blackmoon | 8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe
Size

428KB
MD5

57d9cd802b072b498a6ba575d0c3bcf7
SHA1

b84e7b8058c12740a2d17f07c791f9a14717ff17
SHA256

8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746
SHA512

91b1ea7f456077422527b7c7460f7b877f00ec7cfa1aac13d20197d82cebc57b370c000b03e3a9921e80387a8391106463b01c033888a480a753003efe4b6291
SSDEEP

6144:kvk3Q5ibjnNuuXckaL7pbRBkce97awj7L7orT/V:kvMQ5ibjnwka3pbRC19Gwj7orT/V

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2580-0-0x0000000000400000-0x000000000046D000-memory.dmp	family_blackmoon
behavioral1/memory/2580-7-0x0000000000400000-0x000000000046D000-memory.dmp	family_blackmoon
behavioral1/files/0x0007000000018b50-9.dat	family_blackmoon
behavioral1/memory/2712-18-0x0000000000400000-0x000000000046D000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

Processes:

Systemswrof.exe

pid	Process
2712	Systemswrof.exe

Executes dropped EXE 1 IoCs

Processes:

Systemswrof.exe

pid	Process
2712	Systemswrof.exe

Loads dropped DLL 2 IoCs

Processes:

8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe

pid	Process
2580	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe
2580	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2580-0-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2580-7-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/files/0x0007000000018b50-9.dat	upx
behavioral1/memory/2712-18-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exeSystemswrof.exe

pid	Process
2580	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe
2580	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe
2580	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe
2580	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe
2580	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe
2580	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe
2712	Systemswrof.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe

description	pid	Process	procid_target
PID 2580 wrote to memory of 2712	2580	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe	31
PID 2580 wrote to memory of 2712	2580	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe	31
PID 2580 wrote to memory of 2712	2580	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe	31
PID 2580 wrote to memory of 2712	2580	8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe	31

C:\Users\Admin\AppData\Local\Temp\8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe
"C:\Users\Admin\AppData\Local\Temp\8a937a9e7155c41000b719fbe7fb814a756b5460278665fae0cee3d2858b4746.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\Systemswrof.exe
  "C:\Users\Admin\AppData\Local\Temp\Systemswrof.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fpath.ini

Filesize
102B

MD5
53c04b0893f3e0f0a72009bec45e9a96

SHA1
9a72dee664cbe3fe54618187c15aba50b178a0cc

SHA256
eb232d650eb05100e5e24fac9d375a836b33643037626da1e0e81d6f43288fbc

SHA512
21e10de9e20ec0323dda76d9657e833715875052740eb2a320efdece6dafadfbf9f497fc0f3d22a9e18617a5f50048587b6daa1530ed69471b7aa118de484009

Download Submit
\Users\Admin\AppData\Local\Temp\Systemswrof.exe

Filesize
428KB

MD5
6cdcb96f901c39d6097ba55961021a80

SHA1
0f42c9fc0e69d892b9626260be39a477bcd6b2fd

SHA256
80b483b86457b27c9b5a7611a303cb304bae86067dfe76bdd3475d318a18bc2c

SHA512
16c0f24152a7660009fa7d3db58bcda68f8a0b2c5ada00e6e6f909bcfe5592ce94c3434ff3252f730ea8bcac81f67f7c9e17da355175b82048cc398a236cd2c8

Download Submit
memory/2580-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2580-7-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2712-18-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download