blackmoon | 58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe
Size

408KB
MD5

1d9e4bc56c15d5a5e4c8649a1c5dbf19
SHA1

d49a7dccc32e95b83bf8e32261c305e67a82f668
SHA256

58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e
SHA512

9ca27f6eb510f51fe58ba6bbb74ed44a057841bed1a21af1e2b993686029c1b17f15a38616c38fd63871c34aba25afcff11ee77167ad0ec863c9a5617e8834fd
SSDEEP

6144:K5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zIydenCG:K5/Q58drihGiLhmGNiZsx0B/zIkenCG

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/memory/2688-0-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral1/memory/2688-29-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral1/files/0x0006000000016d3f-42.dat	family_blackmoon
behavioral1/memory/2688-60-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral1/memory/3056-68-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
3056	Sysceamuuchj.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe
2688	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2688-0-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2688-29-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/files/0x0006000000016d3f-42.dat	upx
behavioral1/memory/2688-60-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/3056-68-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamuuchj.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe
3056	Sysceamuuchj.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 3056	2688	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe	32
PID 2688 wrote to memory of 3056	2688	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe	32
PID 2688 wrote to memory of 3056	2688	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe	32
PID 2688 wrote to memory of 3056	2688	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe	32

C:\Users\Admin\AppData\Local\Temp\58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe
"C:\Users\Admin\AppData\Local\Temp\58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\Sysceamuuchj.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamuuchj.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
3aff13f0f493f6f5aa948bc6c4c596f5

SHA1
ec06ad3561d5603b15e26280513ed5a0604630af

SHA256
aa4fe3439351d9f7df0804b9eabfb001ba08e9cbd32de78d0159f9941f4826c8

SHA512
d4f18751b3da048884c5334c48a777202582627ef05208247f08eef6639a4b94b266ecbab89235b1184579b24a525c090062cd690f84f332d15ab1402eaa8886

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
9caf7a3f2e9656525e95e3b84282ccef

SHA1
4a1f2a4ab3c0618811a4ea98256247710449a105

SHA256
2b775f163168fb6fb5ed11f9f105471ae96b0c9a01bad98e28ddc9b74371fa97

SHA512
dcf4979e058e8481a2bd25210e601dc7f7dd6c19adbffebb4217bf95909c34a84988cbc9fe648a5381428b7609a01baad8c7e920dfda7835e663d658a73d773e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
b5f07da0c85c2974f7f4aacf4e7e8ed3

SHA1
47f94874fc9cfcb224c382058d51ac083f3f56a1

SHA256
aa39f84f77a8c354dfc742914351fa5eaffc591e5f98615265ddc001125f0e2f

SHA512
1971cf9f25e81d126606ab33ed9a27857cee2a47396654bb8f0c9d780fbb209742ec87c45e6efb37d3095afa67e50ac23e2ae7066a417945f92da43807b31143

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
805a3f9532f126a477721783d417252d

SHA1
33a11dbc6bcdecf7d666953352f437f92b9c6e2b

SHA256
79c4b919799c1b148bb0b87b1fa6da98f9c931290ae3a2e8d8ca7d69c0b2679a

SHA512
e7439c734b48fb60f432d24d7df29244efcce2e876e2660cdfd42f21626a59fd769caa365ba2fadf4b940d71271a0148af0a6cafe198b183817fcf07d42b9cb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
a333e70d7942a6a9702cebeac3ebe596

SHA1
0a50cff62dca92f35d214b94e186bb3ad1458ab7

SHA256
33a8cdc74b75367a3f2e8ec70837e3e0eb1340a60a9a4c13090e40643bda754b

SHA512
70c96a90e511d0394078982c9f76d70d446af873ab7abb508a8677a221704c967f22f9fbb531914151b103a428fd8e30af26764e4adc69891d5aa327875d26db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
ea537625e5d63be6984cf7604cff9085

SHA1
45398568ca59b2fd9b9e144224ce5b3c1dd357a3

SHA256
c0f82b0454ecf7286396466196c42d005ba29979745dca94b31e08182b698f7c

SHA512
e585995d554180a63c7dde607987d9e0552c5359eaf3813587650ee4cf3c087d71424e3475d06a73f5983cf2869e3df45bed5417750dc5ae9cbd2b2490f13c6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a884ab4cca9dc7379e45fe79284b911

SHA1
183f0fc2793528f3a84682cead8d47b1e86b1b43

SHA256
79222fdb749724be698c5ec741bdb87d9fc66f80274d089951e40904a0c24b39

SHA512
cd451814681f9e7717784e54daa6e1df0bcd9270a386e8e6a8394b57985f73d8e6d28af16436c66e854dffd7d9f888f952008dd78aedcf1bc5d839fec3d956bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
cf6b959f77560aaf71a7bf8c3a77491f

SHA1
0ddf3b20073d9e90541ed16e29a4c78919497cc3

SHA256
aad9104d8cc24434bc614c71603f0d24ead1cd5fadbd02b6d4bbc8316fb941ec

SHA512
29193d3bfcfb27315bd25b2bc1be09407351f28a6c87edfdbef9202566b6a7a2e977d10a1bfe3a80e1c37e8039e36858a6af5583e6bbaeb8c44fb22643024fb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
4370e780dd7e19d56eebd17242c1fa63

SHA1
0953e2863ce20753167564d67148cf069365f87b

SHA256
b98972d31293101d23690004066c27b51117cb6fd00462a2b67192a403b37771

SHA512
16c6a90439d095eed53d403c2a0fb56a94916d83a0b009dd215c9815d5d84a352b1ab4e8b63c6f684494f5db07ca21ae5956af39cfbc7cf6b620d72d429ab109

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1E3A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamuuchj.exe

Filesize
408KB

MD5
4e54b74b04bc18fa65dfa8c95a725319

SHA1
6703db19c720a8422108dea0e16ef6235d33e770

SHA256
23f122f952c69f746950695aba7b3015853028e832bf2b9e46c2d7dec08d8c97

SHA512
6bf7ddd542bf13652db1327d44bb3c7b419fc87321a372ff53a98d1e05723f2c68ecd361c9198ea2621943ebb171225034aa6b6f1427233bfa54cbb33ed75fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
e7a9fb06912b813ced3a5267c0cb0aa7

SHA1
901ceb47a6c80271faebc4f356f725d5b80f2d36

SHA256
ef8bc7fe2cac4fc2a798977b1c4e5e88c09023c1e23f37b85c126a32a238b96f

SHA512
957cae831856084a46dd7a24dc560ffd996f5393bbf8eab86f3ee81f2aebbbcb640be76a437d86c8e6dd6d4d26979861228a8df69b14d539ab1108434a53457b

Download Submit
memory/2688-43-0x0000000004140000-0x00000000041A9000-memory.dmp

Filesize
420KB

Download
memory/2688-60-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2688-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2688-44-0x0000000004140000-0x00000000041A9000-memory.dmp

Filesize
420KB

Download
memory/2688-29-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3056-68-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download