blackmoon | b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4

Analysis

max time kernel
118s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe
Size

357KB
MD5

aefeb74729763b0a94dd5710b8101560
SHA1

c496cd8ffe2214bcd20fb232c90e00f9567435e1
SHA256

b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4
SHA512

14ee7f16588ab5ecc3f59648382ba8571dff2913d01c852fffb656da0f5e72436ac4ebe8338e04dd3aaa00a79eb335e9f76f73aaea0fab493bc0ec8ff5d6b620
SSDEEP

6144:mvk3Q5ibjnNuuXckaL7pbRBkce97aw/N4L7oJ:mvMQ5ibjnwka3pbRC19Gw/NsoJ

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001746c-7.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2808	Systemsixen.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	Systemsixen.exe

Loads dropped DLL 2 IoCs

pid	Process
1752	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe
1752	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
1752	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe
1752	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe
1752	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe
1752	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe
1752	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe
1752	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe
2808	Systemsixen.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2808	1752	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe	32
PID 1752 wrote to memory of 2808	1752	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe	32
PID 1752 wrote to memory of 2808	1752	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe	32
PID 1752 wrote to memory of 2808	1752	b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe	32

C:\Users\Admin\AppData\Local\Temp\b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe
"C:\Users\Admin\AppData\Local\Temp\b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\Systemsixen.exe
  "C:\Users\Admin\AppData\Local\Temp\Systemsixen.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fpath.ini

Filesize
103B

MD5
ce973d9f21a7dccd9a7c48e32eb75ce9

SHA1
fb8da5cf3f53860ca858ba82f005187d55e46b2d

SHA256
8e44d60646c1ba29c801ad038f662c45d39f164b69129915248563b71d38c611

SHA512
8dfab83a3a3a49fd57e56c5230b26bde141db61b0fe37d5c676364c6acf3f4ee90625b45c6306dd9f919db1a38a3cbe336383eafc63c5abc8cf046383554a479

Download Submit
\Users\Admin\AppData\Local\Temp\Systemsixen.exe

Filesize
357KB

MD5
5c7c8099d4799ffe52a33a9c3434978b

SHA1
041f70bbe2d7a047ba8f34c1aaf4ad5e1b3f4ad4

SHA256
38a72691cfab91795dee6c282067e3bbfc95e69649aec58c9d888651406834a4

SHA512
66342688a20d933543282ddc4a16ffca8ebd064cd3ea8559db6af7a0f274d0b67f9f5525d49856320106c58fc2d294d3ebd4489513c4e55ec52897ec35819872

Download Submit