blackmoon | 932f8e8c2938e0d4e0f0fb281a977daef09e0b226579ff6fea60785b202e040d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932f8e8c2938e0d4e0f0fb281a977daef09e0b226579ff6fea60785b202e040d.dll
Size

144KB
MD5

11b9855495b77a991db6e8728bc45f58
SHA1

9af6c0a5d31a9e83f794e8e65debca93582c138d
SHA256

932f8e8c2938e0d4e0f0fb281a977daef09e0b226579ff6fea60785b202e040d
SHA512

a3dfbb7d57b6c6348538f62c55ef09e60a9b6c89136189f3688f8b4a498e3aee9538876cb197b3e0587c3feb8394f5301468d8a1aa988122d7299664042a0077
SSDEEP

3072:S5VK0lTSG9xoC+CQpiU5M+U3mjfv2JxhGtB90N4wU:N0T9xB+CUQmjfvIxhGtBWNs

Score

10^/10

blackmoon gh0strat banker discovery rat trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/memory/2864-25-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2864-53-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2864-13597-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2864-13599-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/files/0x0008000000016a66-13600.dat	family_blackmoon

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/2684-5-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2684-3-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2684-2-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2684-7-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2684-9-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2684-10-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2864	MpMgSvc.exe
5248	Eternalblue-2.2.0.exe
4816	Eternalblue-2.2.0.exe
5324	Wmicc.exe
7176	GetPassword.exe

Loads dropped DLL 26 IoCs

pid	Process
2684	svchost.exe
2684	svchost.exe
2864	MpMgSvc.exe
2864	MpMgSvc.exe
5248	Eternalblue-2.2.0.exe
5248	Eternalblue-2.2.0.exe
5248	Eternalblue-2.2.0.exe
5248	Eternalblue-2.2.0.exe
5248	Eternalblue-2.2.0.exe
5248	Eternalblue-2.2.0.exe
5248	Eternalblue-2.2.0.exe
5248	Eternalblue-2.2.0.exe
5248	Eternalblue-2.2.0.exe
2864	MpMgSvc.exe
4816	Eternalblue-2.2.0.exe
4816	Eternalblue-2.2.0.exe
4816	Eternalblue-2.2.0.exe
4816	Eternalblue-2.2.0.exe
4816	Eternalblue-2.2.0.exe
4816	Eternalblue-2.2.0.exe
4816	Eternalblue-2.2.0.exe
4816	Eternalblue-2.2.0.exe
4816	Eternalblue-2.2.0.exe
2864	MpMgSvc.exe
2864	MpMgSvc.exe
7196	cmd.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 2684	3028	rundll32.exe	30

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0036000000016560-15.dat	upx
behavioral1/memory/2864-25-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2864-53-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2864-13597-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2864-13599-0x0000000000400000-0x0000000000D25000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eternalblue-2.2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wmicc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpMgSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eternalblue-2.2.0.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2864	MpMgSvc.exe
2864	MpMgSvc.exe
2864	MpMgSvc.exe
2864	MpMgSvc.exe
2864	MpMgSvc.exe
2864	MpMgSvc.exe
2864	MpMgSvc.exe
2864	MpMgSvc.exe
2864	MpMgSvc.exe
7176	GetPassword.exe
7176	GetPassword.exe
7176	GetPassword.exe
7176	GetPassword.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	7176	GetPassword.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2864	MpMgSvc.exe
2864	MpMgSvc.exe
5324	Wmicc.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2684	3028	rundll32.exe	30
PID 3028 wrote to memory of 2684	3028	rundll32.exe	30
PID 3028 wrote to memory of 2684	3028	rundll32.exe	30
PID 3028 wrote to memory of 2684	3028	rundll32.exe	30
PID 3028 wrote to memory of 2684	3028	rundll32.exe	30
PID 3028 wrote to memory of 2684	3028	rundll32.exe	30
PID 3028 wrote to memory of 2684	3028	rundll32.exe	30
PID 3028 wrote to memory of 2684	3028	rundll32.exe	30
PID 3028 wrote to memory of 2684	3028	rundll32.exe	30
PID 2684 wrote to memory of 2864	2684	svchost.exe	33
PID 2684 wrote to memory of 2864	2684	svchost.exe	33
PID 2684 wrote to memory of 2864	2684	svchost.exe	33
PID 2684 wrote to memory of 2864	2684	svchost.exe	33
PID 2864 wrote to memory of 5248	2864	MpMgSvc.exe	34
PID 2864 wrote to memory of 5248	2864	MpMgSvc.exe	34
PID 2864 wrote to memory of 5248	2864	MpMgSvc.exe	34
PID 2864 wrote to memory of 5248	2864	MpMgSvc.exe	34
PID 2864 wrote to memory of 4816	2864	MpMgSvc.exe	36
PID 2864 wrote to memory of 4816	2864	MpMgSvc.exe	36
PID 2864 wrote to memory of 4816	2864	MpMgSvc.exe	36
PID 2864 wrote to memory of 4816	2864	MpMgSvc.exe	36
PID 2864 wrote to memory of 5324	2864	MpMgSvc.exe	38
PID 2864 wrote to memory of 5324	2864	MpMgSvc.exe	38
PID 2864 wrote to memory of 5324	2864	MpMgSvc.exe	38
PID 2864 wrote to memory of 5324	2864	MpMgSvc.exe	38
PID 5324 wrote to memory of 7196	5324	Wmicc.exe	39
PID 5324 wrote to memory of 7196	5324	Wmicc.exe	39
PID 5324 wrote to memory of 7196	5324	Wmicc.exe	39
PID 5324 wrote to memory of 7196	5324	Wmicc.exe	39
PID 7196 wrote to memory of 7176	7196	cmd.exe	41
PID 7196 wrote to memory of 7176	7196	cmd.exe	41
PID 7196 wrote to memory of 7176	7196	cmd.exe	41
PID 7196 wrote to memory of 7176	7196	cmd.exe	41

