blackmoon | 78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe
Size

366KB
MD5

d38fe2c1df43af863869a2ef1583691e
SHA1

fb90b302b1664840560b2920955f2eff4bccd50c
SHA256

78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a
SHA512

19ff4a33ba4648607bdbc5362ed55603b15248bf6fa7491c968c9fbe12fe3b9819d45cb39eaf46db640d8ffa1e29f24f37ad2fe753e509ace63cb21bd372cf59
SSDEEP

6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1m:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1m

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015ec9-7.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2724	Syslemboodd.exe

Executes dropped EXE 1 IoCs

pid	Process
2724	Syslemboodd.exe

Loads dropped DLL 2 IoCs

pid	Process
3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe
3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe
3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe
3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe
3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe
3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe
3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe
3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe
3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe
2724	Syslemboodd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2724	3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe	32
PID 3000 wrote to memory of 2724	3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe	32
PID 3000 wrote to memory of 2724	3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe	32
PID 3000 wrote to memory of 2724	3000	78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe	32

C:\Users\Admin\AppData\Local\Temp\78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe
"C:\Users\Admin\AppData\Local\Temp\78039aab990bf932170e0ef08a73923948d7c93389a61fc5fd1f5ee5ca78398a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\Syslemboodd.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemboodd.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
0f745da084eab2f2e3c4842edbd64610

SHA1
5ccdeb6473e725df023e17bcbc460289a2ffb31b

SHA256
1e7aa2f8793a9956c38b6d5cfc76e9a4f16dfe2b4edbe121cf2e7b2819990e4c

SHA512
5f87f5d2dc0dd5e7249bd593bc47335923d901b3a23d1a066f658771e8de804ff0244ae3e72889ec5ece3bfe4bdfd0e0f965b0898d0c08f5b30b081991778477

Download Submit
\Users\Admin\AppData\Local\Temp\Syslemboodd.exe

Filesize
366KB

MD5
daac49001e1b5f5b0333ff60ef716c52

SHA1
46fc20f3ab719e121f7b17ec7090fa10eb1e9dba

SHA256
a93bbc7ee9257b32cd42025e5ace86db2381c8091c6a5d02af0a4f2cf6a12327

SHA512
617550329371d0185ef085641992a4fe3e4511cab487fd450274f885eca83d6c9c67fb5df3ff7c9ad6d231b7cb271d7ebae721db723183c2254210aeb266cf5d

Download Submit