blackmoon | 086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f

Analysis

max time kernel
299s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
Size

339KB
MD5

455dfbcee6b052278a1cee6adfef61e8
SHA1

2f5b1e2c82b333873e827bb2c0bd985cd89667ad
SHA256

086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f
SHA512

631c326eaafe0d4dfd7453dde3192f6048c0f6fa8650569b7c5ea89b3b67cfe642a84787ce28a9f0d2ad587f069308c937c56ce37fe292899227c51f54e11eef
SSDEEP

6144:IXdaAfyvRwWoe2XlFSFb3bzpYpYFRQnyHWPBsxm:IXdaAqvRwWoe2XjSVvUYuyHWPBsxm

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00060000000173fc-150.dat	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
544	Sysceamwvpei.exe

Loads dropped DLL 2 IoCs

pid	Process
2256	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
2256	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamwvpei.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe
544	Sysceamwvpei.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 544	2256	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe	32
PID 2256 wrote to memory of 544	2256	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe	32
PID 2256 wrote to memory of 544	2256	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe	32
PID 2256 wrote to memory of 544	2256	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe	32

C:\Users\Admin\AppData\Local\Temp\086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
"C:\Users\Admin\AppData\Local\Temp\086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\Sysceamwvpei.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamwvpei.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
bb5a3d1f620b167b73988f61f4ca4ad6

SHA1
97a5f741bc3596103235b855fe73e8cc54c50c0f

SHA256
f6216345521480bac9883bd26537408535ba0f294a5e95910d7fbd9cd4ee1924

SHA512
fe5b5edd98db92897880fb31638b5a44e73f9877e2a519c205297ef1c7d3330cde5047a5312fa977477a1e3aa99b60eae275a0eddc2a16c558285aab93eceffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
08ae0da9a482c80f4e6601882693bdf3

SHA1
7c5f1d8ccf982d47bcc958ad74a5a220f356afb8

SHA256
a58a60103a77fec29c456cb8acbc8fb32d4c57044395f1aaaaf55ee53463b19b

SHA512
9e35a99fef4531043bfcd14c74e530a97f7120e26902fe2d75808b64a3e1582e0ca418f0aa734c61b4690a884a803f717d3ce9f953c25b7c4016f8f081ff2048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C1B8D87CA29E93F2FEEB2834BE22FBB2

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
bb7f5e4c7ce05dd3b81708a6fd4d09a4

SHA1
2388353950e4bf76c80ffaf4107e7dfc895aafce

SHA256
1497aea7a55f66717c4177b0ba10a457fab079d14600ad381be39f14c5d2458e

SHA512
80341936c0230c26285fc4d1576642ff053541839261abf5c9ceb0247441acc9371a079c17b576ddb9f27242e11d70403d070b5d55df3a3a68f52f2833c38179

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7df1a820bb9ffef215bcf149d2be2e79

SHA1
fa3bcf880f5a1e6b4380e1b27391cbdd7bfe5832

SHA256
1bad8f349fee8d4c8f25be64b56995185f2519c477e46325496d4fecec1c7108

SHA512
8ef9328aed597e5fe96ed8e0c11a7f8176249a03840381b365252f3d38fff139da86be5e6d6922588d9a257d9ab1b471cc0119ac47c9803d10a610bccde4dfe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
a20dc70a06fb4fc90b21a7efd4029014

SHA1
6d8f14243bb5b3dd8f720589280ad80294d049dd

SHA256
a696d4e54f06e82499eacfbd9633a9e1449d3377ac1efd26d208b27ff2247355

SHA512
b9899e3ad1a7cc47c0aa6dfb568a070d3a46eb790587ca2f313b4b07e4f6d14959bd7afc91bfa618307a0dda097afb984d0861de69f0275827c026abcd67a1de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C1B8D87CA29E93F2FEEB2834BE22FBB2

Filesize
250B

MD5
e9e9bab907d3b71f5d9aa57f69bcd12e

SHA1
e2cbaf6a547815832a47bb65179fb4b7aa7072fc

SHA256
d819e99e3986c53b2cc90012553a9a637907464821ff9635b33bc25e2f7c0ded

SHA512
35ab155a0a5477773d0fcada79788cba6349849d56b388717d63eaa98f661813882eaa1fa0097b7a9e9fe077c626d15c3d4499d9ac145b6d9667cca2e942fb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamwvpei.exe

Filesize
339KB

MD5
63023c4c667a2b5e8a34c60aa8505fce

SHA1
92ff4b7bd53518a02e8cfab2a2604f5bbab3f417

SHA256
11e7231dfabbf340350f4126bc595142bdc5792e64c3f089e02a1663709417fe

SHA512
aecc43378e7bac13f8e9079a701e9b0c00281ccee6cd5683f8a2a9fb06a29ccefda3144721c90416ee70208816197bc2dfcaf13a422c368e5f949ab254a6275a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC1A1.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
af9f1250a66b71dc8a5fee6796d618de

SHA1
b93d6f1d1dfc6d9dcc683e9f0b61f87c48ea18e9

SHA256
29e78c3feb8a94240ea50ef55b8c99c717420896771bb6434f9fe46f6d49d4a5

SHA512
638a08bfe46b544b6fda98318112b2b60728a6d3efac39656be841bf5a95952d6797d5caa60f7a896796748d7d963012b44c142aae85fc0755617b9d8cb20d36

Download Submit