blackmoon | 086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f

Analysis

max time kernel
299s
max time network
163s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
Size

339KB
MD5

455dfbcee6b052278a1cee6adfef61e8
SHA1

2f5b1e2c82b333873e827bb2c0bd985cd89667ad
SHA256

086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f
SHA512

631c326eaafe0d4dfd7453dde3192f6048c0f6fa8650569b7c5ea89b3b67cfe642a84787ce28a9f0d2ad587f069308c937c56ce37fe292899227c51f54e11eef
SSDEEP

6144:IXdaAfyvRwWoe2XlFSFb3bzpYpYFRQnyHWPBsxm:IXdaAqvRwWoe2XjSVvUYuyHWPBsxm

Score

10^/10

blackmoon qqpass banker discovery trojan

Malware Config

Extracted

Family

qqpass

http://cf.qq.com/act/a20141214luxury/?ADTAG=client.btn.detail

Attributes

url
http://i3.tietuku.com/801db876cdcaa96c.png
user_agent
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001949d-149.dat	family_blackmoon

QQpass
QQpass is a trojan written in C++..
trojan qqpass
Qqpass family
qqpass

Executes dropped EXE 1 IoCs

pid	Process
3064	Sysceamwxoui.exe

Loads dropped DLL 2 IoCs

pid	Process
824	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
824	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamwxoui.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe
3064	Sysceamwxoui.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 3064	824	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe	32
PID 824 wrote to memory of 3064	824	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe	32
PID 824 wrote to memory of 3064	824	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe	32
PID 824 wrote to memory of 3064	824	086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe	32

C:\Users\Admin\AppData\Local\Temp\086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe
"C:\Users\Admin\AppData\Local\Temp\086c3549f8a32a546814806081f870920dada88365fae110d1c821cb37de3b4f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\Sysceamwxoui.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamwxoui.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
748ac2950512e7a84706ead4ae3ca696

SHA1
721e46335a8612ef899a10a398f09832710914b6

SHA256
199b44a2d5a612c2eb543d4d781201fd3127af4418e308866e0803d9ba24262e

SHA512
79e3167a99a4f30935825c8cc06ce4782012cb551db16826df40ff7c1506b88b0133cdd3195755568dc78b19c345fc000ce27b240f68f641c9338abba2b9801f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
dee3b52e37da8d91dbd87b552263ce4a

SHA1
7b92d79052d127852947eb6d45a5744c74d465b4

SHA256
b1a4186d325a70198b7662eb18094bf097fc349ed2f3c9f9226f518c4d0b4acb

SHA512
420b058aaafedad2de52cc011c5554197aed6e1c911b20eb7a822badad06f606ee1e21071ffba41b1100c4516cec920330320fd45816d2cba1d7a6fda6a51eba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C1B8D87CA29E93F2FEEB2834BE22FBB2

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
9faab6905c9298f74dc88448b306d19e

SHA1
69f107cf38c6ee3b4e635aa56d474c16c5d40229

SHA256
0ececd53c12406dba58a37c93aed300f363ba9dea40787a5274ba96576f07281

SHA512
c80577aea511ecb171099a6080ef0d9646c33f9f806e0b4405329a806a4a751a2052be4a104ac0b2bd3005ba7cbf8f01c129213c9dc604272fd1b18697cca06e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0a866a94816db9f0ac484216eb1391a

SHA1
a53a1a259210f5cbdef3133045e81db3a426e9c4

SHA256
b89c51e343b20966724350587fde300db03c223f629a4cd0c805d9f9fedc27ca

SHA512
648b012b58ea0110625083f1743d1f618a37bc1bbd59e018d29eee9d9f32e3c4cc933fbd82fadee7b352cff263ec6d2e74b666e33f84411461881ed21a9d7fa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
8e0ce275368a49875bf4cd2ad723912e

SHA1
f5f635e2eca79915187ed92014264bde687c15af

SHA256
a7564d38e44930c685c4b922dd1862c24add09c93207fbac91c5fe0b8faf54d1

SHA512
cb3c1c9af0caccc3d597f58124c110525480b7ba573df600c7500f23fdea30d26bfb6e852ebe88839f5f4924737aa0b56bfa2970a287c85aa51c9fce127c791e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C1B8D87CA29E93F2FEEB2834BE22FBB2

Filesize
250B

MD5
b283c40f29631b1c960ee58afe6f5a37

SHA1
da64ec411e6c9a55fff5c8ecf07e65c7aae90b47

SHA256
03f737877f2302d2289d6bbc1509647610a9a8cff0dadafb1f02ad6097182ed8

SHA512
97ba2db890e24e9b2784aaaeb8358b233e529ef97d7b14cb1c35d78bd143cd152948e2e5ea79e97ceaa6c04c25a07ae1e265932528fe52573b10119a86bd93bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC8F1.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
af9f1250a66b71dc8a5fee6796d618de

SHA1
b93d6f1d1dfc6d9dcc683e9f0b61f87c48ea18e9

SHA256
29e78c3feb8a94240ea50ef55b8c99c717420896771bb6434f9fe46f6d49d4a5

SHA512
638a08bfe46b544b6fda98318112b2b60728a6d3efac39656be841bf5a95952d6797d5caa60f7a896796748d7d963012b44c142aae85fc0755617b9d8cb20d36

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamwxoui.exe

Filesize
339KB

MD5
63dba8e6eb7870f50ca50942744f1e3d

SHA1
149197d0adbcb257b740dc436a65bea21158b347

SHA256
ccbfe4df89800e10fa63336d754852128336a520f39b6a6ee424c1fa1f7036f0

SHA512
943e29f798bf1bcb986f5cf8cd5c8bd919bcb7e9c4f02ab2c500f5a3cc6c49cb21421b07cb1bff3fd2f005da6f0bd81100b56d070d4cb80d99551bd53ff3cc2e

Download Submit