blackmoon | 213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa

Analysis

max time kernel
94s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa.exe
Size

1.6MB
MD5

856cd3c2647f6d44b6922faed39b7d85
SHA1

cf4b6fd39905230dc7a8dbc6f097f17ac04d7379
SHA256

213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa
SHA512

b5b81c9b3f82cc5512db8458792a8b112fb427efab4ea0c95ea84a4c51339efbfbed7796f746e187f26039698328a68bce76d44156daa4d530785ca433af2a53
SSDEEP

24576:OrtSzyNr05PcgOzXQleqH7jJ34vNkzU9DbdYrN/IyX5iICqBh3SWgSklWny5:OY60WXkTjF4veUUrN/IycI7BST1Wny5

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023bb1-2.dat	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
4032	XGKIU.ASS

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XGKIU.ASS

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.2345.com/?k744606640"	213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4032	XGKIU.ASS
4032	XGKIU.ASS

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3148	213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa.exe
Token: SeDebugPrivilege	4032	XGKIU.ASS

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3148	213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa.exe
3148	213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa.exe
4032	XGKIU.ASS
4032	XGKIU.ASS

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 4032	3148	213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa.exe	83
PID 3148 wrote to memory of 4032	3148	213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa.exe	83
PID 3148 wrote to memory of 4032	3148	213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa.exe	83

C:\Users\Admin\AppData\Local\Temp\213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa.exe
"C:\Users\Admin\AppData\Local\Temp\213f5dae4243fc5b09381cc91b9f99403422b9e73d92a4f59c14d0cdc2d807fa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\XGKIU.ASS
  "C:\Users\Admin\AppData\Local\Temp\XGKIU.ASS"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XGKIU.ASS

Filesize
1.6MB

MD5
9c94668fbf793aa3b4068795d28f3875

SHA1
84c96b427c996e4da79cb20ca3d5d9c59f5c6b32

SHA256
749767b9c7e516e623f340200b75c814a9caf521127b7d31f06298749c075c2b

SHA512
32584eb53ae20fc3bd8549dec8a1b94a3442d0c805884c3d780d20f212e6cfea1880cfc01d4e599d9422d71982b7d6c9dcd5d758a5fb93d7f72570c178214f97

Download Submit