blackmoon | 086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f

Analysis

max time kernel
299s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2025, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
Size

339KB
MD5

455dfbcee6b052278a1cee6adfef61e8
SHA1

2f5b1e2c82b333873e827bb2c0bd985cd89667ad
SHA256

086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f
SHA512

631c326eaafe0d4dfd7453dde3192f6048c0f6fa8650569b7c5ea89b3b67cfe642a84787ce28a9f0d2ad587f069308c937c56ce37fe292899227c51f54e11eef
SSDEEP

6144:IXdaAfyvRwWoe2XlFSFb3bzpYpYFRQnyHWPBsxm:IXdaAqvRwWoe2XjSVvUYuyHWPBsxm

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000024247-27.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe

Executes dropped EXE 1 IoCs

pid	Process
4892	Sysceamtmczr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamtmczr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe
4892	Sysceamtmczr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 4892	4612	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe	88
PID 4612 wrote to memory of 4892	4612	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe	88
PID 4612 wrote to memory of 4892	4612	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe	88

C:\Users\Admin\AppData\Local\Temp\086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
"C:\Users\Admin\AppData\Local\Temp\086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\Sysceamtmczr.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamtmczr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
bb5a3d1f620b167b73988f61f4ca4ad6

SHA1
97a5f741bc3596103235b855fe73e8cc54c50c0f

SHA256
f6216345521480bac9883bd26537408535ba0f294a5e95910d7fbd9cd4ee1924

SHA512
fe5b5edd98db92897880fb31638b5a44e73f9877e2a519c205297ef1c7d3330cde5047a5312fa977477a1e3aa99b60eae275a0eddc2a16c558285aab93eceffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5F263F63198568CED7739E17893D8775_CF1B4004AECEBF2DA58DF22FDCAD263F

Filesize
471B

MD5
a22a8b0d6d02393da0bd9d7b66c330f0

SHA1
691721a8d53bda3f880ffa5d2af70f1e8031a3ca

SHA256
839ed5c644c6410385fb0f8be1cf96fef21666df7fddd49f6048c53c89863721

SHA512
453b8dc69a9408b194b4cdad20cb4aaa2625ff29cf8cfc9623f9cc889b29f1754b12f4e406a5e15602c01e5da14d006bbd124271412c8e8b8fa00cef5c75f5a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A406A0C16078CBE0C5819DA376FB1D88_62573A0254D54D5CD82EB4B17EEF9776

Filesize
727B

MD5
59b1bc7b4764661c3b691708e6bfc0a0

SHA1
9b776abd98a05522a172b1df5c5ff6f39effeef7

SHA256
c60b22584505c7bf04584936d6774f73451d6a7a10f77696e39f7dd768cafd45

SHA512
a29e9c33469bdadf6ede1ffdee52a2a8b09ce1d504f57d27b4745d8d509908f7572fc1c026fc2b5f18ed1d8fab7ae1a2f2216ee01a43154b3f12aec8db809221

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
08ae0da9a482c80f4e6601882693bdf3

SHA1
7c5f1d8ccf982d47bcc958ad74a5a220f356afb8

SHA256
a58a60103a77fec29c456cb8acbc8fb32d4c57044395f1aaaaf55ee53463b19b

SHA512
9e35a99fef4531043bfcd14c74e530a97f7120e26902fe2d75808b64a3e1582e0ca418f0aa734c61b4690a884a803f717d3ce9f953c25b7c4016f8f081ff2048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
e13c4ab639690cf966560eeb6e2fa64b

SHA1
7baef2200af0dc5398f39205fc578a5d1e381cb3

SHA256
8e092af1420f2852c8bba45925d2714eb942054b79cc044e2ab659f40ad69671

SHA512
753bb46619ce02913e3708e7b1a7015e9973cc092348b3583307cc9584d2a0d7057949b48f46e13fa337d137e442cce671fa2069dc0fe6eedf3fc47fe45eff6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5F263F63198568CED7739E17893D8775_CF1B4004AECEBF2DA58DF22FDCAD263F

Filesize
414B

MD5
fd1b6a6675e6a4e6de4885f9c1c9e860

SHA1
30307d638c605cc78dccc96e1999795372132da7

SHA256
23698c8ab97c986b79617fd46bf9b02c1484f8154b97b95e20c6e27fec711610

SHA512
4d284e9c13a3f77f3ae5bcc8bf1e8c2b1059d026d4338a1aa5316e8058dc020d6f602eeb3db136c37cc22de33e510af544d36654c33ef9ac04bae317ec51b137

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A406A0C16078CBE0C5819DA376FB1D88_62573A0254D54D5CD82EB4B17EEF9776

Filesize
406B

MD5
7d5aaa16471666199ee3be05d5ef8d53

SHA1
52ddc0c8be9737d0a7a9ab307f395e3edc499fb3

SHA256
6c2c416aef9353f2142c46241edbf747c117a053d29ed8502724c1685d7564b0

SHA512
ecc229b4bff14e0b37de87370cc86cdab6334b3e011947fd22537473bd868131e4e119c7da0c2ed64df20f812610ad6642cde6183b45ba9c46ca6e71e9a14703

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
9cf1202c5136d153def8fa1d07db679d

SHA1
7af2f8b02a99cd53396148704e70b630b18c9dcb

SHA256
8cd6742c769a7b430df8d1bd3e79ddc3413e7807fb0b8f392de971a830fc2a94

SHA512
35f5d733c0a401ab3259c027404b154ed8a7b78ac6a4070d3e44e9f04d94062e37623867073c8554235ab40fc9ee38a134fc0cd029d74c917aa30bbb6a4bdc1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamtmczr.exe

Filesize
339KB

MD5
79e39226d9d6c02d2345d291ff183449

SHA1
5e7581bd3d1300932f3c5abd36fd868187d3d3e3

SHA256
08d8176a737ab125e17753db24b6cf31da7f745f6353d8d20762336b1fae63d7

SHA512
e23f03dca116c8c00e3153b4fd005f78f9c340322400b8b050e7f327f899484e229198b5187fe549cccf2d2bec899325fcb4807ddac6a325668af32b870096f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
af9f1250a66b71dc8a5fee6796d618de

SHA1
b93d6f1d1dfc6d9dcc683e9f0b61f87c48ea18e9

SHA256
29e78c3feb8a94240ea50ef55b8c99c717420896771bb6434f9fe46f6d49d4a5

SHA512
638a08bfe46b544b6fda98318112b2b60728a6d3efac39656be841bf5a95952d6797d5caa60f7a896796748d7d963012b44c142aae85fc0755617b9d8cb20d36

Download Submit