blackmoon | 6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879d

Resubmissions

24-11-2024 01:25

241124-btevjssrar 10

24-11-2024 01:23

241124-brw12ssqck 10

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
Size

432KB
MD5

2b5b05df13edf4365db93eb3f5825120
SHA1

1f9058c9ea15ccd423083d840393f76562ea6bd1
SHA256

6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879d
SHA512

e00685b2118540be29fd7d8c74294938a9b42e0e1241101064792d403ec73f302d2ef30ccacc500b058c699822f33b1a3d1d0c0203ec088551920885b980a802
SSDEEP

3072:TVmHpJqu0Vh6jw/fmZmRMpVuWwP5tOcQfgdVqYHKjoS1HwZCFjTPG1UFNE2XCKUc:TcHpJfHElepVuWwP5YcQfg8J+ojCKC+N

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b97-8.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe

Deletes itself 1 IoCs

pid	Process
2384	Systemharwx.exe

Executes dropped EXE 1 IoCs

pid	Process
2384	Systemharwx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Systemharwx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe
2384	Systemharwx.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2384	3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe	88
PID 3444 wrote to memory of 2384	3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe	88
PID 3444 wrote to memory of 2384	3444	6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe	88

C:\Users\Admin\AppData\Local\Temp\6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe
"C:\Users\Admin\AppData\Local\Temp\6131f6137485449cb0f06db7c3ab3b63b1c1194996cbe911f819d6e1d592879dN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\Systemharwx.exe
  "C:\Users\Admin\AppData\Local\Temp\Systemharwx.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Systemharwx.exe

Filesize
432KB

MD5
78cfd0f8b8a0f7444463d809206c36ad

SHA1
0f3be45b66efe4dda163d67837e83590cf746daf

SHA256
4a649ddf6832d35fa5a0cafc9d05a2427ed4cf449b11faeca5c9e757560e152e

SHA512
eea3216ca115d5a5e9f065648918e8c38b2e9c074ff23efcccb5f01780ac71c2e49795eaba4d41cd309cfa480ab1d6349ae25c41a82aefbabe4b5a37b7ad4777

Download Submit
C:\Users\Admin\AppData\Local\Temp\path.ini

Filesize
103B

MD5
5b5ad41fa3e0f5d5368609493778c565

SHA1
9bb8e293e8225f420dbc99e8368abaceca03ecbe

SHA256
b122c2d3a1a3e1a65070416dc788c83dd964792d7e4a050f461d0f4562e4b7ba

SHA512
13c64374c62395572b8ee1ef736ecbe41f009297bda4ae92386def80e47d96c62b4fd7b0c23976df3410111b691c43c3565ef72658f9266673a0f3a246f94442

Download Submit