blackmoon | ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5b

Analysis

max time kernel
120s
max time network
97s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe
Size

69KB
MD5

e2e9d741195093c978039f30f8bca360
SHA1

82f1fcfb90b923d0ba407a1b7a5211bbb4a96a7b
SHA256

ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5b
SHA512

fe933113c9a1fa7a9d7d1c1b8a68b2ba57e0e7c5f62d1aab1b97e0df910ccf39a2f759008fda32394a69cb8b56c1b513590982cee7d0e2a058867c6c670e4a19
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8a0:T6DJrXAnHmgMJ+dOnFouta0

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/2236-29-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral1/memory/2236-60-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral1/memory/2832-68-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
2832	Sysceamutqxx.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe
2236	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2236-29-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/files/0x000500000001975a-38.dat	upx
behavioral1/memory/2832-44-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2236-60-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2832-68-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamutqxx.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe
2832	Sysceamutqxx.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2832	2236	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe	30
PID 2236 wrote to memory of 2832	2236	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe	30
PID 2236 wrote to memory of 2832	2236	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe	30
PID 2236 wrote to memory of 2832	2236	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe	30

C:\Users\Admin\AppData\Local\Temp\ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe
"C:\Users\Admin\AppData\Local\Temp\ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\Sysceamutqxx.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamutqxx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
6a133e0e8bba27fe05f02ad775e8b843

SHA1
dbd3c1202c50c3469ae5787ae19e432da1046d40

SHA256
79d2783e02fc43128367a3621b138bd5c83e8a839ce82c830cd6015d02dc8ef1

SHA512
8719badd813827086e3ad2ea49057d6d2fe7a340c1dd6c55e3fa0eaedf01ad497875043028fd1e867ce2a6a69f89694afa477a308e3d41026d77bf0ac7ae4812

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
741bc9b4dd8fcc14c29eb7e58a9b0f47

SHA1
f373b5afd5e68ba8c4fcb43a0e4ad85f7be09582

SHA256
eb401c00eca47569fde8c18ec6dfc2d50af19eb043c7878e3866ed235ef0e9e7

SHA512
f717b0634f3f56a7061e30c01e817f720ad1216cea01feeb70c56f37c914b32b07de030a85837c96a6114efc473ddd1189382f38e606fc70b1704c38cd780edf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
34a31dff4a06599d613e8903b8ec356a

SHA1
b373ac1759e6774481625c22c1b804c45e18ac31

SHA256
f9a7cc1d76b34269792cf9107112b927aebf88249795acb101faaa13622d5844

SHA512
a47a95288a1a86978e71dffa5623f6b696846bc23e5f2b26812f174972553476c680300356181ae8087fda21b95b0f847efc02f0b027bc9af50acb2e464f4514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
39e36760b0b773b688df5e24175fa481

SHA1
7a21e781658937b8e906b0b8bb461e5c626f65fe

SHA256
087101e8f43a2cfbe47d6d12a835b31b72ff6401b66b47a7eabac4e35ce6f6cd

SHA512
5e4d61a464ab5fa2a36ced836eb6034b9a63c6ee3d4c06edfdeb54bf5f25003d2fe89f701df8f9376785536885799b56e5cf8462e32970c19dd0d042fbaa6108

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
4441880465155f480ff3c63cbe8fa66f

SHA1
a2680326c6d2e89caf6978196b295bf407c12109

SHA256
22357652c605397d6bd40c16889f3362560fd23639c4a705d32e0ac1fc926e6a

SHA512
c07e90ca52328bc10217cd917f3d5c42107c4b54b0e0b138e03dd88e27ab4c14c8af97b2449665b325a61af5d65e34e6fb6e9537a8d1c605e65ab6225653df66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
53e24a2d4dbfe4a15a97a8d3c856d16f

SHA1
9af6e7107b307dab7133ff47beee0aa2b38cdfdd

SHA256
ecd1d0199838c4dd99943c29e11c8bce0de86593456b01ef317a862d49294c06

SHA512
516762d4625ba272c7d227b25b64bdf92df1f8d876f37cccb608806cabdfd04909dc48e11f8a643d98ef31fcf5dc9463d0d89080414ca9ae81b1c31e7cac4f6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74fb2f9d19ee3265b016a7c125135a09

SHA1
436d105a9862dabfdf5b4cb00d55a5bcd6ecf1ea

SHA256
8c5bea09625a0fd7fb417fabd94596d0ddce58ed676d31c652f9b9dc302e22a2

SHA512
c2f0a895ae13e19f820a98d5088fe0edb7fa1f0d3cdda29bf262fa8493ee0e242bd2919ddc95557ec47fd1f470417540541011bab91295cc102de9994f98773a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
89df29092b14d72048096ca705b6c468

SHA1
60f1aae5c7b9fd94a7022bd8f2cf9b1833b647f2

SHA256
6ae8322f21c54c666bee91d34bf64979eccbf4f16e40f3a5f4fd06c482bce04a

SHA512
850bebee591dfb48259c62b2c7c9db2f4b6ea659b0bb0b699e97ebb6285734bcd666607852aee9b3ab2658cae52f63e0ab97fc4f8214ea3b65cf9afdec267e7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
2fb2826836e374a5998a46c22cac5158

SHA1
d37e93a15bd277c1a969a4954ce0c20c130ec874

SHA256
fa3aa2bd907c8b967bdc6304773348bfaeeac236322e35e127a35395a66cef65

SHA512
9d88917fe1b0fb604833fe4505cfdc8ed0add3f794e68865835f6791eb28bd296d4234a756b39a078649425b63c053115275a416fb00b920ecdaab5862f8fed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFDB0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
103B

MD5
4b6ec0b9eaf0ed934757a2961673fc85

SHA1
9eec40491bdd520ee3f88802026fc8cea118637c

SHA256
78ad9bc49374b8feaec1a42bbe5ad30d4c3a0db5d8b18e40b5eb96eda548c84c

SHA512
0b7e55fbc2881a308bd689c88e853bd95fa2ea9b07480360b17566d65caa30f39a2de94ef9c26d08e87b7ff674f5535ec72575f7804f3823e72d5c3b9e32bff0

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamutqxx.exe

Filesize
69KB

MD5
2caa289f48980cdb3eb493173e88b700

SHA1
4a6c62e8d99a9c95ecd244b94eafb64c7697120e

SHA256
da9697fa83de27eb1152cb1ae80da29f5e16fe364470a174e89bdd9e02b37d59

SHA512
d3e299e2af91478251ec5fc3b43c2fe1a6c0a6b380a9c1b57fdc92a545a7592f6e443e9af4a14936ff5e089c3504b9ba714b43a6b2eb8a3be7d32281d6cfd3bb

Download Submit
memory/2236-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2236-60-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2236-43-0x0000000003DD0000-0x0000000003E38000-memory.dmp

Filesize
416KB

Download
memory/2236-29-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2832-44-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2832-68-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download