blackmoon | a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/12/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
Size

74KB
MD5

ac4c0bebe3916f45cc61474b7a471038
SHA1

d82e238ef725eb5e5d65dc0da7433a23f5f829af
SHA256

a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917
SHA512

0cb1584534a4b345df1116dd584a5f33952c49851394711692e70dd1790015076a811aa26cc5fce050b688c5ad5284fb4e6146fbcda0f6ec64249d070ec3ae90
SSDEEP

1536:IyfIcT9U1tPrgQvhLopacl1TsQk0NJP/PAjgas/3VUN0YWZPnouy8B:VfIS2vhLoz5sQkqgjg1YWZfoutB

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/2008-7-0x0000000000400000-0x000000000046F000-memory.dmp	family_blackmoon
behavioral1/memory/2688-17-0x0000000000400000-0x000000000046F000-memory.dmp	family_blackmoon
behavioral1/memory/2688-21-0x0000000000400000-0x000000000046F000-memory.dmp	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2688	Syslemztpph.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	Syslemztpph.exe

Loads dropped DLL 2 IoCs

pid	Process
2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2008-0-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2008-7-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/files/0x000700000001752f-11.dat	upx
behavioral1/memory/2688-17-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2688-21-0x0000000000400000-0x000000000046F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe
2688	Syslemztpph.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2688	2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe	31
PID 2008 wrote to memory of 2688	2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe	31
PID 2008 wrote to memory of 2688	2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe	31
PID 2008 wrote to memory of 2688	2008	a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe	31

C:\Users\Admin\AppData\Local\Temp\a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe
"C:\Users\Admin\AppData\Local\Temp\a57d34dc6a58c9c775ae4b49a7b430bbbbd24096aec0155d6213cad85b1df917.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\Syslemztpph.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemztpph.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
cde383206f6ab85887644a64fa8596fe

SHA1
51fa328b7e7b023e51e3bbfa192e74dbccb2c43f

SHA256
79ff631d442a41106400498ce1722a8120597822cf8251e112361e85edac7a96

SHA512
bba42b3e665e6bda90ff8e8b97d2b8ffa3f1a60671ea1171d2932242131bca2f33e29298ce317b1935219aa1a9ba0eb1f44f80d951faf2e85d50da6ea4e2478d

Download Submit
\Users\Admin\AppData\Local\Temp\Syslemztpph.exe

Filesize
74KB

MD5
8b773067034cfb5353c89430e6a6d93b

SHA1
077cbd602c5d09cb5416818b61d9b9c4d6170a49

SHA256
a4c0943b5fb630e6d12fb3b70413e52d7d28c76b5c919c3c16b49e61d62d917e

SHA512
a70e036d667e63eba7b663aad1be9850cb14406bf4c7e229b627ac7f4417a256088945dbe0a15815bcefb77b9f7b4696a4fdb761196a8cb68d39aca7c8852159

Download Submit
memory/2008-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2008-7-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2008-16-0x0000000003150000-0x00000000031BF000-memory.dmp

Filesize
444KB

Download
memory/2688-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2688-21-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download