blackmoon | 3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9

Analysis

max time kernel
299s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2025, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe
Size

339KB
MD5

1707cfec198c538b9dbe83ca9d7e0604
SHA1

204e630e591578ee301704dca26f1d0e4ed6a558
SHA256

3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9
SHA512

97113d176fd589ee1927ce3a489ed7009a7da27110ad4d8e68f49180df699aa7d5ad62f285836090d2e6f163e09d712c031d91670e1d4f8f923335044d4bc73a
SSDEEP

6144:IXdaAfyvRwWoe2XlFSFb3bzpYpYFRQnyHWPBsxK:IXdaAqvRwWoe2XjSVvUYuyHWPBsxK

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000024222-27.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe

Executes dropped EXE 1 IoCs

pid	Process
4976	Sysceammynyz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceammynyz.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe
4976	Sysceammynyz.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4976	2924	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe	88
PID 2924 wrote to memory of 4976	2924	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe	88
PID 2924 wrote to memory of 4976	2924	3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe	88

C:\Users\Admin\AppData\Local\Temp\3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe
"C:\Users\Admin\AppData\Local\Temp\3b3d515ed1ef90b0631205d6f94facf5bd3b65e0db214c28dfd96cef8d07e7e9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\Sysceammynyz.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceammynyz.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
748ac2950512e7a84706ead4ae3ca696

SHA1
721e46335a8612ef899a10a398f09832710914b6

SHA256
199b44a2d5a612c2eb543d4d781201fd3127af4418e308866e0803d9ba24262e

SHA512
79e3167a99a4f30935825c8cc06ce4782012cb551db16826df40ff7c1506b88b0133cdd3195755568dc78b19c345fc000ce27b240f68f641c9338abba2b9801f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5F263F63198568CED7739E17893D8775_CF1B4004AECEBF2DA58DF22FDCAD263F

Filesize
471B

MD5
953ae899d5687a9cb61c8b825601a03d

SHA1
40fec0f63286feb4b7ab9feb88607024591b06ed

SHA256
f1169cccbdce28cdf2cc7cec47e75a3f4fd9addfdcefb963e2ffdca75af5f69e

SHA512
d5b0161b9413cf9e98deb3a5bbfaab207efb31990692f4dcf3374bd1d17393cd4a2d761dc3dbaadedd689f0a23910ff431712ebe9533943a5f746649a2b70e05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A406A0C16078CBE0C5819DA376FB1D88_62573A0254D54D5CD82EB4B17EEF9776

Filesize
727B

MD5
3ac89ccb8fec499cfe37b87a91390e3e

SHA1
9bffbb44a7698a15e3344e7105b09a965ce66aed

SHA256
860972cfe22375342d4db21a4a684f9e528e96dec6f96a313092c27e361dfd65

SHA512
12be431a1c3323b52a940bbf9b70dd9ffdab39bc0b31596dbe68aac59dad9107ada75c851f9e86c64e25e9ac88bfed72a3c76d6f57ca4ce6ebe39150e6c5455c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
dee3b52e37da8d91dbd87b552263ce4a

SHA1
7b92d79052d127852947eb6d45a5744c74d465b4

SHA256
b1a4186d325a70198b7662eb18094bf097fc349ed2f3c9f9226f518c4d0b4acb

SHA512
420b058aaafedad2de52cc011c5554197aed6e1c911b20eb7a822badad06f606ee1e21071ffba41b1100c4516cec920330320fd45816d2cba1d7a6fda6a51eba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
7c1fa34e8a6ea3f94443ea7bef7e81ca

SHA1
c29ebd053ef517902b2bfb3a6b4cedec62e3d88f

SHA256
c1679e100a149f22f0ecdf85a630b2f303fc2e564409d8a2ddee16f1211d0716

SHA512
fa091dc453d2b9ebc26355faeacefa231d644e94834ebede0317c76cdec1c6180f93ad1646b89d52d1bedc1bd0d858e08fc48262e48466fd48df80deca692eeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5F263F63198568CED7739E17893D8775_CF1B4004AECEBF2DA58DF22FDCAD263F

Filesize
414B

MD5
9c10114dece39389f30c837c760b60d5

SHA1
b5c3e0b292eb961b54a0371a7397d1410f0c1f42

SHA256
c6f5f7c39651620469d1913b5e19c578b8ae6a7abb2e4d591624596c26c74616

SHA512
0f6890cded32d559b9dfcf59800f3ab1491d82ebd810e9c50df1c153ff7e491102cd5dea5240b1d446a40c0bbc22874576e7071fc7397a7394a8014d57539b48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A406A0C16078CBE0C5819DA376FB1D88_62573A0254D54D5CD82EB4B17EEF9776

Filesize
406B

MD5
b4e660446ac989d113decc6a8140c077

SHA1
b62d4dfbf60111fd894222e039bffa8eda3b851a

SHA256
c11cd99ed2a99f9a89e3b2c38cf538afa834d0ed0870f8d66340b8198f259a6e

SHA512
41e7aecc0dd02151b1aa84120b206ad18c56e356a62b6ef9081865e9a1cf5f96c1269c474422b1722e0b1c71ad97db014417fd2ff4f6a819fb1457a51ce24b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
394cf1824a6b1e3cc2f876590406a382

SHA1
2f64837d0381b3b46f55e6e2104fddbf9a5f02a0

SHA256
6bd321c48df009dbae5a029a4996bf303465d2869a3739ef584efb553adec6f1

SHA512
0175db5e3039c13b373b5b529b09f767560b00dc0b169f825eab2554cd79a9d42537097c1e3dedf92366a59ba7082d55653ecdafd94fa93b25d1445c57d7e76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceammynyz.exe

Filesize
339KB

MD5
5f5e83a7e38f71b8dd1805137bfe118c

SHA1
70d793b93e1d3841794ec8f6d7358b8e68fc37be

SHA256
8eef1b15bd0d215cc773ae8bb592f9809dcb0c3c3e4f66f64b20ce3a124842ea

SHA512
52ac0b5e792ee17f514c0dafe39455eac885a6ceb5f8fd1e08f20499da5f5ed9d4f5b9d8caf811ed59103583d5d57eb96e029f2cb0cbdc85bd602763c9b67f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
e062d79ac58f08fe17dd10efc7a21fc6

SHA1
2beb2a131cb86b0bada38f993ddf2379c7ce2573

SHA256
2b93a0d80265a0b66f9dbc4d34916468cd326ccdd8ef243d9c132ae44f0dc288

SHA512
2220bd721348ed416699534560f415dc1805af40b9feabe54f07cfe365b54fdde41a7cecfdacc8713e64db0126b715d32ae61b32277b04c92801f55bf78278af

Download Submit