blackmoon | d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe

Analysis

max time kernel
149s
max time network
135s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe
Size

69KB
MD5

26aafcb37ad64fd9b71ae85cf33c3494
SHA1

0542cefc8f008f0f21f5ea6b7c29331337a6def6
SHA256

d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe
SHA512

3e1f84f1eafc2fca85bc73e2898263f43bd5496911619a099261c81adb68f708a0a7b5e68bb9db96cdf791cb18198d9a305b90c64f74bb7b9e4ef4c18535bd07
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8a0:T6DJrXAnHmgMJ+dOnFouta0

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/388-27-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral1/memory/388-56-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral1/memory/2632-64-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
2632	Sysceambidyx.exe

Loads dropped DLL 2 IoCs

pid	Process
388	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe
388	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/388-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/388-27-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/files/0x0005000000019d69-34.dat	upx
behavioral1/memory/388-36-0x0000000004240000-0x00000000042A8000-memory.dmp	upx
behavioral1/memory/388-56-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2632-64-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceambidyx.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe
2632	Sysceambidyx.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 2632	388	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe	32
PID 388 wrote to memory of 2632	388	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe	32
PID 388 wrote to memory of 2632	388	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe	32
PID 388 wrote to memory of 2632	388	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe	32

C:\Users\Admin\AppData\Local\Temp\d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe
"C:\Users\Admin\AppData\Local\Temp\d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\Sysceambidyx.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceambidyx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
bf1d5b0df977add0a71af75cd105abba

SHA1
aa043f630b333fb6338fc6a52f99a80685d7933d

SHA256
a19eebe94a8e2d2dd13dc7e33a1625e51b6b9ada9bb28e9d8852b78eaf11d1d2

SHA512
1048ca2d8e314d471fadb034be1835663955578c13a5a863771a39780794ff87d37f2b11b9295d9e1e635521a8bda3a2cd17f7709674f15efa8c06e96e72f0ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
be2ae8a9d738667774406810e9474047

SHA1
abb5d75fbcfbf8fbfae4cbf00a8998a527e01f7e

SHA256
f38efc0a7fffa5640e03bf0adbb8388225e7580f5d01e6630bb6d83109187a68

SHA512
e5e10da017d491467f27fa7211eea836c6f1c2e383cf5d3d121e710b6ae8ee6570abb7fb9de20c897982497025da716e4eee21b501aa237f380984fad74cbf3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
011ddb737cff5db5a6c49b4b76524753

SHA1
7661adacc256199dedc2710f16d0a87a42ef22fe

SHA256
7e737c5606dd1bcea7cee237c4ffaa3d72e055794b8fd8dca99b4f15fbc0e5a5

SHA512
3c694ff56719783d966fc4a29cf7d2e15b0626b5a276f5ee703af717ddf013d8b7068092a47a9563816c6c2b00283150a997a5d864a9c09af2fb93f9c5535b77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
b9f866a192d8f03fea9753d9e3ce9e61

SHA1
1a25348795f02be5377b7f2bc521f77b906170f7

SHA256
f9a5be03b672a7a6f1ada443d04659be25fe9b3527d76c315f17e6036d64c154

SHA512
6cd2eb4bab51d071cc7042d6703a9f15f9c57676ef2e08c8895383b7852412cc2f787897abdac7910135289a50d04396ed0dd90dfe1d2292a1884ef0880e37bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
39ae472db6f8524d16aa1f6d31f7ca65

SHA1
f06072a03bcdae1d6952b8bffd750a045a748787

SHA256
07438b0c9574c3ce38198d2fb27917e1f0a0ce780c629b3a231514fdb4c34646

SHA512
291f8baa58586bc6a2f7b00492cb673d4ecd991fe54981bdf98baf3d4991395d3588b6d0c5c6e94411cf4d032727e34da6d7e8c146e8b76e40efd12a1bdb027d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
85e7993161232b3f83342287e5cda7f2

SHA1
73c8810a348699671c90662803aca8b6c9d1c650

SHA256
02d21051d0aea86457e22a9cabf87a095ee12b81a1b425e57fbadc0e18ae24e4

SHA512
6ef9b4749a167f537bfd9347ad2b8190792c00e50446201f5507bfdb9af4297414b391bcf00423006e03a76fdb3baa7b2046164d80022a9ecb7b03ec36f6ab49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
ca7521971763e7ec88015b8d83c69b9c

SHA1
2431ebe11f4eb8239118511b2a350432a2b68f92

SHA256
169a663afd7d3cb6c426e8072115f0fedb406d6c3790ea8b3f4c629b1ee7b556

SHA512
100d576884d7638629b9ea1c389fe132f885fcfb90decf77546b50f7869b334ebe416dcb9916cad04bfe953c90733376890d0991fa6139bb01ce7ec1a81ac319

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
7840f7b79ebad97b3677f856d10f11a6

SHA1
ba5e0c25d9607f468f9443499b111e55241c62b4

SHA256
9c818d3d644b99e5749251628a58ee8f5fbd6be183142aaa49d42c4dde395f04

SHA512
e856f59bc1b6dff1cdb33f702503329c11241424948be28a45c7b0e67c8d23117fa58bc2c673e7a50f80f1f0b33f070c2ec32633888e20eb9ff7ccdde012d50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1017.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
29d3892a72c8e40a2d6ce8d09f7f17dd

SHA1
b79c3014b1b63e20326f0273c9ac612e6c4fa9d4

SHA256
538dbd2e3556dbf15cce32c33c3e015dcff313cc50e8b58f3739b7ddbdef81de

SHA512
20c8df7851a095307e413d74e70c0017462308f153e8c43ae077a76af714eb97847f7799faf78a067e70c4715b7d2fbe86c3613c0405245f56d2283c84cac963

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceambidyx.exe

Filesize
69KB

MD5
cd29e6032f60db3a257e8ffd2c9d7795

SHA1
747220e4c0ee65c0a9ee6b301c583edbb7b63d38

SHA256
5b94a727df8bc919c05c0657f9aa07e3d1735e83c84d1a17d232f289bdde0075

SHA512
fe57b5aff6c3beeeea55a74aa9d776555bd1bbdb538debb7e2f1657c2f951cce30391e77afe1467aae1fdd6b9feda08ce61b155ffcc3346d7c676bacb4d1523e

Download Submit
memory/388-56-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/388-27-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/388-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/388-36-0x0000000004240000-0x00000000042A8000-memory.dmp

Filesize
416KB

Download
memory/2632-64-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download