82514aaf96506cfc335e2c0bd1166fd1809f
- SSDEEP
  
  3072:+dhOdhhyAbz6XdKWf4xEE1ODDl9oz4ilUEPllLBDlWz:+dhw1CZJEQXl9o05EDLBlWz
Score

9^/10

defense_evasion discovery execution impact persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_Dumped_TDS=4F9911B3.exe
- Size
  
  116KB
- MD5
  
  5a580ab3f5b3806da853459e9ef7b368
- SHA1
  
  df93c0f0dd694ab49646b539418b67d83eafccb5
- SHA256
  
  5f60eed8e27867c843387fe7fece3af688586a40c8d3dd2c27647b23cc200fdc
- SHA512
  
  91ecd8f00f4cd6c7d199eb365cb7cfa414bcab41b144fe7a5f43529e560201a81284cdb3a3d18d252e2eb4429a67f2db5718eacc8bf1eeb072958c0a4be20a3b
- SSDEEP
  
  1536:tf/YvFSSZtDgN+DrDkDEFtCwbfF89lGL+vpCYC:Z/Yv0SZtDgN+Dr+ErbfF89llpTC
Score

10^/10

persistence discovery
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral21 behavioral22
- Target
  
  80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_TDS=4FAAF59A.exe
- Size
  
  68KB
- MD5
  
  b1024afccaf9847146e611beab995356
- SHA1
  
  310a31da48325cea02182158efe0daa2ac6b451d
- SHA256
  
  80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2
- SHA512
  
  164d5b81008251a454e0cc18ebbaaa3c1ce9f3dd24d45650359db5e4b30f00bd889f88333b2290e86667aa00296dea57f7b016d85f79ba12ea38eb6bd1342244
- SSDEEP
  
  1536:h3C4HGFE94jwEG/eO5VEx70AwAWkH+/z13+QDmsrxwSX:hNoESj8p5OeFAWp7p+Qbxr
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral23 behavioral24
- Target
  
  845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
- Size
  
  246KB
- MD5
  
  7f61ab7160ccea4f69fed025fbbfdb30
- SHA1
  
  88d06d4124bca680bf28dde09cc1c3995002eef3
- SHA256
  
  845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8
- SHA512
  
  8ff46db7d1bfddef6bab676c1439207a7b755280720bf83406d95a700eac364ef667978a7e538cc3d6e2836487b38ddc34df288100b510e32d16f013ffd07d98
- SSDEEP
  
  6144:clmE5hV/XRG4FmeAs32AcNhunE+AWTWk6+wv:2/XRG4FdAs32AeOWk
Score

9^/10

discovery persistence ransomware
- Renames multiple (153) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral25 behavioral26
- Target
  
  85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
- Size
  
  56KB
- MD5
  
  a865cae4f9a553fa100932e8786b80be
- SHA1
  
  1c691b07fa9c59c1eb6a993723887a9ac08b301c
- SHA256
  
  85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f
- SHA512
  
  df149155fc97c72f9401826f614dfb16edbf982b64c6fb3d7302526cd9c4ee8368dcfdc666c1c1fe2a522115176042f135723e9390ed4755fb35b4ebddc263e2
- SSDEEP
  
  768:9Wf9/O9lXRyz4M9XyTm/O94NOYXkGQ40d4Wg/i+Pet+F/O9LiAU3UF3333efYZCz:9EmRyz4gOmxNOYXF+yzTPSwjH33wk
Score

6^/10

discovery persistence
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral27 behavioral28
- Target
  
  86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439.exe
- Size
  
  37KB
- MD5
  
  406588f62853601a4f0381ad537b51ca
- SHA1
  
  a4a5602c1446a61c653a7bf8ad89558b4761ce71
- SHA256
  
  86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439
- SHA512
  
  28e019a091c309bb732fa0f3782c763a333ae95e7cfed86424950dac658297e862d707de1328fe50dc8ac2372832c93e6e131db79bf9c9fa91ae58da1fba0bfc
- SSDEEP
  
  768:hLNLdNY8E+pRqAyQ3ipHbEMsm/IqJRDftP5IM05kHZnJ6zZQufB9wZOKh2h1:Ij+pRqAyQ3ipHbEMsm/IqJR3IP54JhA9
Score

6^/10

discovery persistence
- Adds Run key to start application
  persistence
behavioral29 behavioral30
- Target
  
  8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_Dumped_TDS=4F83FCDA.exe
- Size
  
  116KB
- MD5
  
  3444e41067c52192e3ee1e5f57ddd393
- SHA1
  
  cccd89e09c2391f7e6bb8cb972c364bc27cad61d
- SHA256
  
  d03d3d4eab25c38eef57493c7494d3a1ffd0147e1fcb2730a97d9b826e15e799
- SHA512
  
  81a6729a11b5626fc49bbcdc2988a2a1de0fe9b1805d5ac9271666a12b81a40f4ce932b51014a21f262fd677773a010894deae3b7bc13ab85d142647662b281e
- SSDEEP
  
  1536:MnUfv0+ZXqm3S+DQNn1Bp/GpL7F6iCINF8nqZULCYk:Mn6v0+ZX5S+DQ11Bx67FZNF8nqWLTk
Score

10^/10

discovery persistence
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Tasks

Sharing

General

Malware Config

Targets

Renames multiple (786) files with added filename extension

Drops file in Drivers directory

Drops startup file

Reads user/profile data of web browsers

Drops file in System32 directory

Modifies WinLogon for persistence

Checks computer location settings

Adds Run key to start application

Modifies WinLogon for persistence

Checks computer location settings

Adds Run key to start application

Checks computer location settings

Adds Run key to start application

Renames multiple (340) files with added filename extension

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

AutoIT Executable

Checks computer location settings

Deletes itself

Drops file in System32 directory

Deletes shadow copies

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Modifies WinLogon for persistence

Checks computer location settings

Adds Run key to start application

Checks computer location settings

Adds Run key to start application

Renames multiple (153) files with added filename extension

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Adds Run key to start application

Looks up external IP address via web service

Adds Run key to start application

Modifies WinLogon for persistence

Checks computer location settings

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28