blackmoon | 1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8

Analysis

max time kernel
298s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2025, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
Size

436KB
MD5

b2f6b9e3c10c59c3f0979f4c9b67c8ec
SHA1

ae228cc40ec62a7a83fd4a5426462069e1bc40cf
SHA256

1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8
SHA512

a8ce45f33739726f25170d05fade6ecbcae9ecb13c4e4203b3fc75ad6c1cfedda812b90ddd1508b77b00618256f0e607eb91d4d11c32340e6dc545aed0a83852
SSDEEP

3072:q0mx45LFnq9qDAuSbAXVkQUQ9oPfz0c0uxNUIqTkHoYCDfxj4/0/yjUuMx8kl:q0m2FqgDAuSbAXKfz0c0sUIJHk40/yWp

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000240cc-8.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe

Deletes itself 1 IoCs

pid	Process
2980	Syslemeqgqc.exe

Executes dropped EXE 1 IoCs

pid	Process
2980	Syslemeqgqc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Syslemeqgqc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe
2980	Syslemeqgqc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2980	4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe	88
PID 4848 wrote to memory of 2980	4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe	88
PID 4848 wrote to memory of 2980	4848	1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe	88

C:\Users\Admin\AppData\Local\Temp\1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
"C:\Users\Admin\AppData\Local\Temp\1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\Syslemeqgqc.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemeqgqc.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Syslemeqgqc.exe

Filesize
436KB

MD5
b8425e4c2fab7b3eb34d7dace97e7c64

SHA1
8dd3f3921d9ebca4f75fec3253b0f2ee444042ca

SHA256
55f1e37ae6c361025a828662263b958fb087f95cd2210b9bb64ded4311e60d1f

SHA512
2b0cf241bc5667e4f739564662d16432c4a44ad0ff755b31d17adc9cb1fcd313b9c55be721a0a41e3b2b0b245476fe7f58373708bf1b704e2a85fc31a679b984

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
cce0d6b6190cf17c199f4ddef9e1afb9

SHA1
7d1273eea354687bfeff833aea8b4f8857edaa15

SHA256
b093cf107c6f45018213fa6b684c3a70cdc3b1c74ba9eea1d5d53549ae7efd77

SHA512
d0d5cead8834e418ccc787ea74a7e80ec2328d630996b561617534a47c48d3c5ce780f137ee9879b766a8ba3323e6fea4769760fd1458f3f652cb9eef56b5436

Download Submit