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\932f8e8c2938e0d4e0f0fb281a977daef09e0b226579ff6fea60785b202e040d.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\WINDOWS\Temp\MpMgSvc.exe
    "C:\WINDOWS\Temp\MpMgSvc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
      Eternalblue-2.2.0.exe --TargetIp 10.127.0.192 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5248
  - - C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
      Eternalblue-2.2.0.exe --TargetIp 10.127.0.192 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4816
  - - C:\Windows\Temp\Wmicc.exe
      "C:\Windows\Temp\Wmicc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5324
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c C:\Windows\Temp\GetPassword.exe >C:\Windows\Temp\PWD.txt
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:7196
      - C:\Windows\Temp\GetPassword.exe
        
        C:\Windows\Temp\GetPassword.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\Eternalblue-2.2.0.xml

Filesize
7KB

MD5
497080fed2000e8b49ee2e97e54036b1

SHA1
4af3fae881a80355dd09df6e736203c30c4faac5

SHA256
756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380

SHA512
4f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df

Download Submit
C:\Windows\Temp\GetPassword.exe

Filesize
494KB

MD5
5b6a804db0c5733d331eb126048ca73b

SHA1
f18c5acae63457ad26565d663467fa5a7fbfbee4

SHA256
5bec6b3bc6f8cbda50a8c5195a488cc82d2e00f18ec75640db31b2376a6db9f9

SHA512
ba6424051ab9f650967cc2ba428fd6a02ccda8f99d8b8e3f5f321a5e6bbf79a22bfc9cdd582c44980470ebbb7aea1b811fd69aab6bf51466a803c7c722fcde26

Download Submit
C:\Windows\Temp\MpMgSvc.exe

Filesize
3.2MB

MD5
3809c59565787ee7398fe9222d4bd669

SHA1
68842768c9ae9deb1d1d7ed2b27846c392b47103

SHA256
c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

SHA512
2f78ad26acfe15f4682b69090704fa8ebb24938c8a58b8d343ef0993e8234897aed53dfcea4119168f915384fe545d2cbb16bc12339d0600dafae06deefc9098

Download Submit
C:\Windows\Temp\ip.txt

Filesize
6KB

MD5
e00a3b120741f4590bdbf352ed4c7854

SHA1
99806a97c9fcc9015f63dec02bfbc1add4d199e2

SHA256
397cd43bb45cb1237bc17d1ef44ba15c0baa0bfa88ebbe65d105b961f0b9f160

SHA512
af39bb2a1329322fbf4206625104f383d88439b611bc3d18a00d19ff0a29f9b8ba9f5f6942ccf01c0fc87cf5218ced800d05015bdf8a40dc159e9406ff592f2b

Download Submit
C:\Windows\Temp\ip.txt

Filesize
818B

MD5
db37fe2c0d82bad06d41d530093bd350

SHA1
f59120a5c84462a8857103b4ba6fa7de8b987226

SHA256
517c60d2b4478ca0cf42f70b39837f6fd3cec9a0b7eda9d2e2555ff298ca2e83

SHA512
079a5a5f43b63eac12b8781ea7e246a821652868357603189504abb9dd11a6cdb727a230402be539c1c7db1353916ca64fe784fa55a39519380c91ebcecd502c

Download Submit
\Windows\Temp\Eternalblue-2.2.0.exe

Filesize
126KB

MD5
8c80dd97c37525927c1e549cb59bcbf3

SHA1
4e80fa7d98c8e87facecdef0fc7de0d957d809e1

SHA256
85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

SHA512
50e9a3b950bbd56ff9654f9c2758721b181e7891384fb37e4836cf78422399a07e6b0bfab16350e35eb2a13c4d07b5ce8d4192fd864fb9aaa9602c7978d2d35e

Download Submit
\Windows\Temp\Wmicc.exe

Filesize
1.4MB

MD5
4935b75f2a23d38527cf3821c9d9dac3

SHA1
f17aa56215ab7b90da00f048fe30d39a2d671b5d

SHA256
dd2d7b07e9091590ae60b42022956319bbbbd51b457ea214fb475ecc3e9156f8

SHA512
348e041104de20b0850b19db1ebb88ae0b65ecd1695f1ade47e099d62da9cec983a1a73e7fc657509b4fc58496784e0c1681bf46265477b75fdfab440c41acbd

