blackmoon | a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2024, 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
Size

74KB
MD5

ac4c0bebe3916f45cc61474b7a471038
SHA1

d82e238ef725eb5e5d65dc0da7433a23f5f829af
SHA256

a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917
SHA512

0cb1584534a4b345df1116dd584a5f33952c49851394711692e70dd1790015076a811aa26cc5fce050b688c5ad5284fb4e6146fbcda0f6ec64249d070ec3ae90
SSDEEP

1536:IyfIcT9U1tPrgQvhLopacl1TsQk0NJP/PAjgas/3VUN0YWZPnouy8B:VfIS2vhLoz5sQkqgjg1YWZfoutB

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/2164-15-0x0000000000400000-0x000000000046F000-memory.dmp	family_blackmoon
behavioral2/memory/4216-17-0x0000000000400000-0x000000000046F000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe

Deletes itself 1 IoCs

pid	Process
4216	Syslemohtxt.exe

Executes dropped EXE 1 IoCs

pid	Process
4216	Syslemohtxt.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2164-0-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/files/0x0031000000023b7f-9.dat	upx
behavioral2/memory/4216-14-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/2164-15-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4216-17-0x0000000000400000-0x000000000046F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Syslemohtxt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe
4216	Syslemohtxt.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 4216	2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe	82
PID 2164 wrote to memory of 4216	2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe	82
PID 2164 wrote to memory of 4216	2164	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe	82

C:\Users\Admin\AppData\Local\Temp\a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
"C:\Users\Admin\AppData\Local\Temp\a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\Syslemohtxt.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemohtxt.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Syslemohtxt.exe

Filesize
74KB

MD5
bb04c05ce22212d801a85aa1068f1d6f

SHA1
6d47d162f5c766c477738e4f109b830f9dade4c5

SHA256
20f295f90be106624730f55ec09e99a048ffa30e08f25d8c45d0b7eb2de20c2a

SHA512
c0d4dba8b4773d9034963d0e88a498313f7c19a80f0fb143efd8c4d98db1203c1cc2369175956fe04322c3eb01c1dff17347f5eb674ad57fc74c9cf4cc789dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
cde383206f6ab85887644a64fa8596fe

SHA1
51fa328b7e7b023e51e3bbfa192e74dbccb2c43f

SHA256
79ff631d442a41106400498ce1722a8120597822cf8251e112361e85edac7a96

SHA512
bba42b3e665e6bda90ff8e8b97d2b8ffa3f1a60671ea1171d2932242131bca2f33e29298ce317b1935219aa1a9ba0eb1f44f80d951faf2e85d50da6ea4e2478d

Download Submit
memory/2164-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2164-15-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4216-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4216-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download