blackmoon | 07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2

Analysis

max time kernel
119s
max time network
91s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe
Size

407KB
MD5

fdc869aeb52b9265e66d31245ab9f430
SHA1

0e6577954b7319b9b178a2f4ce2cf9b897864830
SHA256

07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2
SHA512

a675b211b0b78cc2743625d10eeece285bd11677874a7aac43dfaadf29770c37565b041d4dee876ed8cc93c7ba1e6c0f8e84304b0d4a2b90f623631151072594
SSDEEP

6144:K5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zIydenCW:K5/Q58drihGiLhmGNiZsx0B/zIkenCW

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 6 IoCs

resource	yara_rule
behavioral1/memory/2488-0-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral1/memory/2488-27-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral1/files/0x0005000000019217-34.dat	family_blackmoon
behavioral1/memory/2700-42-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral1/memory/2488-57-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral1/memory/2700-65-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
2700	Sysceamogybf.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe
2488	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-0-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2488-27-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/files/0x0005000000019217-34.dat	upx
behavioral1/memory/2700-42-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2488-57-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2700-65-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamogybf.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe
2700	Sysceamogybf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2700	2488	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe	32
PID 2488 wrote to memory of 2700	2488	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe	32
PID 2488 wrote to memory of 2700	2488	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe	32
PID 2488 wrote to memory of 2700	2488	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe	32

C:\Users\Admin\AppData\Local\Temp\07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe
"C:\Users\Admin\AppData\Local\Temp\07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\Sysceamogybf.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamogybf.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
ad981bda8550a85e82b3dd1f52e39270

SHA1
f2eaf4b5fb6016291adc88b970d217c69af43e5f

SHA256
77e4fcc15b6f1918c654e729f6f1c8fd400b70f7833eb1ef004ab7ad35a2c07f

SHA512
a2b6de329f2e86d767e6fe6cf44adef9967ae9d8011f9bbb0be8c9b5b98c98acca2d7c42491b618ade7da25a8067aaaa58510ffd4b6205dcac57ef2c6ae4acf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
9caf7a3f2e9656525e95e3b84282ccef

SHA1
4a1f2a4ab3c0618811a4ea98256247710449a105

SHA256
2b775f163168fb6fb5ed11f9f105471ae96b0c9a01bad98e28ddc9b74371fa97

SHA512
dcf4979e058e8481a2bd25210e601dc7f7dd6c19adbffebb4217bf95909c34a84988cbc9fe648a5381428b7609a01baad8c7e920dfda7835e663d658a73d773e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
b5f07da0c85c2974f7f4aacf4e7e8ed3

SHA1
47f94874fc9cfcb224c382058d51ac083f3f56a1

SHA256
aa39f84f77a8c354dfc742914351fa5eaffc591e5f98615265ddc001125f0e2f

SHA512
1971cf9f25e81d126606ab33ed9a27857cee2a47396654bb8f0c9d780fbb209742ec87c45e6efb37d3095afa67e50ac23e2ae7066a417945f92da43807b31143

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
d80a5fd04121759597a061a4497bae08

SHA1
1c54ab2c23f568ed21f33c683e8f9c6366d9a86b

SHA256
1221d49fd40c3c58089a3988b96be848de8327bda9fe19fb4e4c715c31337c68

SHA512
dca4ef77afc48d1a49b60bdc82aee16bf93228c957b47d6406f9330a380d84b68476ce4aca5a23b24461033e281620af5d1a3a90741dfb64d18b61a92649bcaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
ffd892f1f094a34c9f905e6dac8547ef

SHA1
d118ae389ba244c48a7aa07ff0d3b623bcbb840e

SHA256
fedec62ddfe36d665283b7d4f7d49f6e47daac332f3a9e7d4d0325ba6f15b172

SHA512
4c3434a7bc5dcc892f0c16278e8403ffebbb261bfedb685d7f817b3a4dbfa3c4de1c8d30ab3d482e0f7390fe16629dc4ee2908f933053b76853c2a205b06329e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
5a7ee637b0387d2851f8b50b9ed00089

SHA1
f44ff5d20a9a0552d9023d4ba660ec70ed1313a9

SHA256
cb7c0d3460077231de615ebecb73b4bfff1206b362bb5e38915ac5805a0d5617

SHA512
d164663d522623d1c0fe196ba59ca1f36d13a76442af7001b1a750afb6dd64f4a2fd4d6518105fa2c7394c94c5eba8af1176bf392a56c7ecad28ead09d06121a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
3c4db3194eb5102cce1a9964b2739b23

SHA1
91b8990954e732d3fa29883bfdd4fc13c146de1c

SHA256
4a4b93fcb1d6654402a10ac76012f436240eef93f2f4db018e8bbb67ddf2754c

SHA512
539432fee101867afa54ddc33bbea03b955a8804d39315b9723f668bcc0487ab3289ddfc78c073f5216bca152f0db8c1787156082b655a9eec2f2f94aa5245c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
343dc40f918edd65c0c5903818055ed2

SHA1
af4782c3a05793daa8d6484972b2d4498e5fb6fd

SHA256
7c7c392522474b5c4d80c2eace655792d6f11309f393fcd777771452d7413dc3

SHA512
75d48ab107a91c21813175d2246e64b863dbfaa98841b77773e16803e9f8d329e54f6416626f6953bfb3fd00f77d32d6ef461e60c5a9d4f311b74d46bdf5ea4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE82.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
103B

MD5
74cd22751849e75d04904ad5da4b8c69

SHA1
44125cd313d382338c2574d7241425b6a8ecc855

SHA256
acb3272b715a075fac0f3054beecf55ba28babcfcee1b977af0a0c080402de50

SHA512
7a08eb9439fd71c8136c003c3301dd5cf207cac7843787f12ff838668b4c32a1af443c92ee6e29c3342b72829a214b02ad0f7298f6d0947f97c09349668a3748

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamogybf.exe

Filesize
408KB

MD5
66ba11494a0b8fd81c54e7934b21968e

SHA1
e8699dbc5832652829b7eb3bc4fa60dd3a798e89

SHA256
c3665c12a5b49bd62545b5ae0a49397f8198247e2c22b0143517afeef519473b

SHA512
3da550143e2bf71fc5a0cc2c002fc74f4639a4c241edcc8274a01570c3f61e2c9ae8fd67c713eff4404afe8d4452b499123c50c6bb5a462133dfceef7b0405e0

Download Submit
memory/2488-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2488-57-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2488-40-0x0000000003E50000-0x0000000003EB9000-memory.dmp

Filesize
420KB

Download
memory/2488-27-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2700-42-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2700-65-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download