blackmoon | 932f8e8c2938e0d4e0f0fb281a977daef09e0b226579ff6fea60785b202e040d

General

Target

932f8e8c2938e0d4e0f0fb281a977daef09e0b226579ff6fea60785b202e040d.dll
Size

144KB
MD5

11b9855495b77a991db6e8728bc45f58
SHA1

9af6c0a5d31a9e83f794e8e65debca93582c138d
SHA256

932f8e8c2938e0d4e0f0fb281a977daef09e0b226579ff6fea60785b202e040d
SHA512

a3dfbb7d57b6c6348538f62c55ef09e60a9b6c89136189f3688f8b4a498e3aee9538876cb197b3e0587c3feb8394f5301468d8a1aa988122d7299664042a0077
SSDEEP

3072:S5VK0lTSG9xoC+CQpiU5M+U3mjfv2JxhGtB90N4wU:N0T9xB+CUQmjfvIxhGtBWNs

Score

10^/10

blackmoon gh0strat banker discovery rat trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1988-50-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/memory/1988-13551-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/memory/1988-13553-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
C:\Windows\Temp\Wmicc.exe	family_blackmoon
behavioral2/memory/1988-13562-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2992-0-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/memory/2992-2-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/memory/2992-4-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/memory/2992-8-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

MpMgSvc.exeWmicc.exeGetPassword.exe

pid process

1988 MpMgSvc.exe
3980 Wmicc.exe
8340 GetPassword.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1988	MpMgSvc.exe
3980	Wmicc.exe
8340	GetPassword.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2168 set thread context of 2992	2168	rundll32.exe	svchost.exe
PID 2168 set thread context of 3176	2168	rundll32.exe	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Temp\MpMgSvc.exe	upx
behavioral2/memory/1988-23-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/1988-50-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/1988-13551-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/1988-13553-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/1988-13562-0x0000000000400000-0x0000000000D25000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.exeMpMgSvc.exeWmicc.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpMgSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wmicc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

MpMgSvc.exeGetPassword.exe

pid process

1988 MpMgSvc.exe
1988 MpMgSvc.exe
1988 MpMgSvc.exe
1988 MpMgSvc.exe
1988 MpMgSvc.exe
1988 MpMgSvc.exe
8340 GetPassword.exe
8340 GetPassword.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GetPassword.exe

description pid process

Token: SeDebugPrivilege 8340 GetPassword.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MpMgSvc.exeWmicc.exe

pid process

1988 MpMgSvc.exe
1988 MpMgSvc.exe
3980 Wmicc.exe

pid	process
1988	MpMgSvc.exe
1988	MpMgSvc.exe
1988	MpMgSvc.exe
1988	MpMgSvc.exe
1988	MpMgSvc.exe
1988	MpMgSvc.exe
8340	GetPassword.exe
8340	GetPassword.exe

description	pid	process
Token: SeDebugPrivilege	8340	GetPassword.exe

pid	process
1988	MpMgSvc.exe
1988	MpMgSvc.exe
3980	Wmicc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

rundll32.exesvchost.exeMpMgSvc.exeWmicc.execmd.exe

description	pid	process	target process
PID 2168 wrote to memory of 1084	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 1084	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 1084	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 2992	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 2992	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 2992	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 2992	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 2992	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 2992	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 2992	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 2992	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 3176	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 3176	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 3176	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 3176	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 3176	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 3176	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 3176	2168	rundll32.exe	svchost.exe
PID 2168 wrote to memory of 3176	2168	rundll32.exe	svchost.exe
PID 2992 wrote to memory of 1988	2992	svchost.exe	MpMgSvc.exe
PID 2992 wrote to memory of 1988	2992	svchost.exe	MpMgSvc.exe
PID 2992 wrote to memory of 1988	2992	svchost.exe	MpMgSvc.exe
PID 1988 wrote to memory of 3980	1988	MpMgSvc.exe	Wmicc.exe
PID 1988 wrote to memory of 3980	1988	MpMgSvc.exe	Wmicc.exe
PID 1988 wrote to memory of 3980	1988	MpMgSvc.exe	Wmicc.exe
PID 3980 wrote to memory of 7964	3980	Wmicc.exe	cmd.exe
PID 3980 wrote to memory of 7964	3980	Wmicc.exe	cmd.exe
PID 3980 wrote to memory of 7964	3980	Wmicc.exe	cmd.exe
PID 7964 wrote to memory of 8340	7964	cmd.exe	GetPassword.exe
PID 7964 wrote to memory of 8340	7964	cmd.exe	GetPassword.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\932f8e8c2938e0d4e0f0fb281a977daef09e0b226579ff6fea60785b202e040d.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:1084
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\WINDOWS\Temp\MpMgSvc.exe
    "C:\WINDOWS\Temp\MpMgSvc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\Temp\Wmicc.exe
      "C:\Windows\Temp\Wmicc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c C:\Windows\Temp\GetPassword.exe >C:\Windows\Temp\PWD.txt
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:7964
      - C:\Windows\Temp\GetPassword.exe
        
