blackmoon | 08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a

Analysis

max time kernel
119s
max time network
100s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe
Size

407KB
MD5

ea674bd1692f4fb8a0cd801bcef0d469
SHA1

f422c27a1ab1c73d1eb426169eb858ead0184019
SHA256

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a
SHA512

5ff2f47a7d23f6dfe38e79371c22fd2e0571a9a56dab5e87c9a79c4176840f6e6026264446768206ae7bd684fb8931cd86778c4592d3c9feebfbe31ca8cbc4ea
SSDEEP

6144:K5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zIydenCU:K5/Q58drihGiLhmGNiZsx0B/zIkenCU

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2892-0-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral1/memory/2892-29-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral1/files/0x000500000001a03c-36.dat	family_blackmoon
behavioral1/memory/2892-57-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral1/memory/2024-67-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

Sysceamrilvz.exe

pid	Process
2024	Sysceamrilvz.exe

Loads dropped DLL 2 IoCs

Processes:

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

pid	Process
2892	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe
2892	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2892-0-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2892-29-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/files/0x000500000001a03c-36.dat	upx
behavioral1/memory/2892-57-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2024-67-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exeSysceamrilvz.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamrilvz.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sysceamrilvz.exe

pid	Process
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe
2024	Sysceamrilvz.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

description	pid	Process	procid_target
PID 2892 wrote to memory of 2024	2892	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe	31
PID 2892 wrote to memory of 2024	2892	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe	31
PID 2892 wrote to memory of 2024	2892	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe	31
PID 2892 wrote to memory of 2024	2892	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe	31

C:\Users\Admin\AppData\Local\Temp\08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe
"C:\Users\Admin\AppData\Local\Temp\08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\Sysceamrilvz.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamrilvz.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
5a4c0fd5d1eba994934539e997d0c905

SHA1
be11fecbbbb4f1a743b147267186220c635fc99c

SHA256
1ab20cdd5171ca71b45820d3007362656a4688ad3e24a307aa21efcf1e19c4d6

SHA512
a48f8b011fe1da57723efaeeb2fee18527a419fd94efa3868c9878a7c0e2a044c555841294626af26fef26b40fe61cdab2eacf32ea9e9d42bf9408499267d6eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
46f7b237bbb75ef043afad3d23908529

SHA1
d5499c1a4f2a6dd24eb24514a213013718034141

SHA256
a10541ed19a2ab59d094527e04de33f0eb5ace547d65287c300745d1b6b31dd2

SHA512
0d84281bc79bbfd2e81f001227c8eeac24e33806e66e2589050420b2694b67aa3170d0a9aa26d075e8b6a24f22808a66fc4b919b3af4a8ce745e046fe7a1f77e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
fb5feb48eafcb383086dca8aca4025f6

SHA1
97084d331e2e419a59dc39d5c7ed598e1ebb79f2

SHA256
6a6960a25637c3b8482de1c3b478252202d8e9b46d51e175d4b8ec1e43b616d6

SHA512
c8614c044cbc3fd462849253acf982fe8309b46ed38d9e84c3995faf4c977f50d5793a4d5cc3fddce5dd13210b142d71015af47a156933289d32e8084a0c29d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
5c8a1edf01986ababf189a2c80b73b43

SHA1
9d55b37038a34f1df9d1ab8e92f4a7083d0bcb9e

SHA256
6c2db32803a6e378106fcc6143fdb61a072d4197b755ac61165bded0b15c608c

SHA512
30692b1dac4d64064cb85b6548c4fcecd9c489a968b9ce7f8d09948ac7bf9349fd908c7592cc5f575b01636edeb800b4222423c91dab01c3c7c45368c31b57fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
8c5b836b667e46d835de9c73f33c11e2

SHA1
4e6b059397ccb863d61871e9bae4061fecb7e7a3

SHA256
06ccff4e8ad81dac582b2c37cb030f600868887fff0b07ad7d0572decb2ce442

SHA512
305ebd82b161acd7b99be58af555f6931b75ca1f5b403268ea393503a01dc110a403934ce0e5a82f4686a1219cc3bd159090af78eb3aac9653c9aac83e6fb5fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
dc874303cc8b797ede0160a66e064ded

SHA1
06daafddecb6601af1d89038e3590f0603e35faf

SHA256
8e8f419944aa122df3bb1dc16d94de3034c4557b669dfc989a0929643acc531f

SHA512
67041cda1a0086a6d3f1655b5aad541e6a6571509faf4aab816b5f8432e03966cca291decfd9b8093d16bdf253d0408171a5b16d9a3699d3f8defa98fa8a2aae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c772bb12a100dabcf5a3072c3f84817a

SHA1
b61f8d9200ac8b3050ba293755c79b0828ce4c68

SHA256
2cd27c08ae2c30b96b01bddc70fd60b8c4c5b0517a0521ce1c7a97e861961dcc

SHA512
f46298ca3527377a51f61ae307770cf950f003e955f5be8cb6e1ad535c988f173d1dfa81fb0a008bef9ee1ab9d3381427f3212ff888d982255881c8e747f5379

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
5ff1cf05414fcedc84a6bd1546b0457b

SHA1
4e1c6e4591c71a1daa13f271ebe3bbfa7cdd3a32

SHA256
01be8621dff483ed2ab3b6bcaf5017d12545ff68785ea2b356449a352a64678d

SHA512
24532592ee1a9e05b57531244ad41ade8ebf131e6b32de955a36d2e37e3dd7a26678566c313eb4a3b20db934a371db93259ce4ce02dcba26117344478345d938

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
8707a451e50bfd610e47697c3b699690

SHA1
6cb1189e926266b16fec6ac0574a51daf297eb2f

SHA256
1346631db1911277bef7f95a896cc69d1be6415d68ee5c0494ff0137d3ad172f

SHA512
9d4970ae73f2c7c00f4ff8ec0f54dec91b7ed5a4694ca60afc85ae6c6dc9046b363bfb8ebf3335dfdcf66b4117c79fa2ee5d8a76a01fe2202213ab7aae15b433

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA2C5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
cc98b9dbfcbd0dc77cc761187366936c

SHA1
d53cb8343edec65b0477f6259bfedef7c5a058cc

SHA256
aa96018c74edf48e6f350ce38ef988cf8b511dc5e49263d3ba08f318bdcd0189

SHA512
d695bd348fac90e7f69d9aa144cba9d2b7f1bc513275b5e5d04e6dd98be27cedf6890fcad3d69a9b86c9d490838fbeab8ec6bf22dd9323cb763eab70ac33eadb

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamrilvz.exe

Filesize
407KB

MD5
26fb198b790ad6cc5ca2f50ad40d1d36

SHA1
cc61e0b6d409ad9da91ac3bee02f99c4cf7af1f9

SHA256
c6c988f46c4038f2d19a4d28957866e6d9d06e423563fc745a218db56774033d

SHA512
060c64ddf1e4f553b5ce50bc33e1abe9fe4bc47f91ce2ed4c1eead5650bb37d443f9d27c94a580934c31af157a13a8165474f02b7fcca18a7bd4182ee4f3e735

Download Submit
memory/2024-67-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2892-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2892-42-0x0000000003D80000-0x0000000003DE9000-memory.dmp

Filesize
420KB

Download
memory/2892-57-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2892-29-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download