blackmoon | a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/12/2024, 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
Size

74KB
MD5

ac4c0bebe3916f45cc61474b7a471038
SHA1

d82e238ef725eb5e5d65dc0da7433a23f5f829af
SHA256

a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917
SHA512

0cb1584534a4b345df1116dd584a5f33952c49851394711692e70dd1790015076a811aa26cc5fce050b688c5ad5284fb4e6146fbcda0f6ec64249d070ec3ae90
SSDEEP

1536:IyfIcT9U1tPrgQvhLopacl1TsQk0NJP/PAjgas/3VUN0YWZPnouy8B:VfIS2vhLoz5sQkqgjg1YWZfoutB

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/2948-7-0x0000000000400000-0x000000000046F000-memory.dmp	family_blackmoon
behavioral1/memory/2732-19-0x0000000000400000-0x000000000046F000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2732	Syslemsmlhi.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	Syslemsmlhi.exe

Loads dropped DLL 2 IoCs

pid	Process
2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2948-0-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2948-7-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/files/0x00070000000174ac-9.dat	upx
behavioral1/memory/2732-19-0x0000000000400000-0x000000000046F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe
2732	Syslemsmlhi.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2732	2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe	32
PID 2948 wrote to memory of 2732	2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe	32
PID 2948 wrote to memory of 2732	2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe	32
PID 2948 wrote to memory of 2732	2948	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe	32

C:\Users\Admin\AppData\Local\Temp\a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
"C:\Users\Admin\AppData\Local\Temp\a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\Syslemsmlhi.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemsmlhi.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
cde383206f6ab85887644a64fa8596fe

SHA1
51fa328b7e7b023e51e3bbfa192e74dbccb2c43f

SHA256
79ff631d442a41106400498ce1722a8120597822cf8251e112361e85edac7a96

SHA512
bba42b3e665e6bda90ff8e8b97d2b8ffa3f1a60671ea1171d2932242131bca2f33e29298ce317b1935219aa1a9ba0eb1f44f80d951faf2e85d50da6ea4e2478d

Download Submit
\Users\Admin\AppData\Local\Temp\Syslemsmlhi.exe

Filesize
74KB

MD5
9741ff4bd45f3aef7a0034e2cf1ecd11

SHA1
be5f7e03b6821d1962e79def15854e41de32a066

SHA256
023f47980bfee960d0807bc9a08e271ca10edf455ad2c723ef67946d55eed9d5

SHA512
93e304617d5ccb861ec6aa2b7444ad81a9b5db6e32173d7cb1a9730207927ca8ee83154a6dee0d9e8b59e4b5ea5ae6c5bb22d289280ea2c30eb0db5c687d9837

Download Submit
memory/2732-19-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2948-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2948-7-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download