blackmoon | c2d2fe410aa7215bdaa21ce7fcc30292a2051683de12afd447a6bf476d58354b

Analysis

max time kernel
111s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2d2fe410aa7215bdaa21ce7fcc30292a2051683de12afd447a6bf476d58354b.exe
Size

44KB
MD5

a3275fd4af5efc528c157a45673c7721
SHA1

3c126c3094315876a87ac76e3256a619d4ab83fb
SHA256

c2d2fe410aa7215bdaa21ce7fcc30292a2051683de12afd447a6bf476d58354b
SHA512

c7bdad4a2b83a14431da61e756e22997d8f7f61d49764b213a1c54db694d9e01caa105d078239ef5ed3b45c4e9fe2139dbacb01ecec34899900829bc7588164e
SSDEEP

768:KmZ70XUP0K2I5f6VJiPy6jBZTCRoMUHIYhlDkYi0sDaF8QCFSXbyt/CSF7p97Dl:Kf2V2IOSXQoMUHFhSYr+DQLytpFx

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/1788-7-0x0000000000400000-0x000000000042A000-memory.dmp	family_blackmoon
behavioral2/memory/960-10-0x0000000000400000-0x000000000042A000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

pid	Process
960	xxllxrl.exe

Executes dropped EXE 1 IoCs

pid	Process
960	xxllxrl.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\friendl.dll	xxllxrl.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2d2fe410aa7215bdaa21ce7fcc30292a2051683de12afd447a6bf476d58354b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxllxrl.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 960	1788	c2d2fe410aa7215bdaa21ce7fcc30292a2051683de12afd447a6bf476d58354b.exe	83
PID 1788 wrote to memory of 960	1788	c2d2fe410aa7215bdaa21ce7fcc30292a2051683de12afd447a6bf476d58354b.exe	83
PID 1788 wrote to memory of 960	1788	c2d2fe410aa7215bdaa21ce7fcc30292a2051683de12afd447a6bf476d58354b.exe	83

C:\Users\Admin\AppData\Local\Temp\c2d2fe410aa7215bdaa21ce7fcc30292a2051683de12afd447a6bf476d58354b.exe
"C:\Users\Admin\AppData\Local\Temp\c2d2fe410aa7215bdaa21ce7fcc30292a2051683de12afd447a6bf476d58354b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788
- \??\c:\xxllxrl.exe
  c:\xxllxrl.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\xxllxrl.exe

Filesize
44KB

MD5
0d3e3afdc6a07116c7d37bf0e6a36cf3

SHA1
2f3e98dbf2db89d018f658df268010b5fcd10ef6

SHA256
c9f41fb0ea8839b3415d45d8dadf3b2a286d80187a364a38ee1abcf468aa98a4

SHA512
100ed7013f9ec04e0ff0c226a0d9a9a2fb3b5acf40e589d08b250584230604cc4cfcf8d8d1dff0a5eeb32266a92c6c1fcd23e0fc42057ff0356d5c9023f06206

Download Submit
\??\c:\jl

Filesize
102B

MD5
992b84b4c0c2f2b88ed9b49e1945c083

SHA1
45274cfc15098d3ed22fc1e9c5917896564c96f2

SHA256
05132acde98a2cee1994733a3801da5e4dbe3e22c43b169586a1ed7544205ce3

SHA512
a29f6c35049b875d125e32c60d8d1f03130a0e2e72c90ddd4c0bd0850e216ebe260b2ad52227df8bbda2f6b2492dc806eb2066775b082ccbf326ac9a0865a666

Download Submit
memory/960-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1788-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1788-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download