        C:\Windows\Temp\GetPassword.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8340
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\GetPassword.exe

Filesize
494KB

MD5
5b6a804db0c5733d331eb126048ca73b

SHA1
f18c5acae63457ad26565d663467fa5a7fbfbee4

SHA256
5bec6b3bc6f8cbda50a8c5195a488cc82d2e00f18ec75640db31b2376a6db9f9

SHA512
ba6424051ab9f650967cc2ba428fd6a02ccda8f99d8b8e3f5f321a5e6bbf79a22bfc9cdd582c44980470ebbb7aea1b811fd69aab6bf51466a803c7c722fcde26

Download Submit
C:\Windows\Temp\MpMgSvc.exe

Filesize
3.2MB

MD5
3809c59565787ee7398fe9222d4bd669

SHA1
68842768c9ae9deb1d1d7ed2b27846c392b47103

SHA256
c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

SHA512
2f78ad26acfe15f4682b69090704fa8ebb24938c8a58b8d343ef0993e8234897aed53dfcea4119168f915384fe545d2cbb16bc12339d0600dafae06deefc9098

Download Submit
C:\Windows\Temp\PWD.txt

Filesize
16B

MD5
f4ee302afbce0b94cd33c6b3941d19e2

SHA1
75f98857186248ac2f9cbd0c3f07d1118b49ee10

SHA256
dfb23411a6872447e75541e6b3067026d10ebc8f76f427a5f69d795498e117f9

SHA512
ca202ca2caf8a1e9596f1187a82cd02a650aea316c9a6bf58c59a23b4922098fe3720301dbe3268514e977a5964dc746f38c862ce4cdc63573d0e69254ea0e77

Download Submit
C:\Windows\Temp\Wmicc.exe

Filesize
1.4MB

MD5
4935b75f2a23d38527cf3821c9d9dac3

SHA1
f17aa56215ab7b90da00f048fe30d39a2d671b5d

SHA256
dd2d7b07e9091590ae60b42022956319bbbbd51b457ea214fb475ecc3e9156f8

SHA512
348e041104de20b0850b19db1ebb88ae0b65ecd1695f1ade47e099d62da9cec983a1a73e7fc657509b4fc58496784e0c1681bf46265477b75fdfab440c41acbd

Download Submit
C:\Windows\Temp\ip.txt

Filesize
180KB

MD5
d9e3466959a8923a2dc3b2e22645804e

SHA1
0e74c646511cd7fde2183016e82ab4f855974d05

SHA256
861882aca2abb7719ee329521f3047e7152c410cf365d4d2ff8d91efe377a9fb

SHA512
8fe842beb27e13b67a3b4196090cffa2aaf44ecf6de4bdf0ca768c435e9b3b109b388077604df0bb1410f2fc333cc694718079dd542198ee4ef4fa1207576625

Download Submit
C:\Windows\Temp\ip.txt

Filesize
4KB

MD5
b1aea2f7173fbe9cc309735c8c3431fc

SHA1
72db68ff75bc554db18494cffa0662349bbf8e21

SHA256
ccc7f7f80b1c6bf9fcf1d18814a3106315d46031b6c3884c110c0a9a2300f097

SHA512
6b0b718ad026884fe995602700c941db4cd65d252bf99f8349d88790ecb7e15dcbb7e4456a5b05f1e8060294a0b4c7bf10f0014ff808720190b972453a66932e

Download Submit
C:\Windows\Temp\ip.txt

Filesize
355B

MD5
bc365afb684b50308bc678b7a00207a2

SHA1
1b3e87b35f0da50ef52d0d2921833e80342899b2

SHA256
db23e2f1e8689b73305787e4f3ac5aa570164aed902d815e1f35f664c1c5eca8

SHA512
03f87d05106e9f20f91a5d69acad18426bbebc9479ac2b7cf8c28b1825b6d8d4984311d3fd8f9d58eeaa20faf7428ae4f38a9ee2c4866dce3912d5f2cfa71329

Download Submit
memory/1988-23-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/1988-13551-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/1988-13553-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/1988-50-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/1988-13562-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2992-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2992-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2992-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2992-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads