blackmoon | 33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2

Analysis

max time kernel
140s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
Size

107KB
MD5

4eb4cf8d874a83cd3b36972c7419d817
SHA1

719f9d537a32280c0203b80f54ce0c5083343226
SHA256

33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2
SHA512

4e0704ee6fe9700efde7728d56b6727b5ff599555c795233a0d8cbcc546dceb4223b25b7f4c558386995fc2a55e17dcfe43bd7b34a622f98c77e1fdd208908a2
SSDEEP

1536:qnTCqOpUwDWHpuFFedUSERPfZnmQJYR3iVeO64MDYewM6CbEjZV5MRigHR3S20Z8:0wUw88FeMVmgYR3VO64MEew9rHml3Y

Score

10^/10

blackmoon fatalrat banker discovery infostealer rat trojan vmprotect

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/3052-3-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackmoon
behavioral1/memory/3052-21-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackmoon
behavioral1/memory/3052-29-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackmoon
behavioral1/memory/3052-71-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackmoon

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat
Fatalrat family
fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1164-63-0x0000000010000000-0x000000001002D000-memory.dmp	fatalrat

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2372	spower.exe
2112	upssvc.exe
1164	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0005000000019353-28.dat	vmprotect
behavioral1/memory/2372-44-0x000000013F6D0000-0x000000013F907000-memory.dmp	vmprotect
behavioral1/memory/2372-35-0x000000013F6D0000-0x000000013F907000-memory.dmp	vmprotect
behavioral1/memory/2372-42-0x000000013F6D0000-0x000000013F907000-memory.dmp	vmprotect
behavioral1/memory/3052-52-0x0000000003150000-0x000000000319A000-memory.dmp	vmprotect

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\360\360sd\360sd.exe	upssvc.exe
File opened for modification	C:\Program Files (x86)\360\360Safe\safemon\360tray.exe	upssvc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2384	SCHTASKS.exe
1492	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
2112	upssvc.exe
2112	upssvc.exe
2112	upssvc.exe
2112	upssvc.exe
2112	upssvc.exe
2112	upssvc.exe
2112	upssvc.exe
2112	upssvc.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2384	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	31
PID 3052 wrote to memory of 2384	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	31
PID 3052 wrote to memory of 2384	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	31
PID 3052 wrote to memory of 2384	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	31
PID 3052 wrote to memory of 2372	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	34
PID 3052 wrote to memory of 2372	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	34
PID 3052 wrote to memory of 2372	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	34
PID 3052 wrote to memory of 2372	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	34
PID 3052 wrote to memory of 2112	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	35
PID 3052 wrote to memory of 2112	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	35
PID 3052 wrote to memory of 2112	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	35
PID 3052 wrote to memory of 2112	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	35
PID 3052 wrote to memory of 1164	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	37
PID 3052 wrote to memory of 1164	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	37
PID 3052 wrote to memory of 1164	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	37
PID 3052 wrote to memory of 1164	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	37
PID 3052 wrote to memory of 1492	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	38
PID 3052 wrote to memory of 1492	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	38
PID 3052 wrote to memory of 1492	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	38
PID 3052 wrote to memory of 1492	3052	33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe	38

C:\Users\Admin\AppData\Local\Temp\33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe
"C:\Users\Admin\AppData\Local\Temp\33cf43751b8ccc1776b7fc0c3f8a96cf7924d9b020ce7d5ac4d62cabc14637c2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\SCHTASKS.exe
  SCHTASKS /Create /SC ONLOGON /TN WindowsUpdata /F /RL HIGHEST /TR C:\Users\Public\Picturesibnxdzz0\CCCef3Render.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\ibnxdzz01tchmjl\spower.exe
  C:\Users\Admin\AppData\Local\Temp\ibnxdzz01tchmjl\spower.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\ibnxdzz01tchmjl\upssvc.exe
  C:\Users\Admin\AppData\Local\Temp\ibnxdzz01tchmjl\upssvc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2112
- C:\ProgramData\NVIDIARV\svchost.exe
  C:\ProgramData\NVIDIARV\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\SCHTASKS.exe
  SCHTASKS /Create /SC ONLOGON /TN WindowsUpdata /F /RL HIGHEST /TR C:\Users\Public\Picturesibnxdzz0\CCCef3Render.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ibnxdzz01tchmjl\upssvc.exe

Filesize
149KB

MD5
864489e91cfa1bc4cb7ce23b3d923d44

SHA1
438c0ac69bd93d110bc0a8d1516593c2eb65f473

SHA256
89f90dfe08c97c4a397a715cee4e49f0892ff3f3b42e34d48837cadf766f7d4f

SHA512
358e0f49569b41687accbde8d67e899fcfe3d34c5a17107dc132a5706e47bcb6ea41e900d30a5b2b45aa792ddaf089c507f6e3c3d235a4bde997c31165f4227d

Download Submit
\ProgramData\NVIDIARV\svchost.exe

Filesize
3.4MB

MD5
94ed4dfe17ddc0b571873aca8323d455

SHA1
068cbdc24be00d84e9f271369fbb95a7d53583e0

SHA256
d57b68baeb9c6a55b11fb5670f2b0b02caecf6b613abc294bfbb90ba5594cde7

SHA512
0906893bb018144129e67ac7239ca0d566e3df6346beeef8433d94e37b4f13869bce231a7b6726690c4ba6f398542965804e5eac074fe7a9d50fdef28bd098f4

Download Submit
\Users\Admin\AppData\Local\Temp\ibnxdzz01tchmjl\spower.exe

Filesize
1.1MB

MD5
f89e772299c153a4b8d8e7b1fa299264

SHA1
e48c541024e6a0858a4b31fc823181ef17c3d935

SHA256
2e32a47e57813d56dffd76582e3a99bcbc697990b5e257f6171a818ac6327841

SHA512
058c75f843742beca4ea8546005466dfdb0f50c6eb7cf0da721d90883534b331bae9629f75e33cd9956ad0829c05bb219e2eba8876bd89056ef99c7053095e35

Download Submit
memory/1164-63-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/1164-61-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/2112-48-0x000000013F580000-0x000000013F5CA000-memory.dmp

Filesize
296KB

Download
memory/2112-50-0x000000013F580000-0x000000013F5CA000-memory.dmp

Filesize
296KB

Download
memory/2112-46-0x000000013F580000-0x000000013F5CA000-memory.dmp

Filesize
296KB

Download
memory/2372-35-0x000000013F6D0000-0x000000013F907000-memory.dmp

Filesize
2.2MB

Download
memory/2372-42-0x000000013F6D0000-0x000000013F907000-memory.dmp

Filesize
2.2MB

Download
memory/2372-44-0x000000013F6D0000-0x000000013F907000-memory.dmp

Filesize
2.2MB

Download
memory/3052-36-0x0000000003150000-0x000000000319A000-memory.dmp

Filesize
296KB

Download
memory/3052-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3052-34-0x0000000003A50000-0x0000000003C87000-memory.dmp

Filesize
2.2MB

Download
memory/3052-45-0x0000000003150000-0x000000000319A000-memory.dmp

Filesize
296KB

Download
memory/3052-51-0x0000000003150000-0x000000000319A000-memory.dmp

Filesize
296KB

Download
memory/3052-52-0x0000000003150000-0x000000000319A000-memory.dmp

Filesize
296KB

Download
memory/3052-29-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3052-21-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3052-3-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3052-71-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download