blackmoon | ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe
Size

69KB
MD5

6c5ef20154f58186bdf0917529d01b67
SHA1

1909dca5a05d243739dd01819fc6e16e9089b340
SHA256

ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461
SHA512

6a25b372b99c108277faed251fd02c68405096b5b092862c7966082f6ec5df8165519b001053aeb4a82a6d81fcb3900749ba11c503455194926a49b617910aa1
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8a8:T6DJrXAnHmgMJ+dOnFouta8

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/memory/2072-16-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral1/memory/2072-27-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral1/memory/2072-56-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral1/memory/2432-63-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral1/memory/2432-73-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
2432	Sysceamsifpb.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe
2072	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2072-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2072-16-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2072-27-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/files/0x000300000000b3e1-40.dat	upx
behavioral1/memory/2072-56-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2432-63-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2432-73-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamsifpb.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe
2432	Sysceamsifpb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2432	2072	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe	32
PID 2072 wrote to memory of 2432	2072	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe	32
PID 2072 wrote to memory of 2432	2072	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe	32
PID 2072 wrote to memory of 2432	2072	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe	32

C:\Users\Admin\AppData\Local\Temp\ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe
"C:\Users\Admin\AppData\Local\Temp\ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\Sysceamsifpb.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamsifpb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
e7ac07161833c2c3e11a4f1e6dc42c32

SHA1
ba246e113bc53efb725474d7a28d9523a0e650ce

SHA256
c03a6e6209601b013c394611453fb82d2d742f0c9f89ba0d7878c161a7b1b3dc

SHA512
a798a524291fe0acf11ba3b7eaaadcaeb3c6397e620a63d7fdb7787031e8f51174c5da4d9944f2e7de375113eb943794ab2ea4d2f7bb51c46f7ca48a9ab769e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
14c87bd922addc5dec6234127cb9c662

SHA1
376105e0babe9cf6236a1158b81d8923b4a80af0

SHA256
04b497675ab2dc4096956f6ea978858a5fbb80701f42ce1e6903e6d948cb2d61

SHA512
0f0ca6c06618e309e1b5fac2ee29611ef9afa71f86af3e743a7f824535914a6bac4462835efde958fcd6b4d23606a21db10225adb41b4850fae067ca3690236d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
d21ff713d14d30e2676cf9b5961f5706

SHA1
f3b0d97dc3b8f20968e55b274f20b6b6f615b607

SHA256
4701dfa959ebffd913f9b3909daf52874cff995aafc145b4408d9bcf8b34ec78

SHA512
99fa73a0eae74b7e8248f6d13f10a1e1ee41eb0e5bf519b27f98d05e40bc73e9a815c0843f96199b0f2f2f7d4459a123c012ce88b5f1fb9e98381864d2ea1483

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
23371d3cf9429c724ac291c14f429126

SHA1
b7f438199bbaf4b1d67ad85fd83ae20d2f496f0b

SHA256
a8fbce78410cc672d4f0e0acc317a0cd8998f3d2c855177586a79f9271d11c08

SHA512
6a3192671c6e6c48befe3e0178f6930fa70a80bc0f7bda9f79d9259f09f20363ba87f5b084f8edb3b539799dd3eef13d8b766bb06130ea889f1c1c00f28c39fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
c795e6463e71a88cf9622369348f77be

SHA1
076d52b1d532e7babe182b5294116b2d5c7859c0

SHA256
b5ab100dad00ab6e17383542d4066f9e5cd5d40994665b09cb5e4dac3b3124ba

SHA512
bd7708c927cb853e8a1b39109b85e3cc51ba511c204f97dd83b49f54f0eb28f6345c6e9ecb75e12e8960a607265d50d92dcff7aed856bf38878f4937fadff1fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
2474634fd7a7a5c335d0592c85ace85a

SHA1
4b08a11997830a0ef0954ba4143308c1222c7d81

SHA256
774ce8d0f3bcc5e1bf20d7e4fcbd9d1e43853cec5655a763630bf72fe494895d

SHA512
89f439a0e5ce5525206de2375d13010920c9c626823f206f9722c3259ce27f849507ed0366ad0cd770aae3a46514aa73d914b25e1954008801479b2e24e1d29b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
05ddd5819ac7be5b27ad9a033099406f

SHA1
19bcaf293aee988463ad97be64856c7bd719258e

SHA256
bb48b18017c1bf23936d80ac78715b8e438838b5378a5d30776a8991111690e0

SHA512
6be3b88d62f323f46a45bdd2e91592511f59c3054af98b8b9ea9a4151b7e9dcd7be66da3c97b3e10a886e2c39c4b1924c99d983cc20cf5f521ded2a06615272b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
21c48849b7cf36ec432aca2ff7b8182d

SHA1
a69a30487f60bd206b50d969d5613296c03d71d7

SHA256
5e14edc54bfa2cbcd247ad3e5df6ebe6f0e05f7d8d908638128bb4e09fd0c0dd

SHA512
5407fc260e9635d5065a359648e8893e8eb2c06f9055a4eb24179f57b36e97ab2d127ea3fc3d95e302f158bf79c6fc207cac0413ba2063d311b507f3606d459c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab95BA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamsifpb.exe

Filesize
69KB

MD5
60335716b59cfb3999017e6803b97ded

SHA1
94c4da29e934ff9c5948ca88edc159012b383fb4

SHA256
ae7e97481f4a0f0b3cd56f9bad324e5c2cb9b21250473515000978bd209ced62

SHA512
2d5dd4f707640683d7a6a9d2e0670747e856e3fa4c51cb7747ae8a723bde862e737c606c009407a8aa51a19e58787bc4cd0879113816a98681e8c0f6e10386d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
1dc58af8a28643f60283396153557759

SHA1
b05382f6992bdc0b5f1b0f627c1c564718793785

SHA256
f15c139a6e3607a0b4fb5cf74b66d88395ff32d23798a1bf0f6166127b16f378

SHA512
b3363b03550a6681bc24797fe741e515954036ecd5fbc1069f1c5cb6024f8b4685237bbbf65278eb0861ac6fafd30dab0346aa35f2509bf214cf6d59386fbba6

Download Submit
memory/2072-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2072-56-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2072-27-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2072-41-0x0000000004410000-0x0000000004478000-memory.dmp

Filesize
416KB

Download
memory/2072-16-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2432-63-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2432-73-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download