Download Submit
\Windows\Temp\coli-0.dll

Filesize
15KB

MD5
3c2fe2dbdf09cfa869344fdb53307cb2

SHA1
b67a8475e6076a24066b7cb6b36d307244bb741f

SHA256
0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887

SHA512
d6b819643108446b1739cbcb8d5c87e05875d7c1989d03975575c7d808f715ddcce94480860828210970cec8b775c14ee955f99bd6e16f9a32b1d5dafd82dc8c

Download Submit
\Windows\Temp\exma-1.dll

Filesize
10KB

MD5
ba629216db6cf7c0c720054b0c9a13f3

SHA1
37bb800b2bb812d4430e2510f14b5b717099abaa

SHA256
15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9

SHA512
c4f116701798f210d347726680419fd85880a8dc12bf78075be6b655f056a17e0a940b28bbc9a5a78fac99e3bb99003240948ed878d75b848854d1f9e5768ec9

Download Submit
\Windows\Temp\libxml2.dll

Filesize
807KB

MD5
9a5cec05e9c158cbc51cdc972693363d

SHA1
ca4d1bb44c64a85871944f3913ca6ccddfa2dc04

SHA256
aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3

SHA512
8af997c3095d728fe95eeedfec23b5d4a9f2ea0a8945f8c136cda3128c17acb0a6e45345637cf1d7a5836aaa83641016c50dbb59461a5a3fb7b302c2c60dfc94

Download Submit
\Windows\Temp\posh-0.dll

Filesize
11KB

MD5
2f0a52ce4f445c6e656ecebbcaceade5

SHA1
35493e06b0b2cdab2211c0fc02286f45d5e2606d

SHA256
cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb

SHA512
88151ce5c89c96c4bb086d188f044fa2d66d64d0811e622f35dceaadfa2c7c7c084dd8afb5f774e8ad93ca2475cc3cba60ba36818b5cfb4a472fc9ceef1b9da1

Download Submit
\Windows\Temp\tibe-2.dll

Filesize
232KB

MD5
f0881d5a7f75389deba3eff3f4df09ac

SHA1
8404f2776fa8f7f8eaffb7a1859c19b0817b147a

SHA256
ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362

SHA512
f266baecae0840c365fe537289a8bf05323d048ef3451ebffbe75129719c1856022b4bddd225b85b6661bbe4b2c7ac336aa9efdeb26a91a0be08c66a9e3fe97e

Download Submit
\Windows\Temp\trch-1.dll

Filesize
58KB

MD5
838ceb02081ac27de43da56bec20fc76

SHA1
972ab587cdb63c8263eb977f10977fd7d27ecf7b

SHA256
0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f

SHA512
bcca9e1e2f84929bf513f26cc2a7dc91f066e775ef1d34b0fb00a54c8521de55ef8c81f796c7970d5237cdeab4572dedfd2b138d21183cb19d2225bdb0362a22

Download Submit
\Windows\Temp\trfo-2.dll

Filesize
29KB

MD5
3e89c56056e5525bf4d9e52b28fbbca7

SHA1
08f93ab25190a44c4e29bee5e8aacecc90dab80c

SHA256
b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa

SHA512
32487c6bca48a989d48fa7b362381fadd0209fdcc8e837f2008f16c4b52ab4830942b2e0aa1fb18dbec7fce189bb9a6d40f362a6c2b4f44649bd98557ecddbb6

Download Submit
\Windows\Temp\tucl-1.dll

Filesize
9KB

MD5
83076104ae977d850d1e015704e5730a

SHA1
776e7079734bc4817e3af0049f42524404a55310

SHA256
cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12

SHA512
bd1e6c99308c128a07fbb0c05e3a09dbcf4cec91326148439210077d09992ebf25403f6656a49d79ad2151c2e61e6532108fed12727c41103df3d7a2b1ba82f8

Download Submit
\Windows\Temp\ucl.dll

Filesize
57KB

MD5
6b7276e4aa7a1e50735d2f6923b40de4

SHA1
db8603ac6cac7eb3690f67af7b8d081aa9ce3075

SHA256
f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a

SHA512
58e65ce3a5bcb65f056856cfda06462d3fbce4d625a76526107977fd7a44d93cfc16de5f9952b8fcff7049a7556b0d35de0aa02de736f0daeec1e41d02a20daa

Download Submit
memory/2684-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-52-0x0000000003300000-0x0000000003C25000-memory.dmp

Filesize
9.1MB

Download
memory/2684-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-23-0x0000000003300000-0x0000000003C25000-memory.dmp

Filesize
9.1MB

Download
memory/2684-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2684-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-24-0x0000000003300000-0x0000000003C25000-memory.dmp

Filesize
9.1MB

Download
memory/2864-13599-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2864-13597-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2864-53-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2864-25-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4816-13596-0x0000000000100000-0x0000000000111000-memory.dmp

Filesize
68KB

Download
memory/5248-13580-0x0000000000070000-0x0000000000081000-memory.dmp

Filesize
68KB

Download