blackmoon | 3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9

Analysis

max time kernel
299s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe
Size

339KB
MD5

1707cfec198c538b9dbe83ca9d7e0604
SHA1

204e630e591578ee301704dca26f1d0e4ed6a558
SHA256

3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9
SHA512

97113d176fd589ee1927ce3a489ed7009a7da27110ad4d8e68f49180df699aa7d5ad62f285836090d2e6f163e09d712c031d91670e1d4f8f923335044d4bc73a
SSDEEP

6144:IXdaAfyvRwWoe2XlFSFb3bzpYpYFRQnyHWPBsxK:IXdaAqvRwWoe2XjSVvUYuyHWPBsxK

Score

10^/10

blackmoon qqpass banker discovery trojan

Malware Config

Extracted

Family

qqpass

http://cf.qq.com/act/a20141214luxury/?ADTAG=client.btn.detail

Attributes

url
http://i3.tietuku.com/801db876cdcaa96c.png
user_agent
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016c84-149.dat	family_blackmoon

QQpass
QQpass is a trojan written in C++..
trojan qqpass
Qqpass family
qqpass

Executes dropped EXE 1 IoCs

pid	Process
2052	Sysceamrajcl.exe

Loads dropped DLL 2 IoCs

pid	Process
2976	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe
2976	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamrajcl.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe
2052	Sysceamrajcl.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2052	2976	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe	31
PID 2976 wrote to memory of 2052	2976	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe	31
PID 2976 wrote to memory of 2052	2976	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe	31
PID 2976 wrote to memory of 2052	2976	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe	31

C:\Users\Admin\AppData\Local\Temp\3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe
"C:\Users\Admin\AppData\Local\Temp\3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\Sysceamrajcl.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamrajcl.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
748ac2950512e7a84706ead4ae3ca696

SHA1
721e46335a8612ef899a10a398f09832710914b6

SHA256
199b44a2d5a612c2eb543d4d781201fd3127af4418e308866e0803d9ba24262e

SHA512
79e3167a99a4f30935825c8cc06ce4782012cb551db16826df40ff7c1506b88b0133cdd3195755568dc78b19c345fc000ce27b240f68f641c9338abba2b9801f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
dee3b52e37da8d91dbd87b552263ce4a

SHA1
7b92d79052d127852947eb6d45a5744c74d465b4

SHA256
b1a4186d325a70198b7662eb18094bf097fc349ed2f3c9f9226f518c4d0b4acb

SHA512
420b058aaafedad2de52cc011c5554197aed6e1c911b20eb7a822badad06f606ee1e21071ffba41b1100c4516cec920330320fd45816d2cba1d7a6fda6a51eba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C1B8D87CA29E93F2FEEB2834BE22FBB2

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
0b95b952a05d86e5a1f0585a1a2a60a9

SHA1
d1968c30b48a03720924f4612de0b4cd80a4f1ea

SHA256
e9357a60f74068c7b8b6aa1f7dc2533e3a47603eee5d56d63d0802cfa9ba7bca

SHA512
42ef0f4418530eea0ca225491274559ecc90c5c8306555ff5c013162fee3965359bf9fbe14e27f1f1437b1f9e3dabb7e964066d8c5dd3b46779755bb3a09b9ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31709aa517026754c81a0bf963602598

SHA1
8f68dc93a66e748c228ca952fc5df23107b1e532

SHA256
a4aa96ce71e6b6c1e724519d3ff773388c98fa6cf877f2c0574b2db6535212c6

SHA512
aeb49ac354a21f8d07bd33d733eebbb8a1fae6c24d49fb9541b643870602b6e649a2b05acc924e2e9123f1e96a2a72107bf5071e6349a49fa0c09bd6c7c3b8fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
dc3d9c8b9c72a5eeac3cdd4097e0d037

SHA1
7e53b0ac02dfff7914fb52fd128c1f29de848f46

SHA256
ab5ed37d9d20477ce8b5f7659a487679ccc8214eee519faeb23a166fc5e74d6e

SHA512
651973d8410592f996a36b61d79317a96af0de4cd4b69e688da57799162527be4e601e730d0a6d28f767ae424196df00cbf61c7cc89b5409d41e54ff459c95b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C1B8D87CA29E93F2FEEB2834BE22FBB2

Filesize
250B

MD5
a346560bc0fa583381fa390fa102e399

SHA1
9fdffebe05e15cfcccffe1857a19828755ae8baa

SHA256
1ed1d8a8fd7b558a5fcb0d6414cf6eb5a82728b616b235f49554c2f4c6911ad5

SHA512
4d751e14c665ca5c92b96463ced0e82adec07b775f3913bd702018f08929fa277e6bd84461fe45949e1382d0d03711e3978232ce75f604a775435e08df440d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar90A3.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
e062d79ac58f08fe17dd10efc7a21fc6

SHA1
2beb2a131cb86b0bada38f993ddf2379c7ce2573

SHA256
2b93a0d80265a0b66f9dbc4d34916468cd326ccdd8ef243d9c132ae44f0dc288

SHA512
2220bd721348ed416699534560f415dc1805af40b9feabe54f07cfe365b54fdde41a7cecfdacc8713e64db0126b715d32ae61b32277b04c92801f55bf78278af

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamrajcl.exe

Filesize
339KB

MD5
4dc2034e009567cea2dc709d0b7ff9c1

SHA1
f46feb8f9de5492109c8c2e7eb4f27e51514fc27

SHA256
be9f71256a6e5aaf6cf3f0e430ddd93018d06900f12c176984676842d1bbd3a5

SHA512
ad2b134679bcdc064bdcee412a9f074e8d42f847765fe835ee39d9d277e654bcf81a5f3d4d51849205386669dd79ff908f3277de2a8770b5bcb4f09b950b5733

Download Submit