blackmoon | 699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee

Analysis

max time kernel
300s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2025, 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe
Size

338KB
MD5

f27c460214d36b81e3ced4e57f5cb5a9
SHA1

6e681c3574c2ea438950f623e7dbe0682c91ce8f
SHA256

699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee
SHA512

a2683741dc79b198134f5c4985e48470a343039fe96c9483aca3c2f5e9e78cb52fb477b2d18e4229595b0ebae93f0454f248f95c04ac8fee8c2b4f53df78d960
SSDEEP

6144:b5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zkXudeh:b5/Q58drihGiLhmGNiZsx0B/zkXoeh

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000242d2-25.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe

Executes dropped EXE 1 IoCs

pid	Process
4584	Sysceamtcxmj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamtcxmj.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe
4584	Sysceamtcxmj.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 4584	3360	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe	88
PID 3360 wrote to memory of 4584	3360	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe	88
PID 3360 wrote to memory of 4584	3360	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe	88

C:\Users\Admin\AppData\Local\Temp\699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe
"C:\Users\Admin\AppData\Local\Temp\699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Users\Admin\AppData\Local\Temp\Sysceamtcxmj.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamtcxmj.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
748ac2950512e7a84706ead4ae3ca696

SHA1
721e46335a8612ef899a10a398f09832710914b6

SHA256
199b44a2d5a612c2eb543d4d781201fd3127af4418e308866e0803d9ba24262e

SHA512
79e3167a99a4f30935825c8cc06ce4782012cb551db16826df40ff7c1506b88b0133cdd3195755568dc78b19c345fc000ce27b240f68f641c9338abba2b9801f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5F263F63198568CED7739E17893D8775_CF1B4004AECEBF2DA58DF22FDCAD263F

Filesize
471B

MD5
953ae899d5687a9cb61c8b825601a03d

SHA1
40fec0f63286feb4b7ab9feb88607024591b06ed

SHA256
f1169cccbdce28cdf2cc7cec47e75a3f4fd9addfdcefb963e2ffdca75af5f69e

SHA512
d5b0161b9413cf9e98deb3a5bbfaab207efb31990692f4dcf3374bd1d17393cd4a2d761dc3dbaadedd689f0a23910ff431712ebe9533943a5f746649a2b70e05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A406A0C16078CBE0C5819DA376FB1D88_62573A0254D54D5CD82EB4B17EEF9776

Filesize
727B

MD5
3ac89ccb8fec499cfe37b87a91390e3e

SHA1
9bffbb44a7698a15e3344e7105b09a965ce66aed

SHA256
860972cfe22375342d4db21a4a684f9e528e96dec6f96a313092c27e361dfd65

SHA512
12be431a1c3323b52a940bbf9b70dd9ffdab39bc0b31596dbe68aac59dad9107ada75c851f9e86c64e25e9ac88bfed72a3c76d6f57ca4ce6ebe39150e6c5455c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
08ae0da9a482c80f4e6601882693bdf3

SHA1
7c5f1d8ccf982d47bcc958ad74a5a220f356afb8

SHA256
a58a60103a77fec29c456cb8acbc8fb32d4c57044395f1aaaaf55ee53463b19b

SHA512
9e35a99fef4531043bfcd14c74e530a97f7120e26902fe2d75808b64a3e1582e0ca418f0aa734c61b4690a884a803f717d3ce9f953c25b7c4016f8f081ff2048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
ce3f3ff8829493c3af4fd38e41236e58

SHA1
878859db90ebfd7ef981fe07318de40683d3c038

SHA256
7a6215cd78d5f4a30e59ca5751f575da624e3ed5d2bbb8cc7bfc45c850aa49b3

SHA512
60c5ff308e3bc0569e4959d2b68a960059dafff211a5b4df720644ebb0466170bc2452c1e101850238dcb3df62a29bd1c5636b3be3a7b3ee262cee5eeb3c380a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5F263F63198568CED7739E17893D8775_CF1B4004AECEBF2DA58DF22FDCAD263F

Filesize
414B

MD5
a666a6216cc6ee10af7207391df50a4f

SHA1
142232b406e1e27d73d39fad683a2e79f3754c29

SHA256
547087115e77dfaa917909ffd028eab428ee96a8dbe7b7aec0de0df9e1b17413

SHA512
3b111cb1c17cc124b505d77194078be49f4fd681cb9b27ff9b321c889bf9664ca0b7fe8c0a9dbbd84fede2efa383792dece80f1e0f3685227652560d399f4b5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A406A0C16078CBE0C5819DA376FB1D88_62573A0254D54D5CD82EB4B17EEF9776

Filesize
406B

MD5
505e995c61ced3df615fbd4f8a9299ef

SHA1
5041f665babebb9184bf688013eb729373968d3a

SHA256
b8c1f573eb0acbd6ddb27ffb7ee76cd55fdf36aff1682d333bf6bb11183e303c

SHA512
29573e093a5d789c6563d97878177bed01c8a90f1cf4e39527c28ca7af1f28abecf21c21d416a3f47e3f620a5ba3f2601f576839dd63b72c5868796aa0ae5130

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
b42f11780e861b810b06e9aaea5c3d11

SHA1
0d12afb5b79ee7c1bfb6619236e27d1297aec67a

SHA256
ab6157d1a91038cfe887c0a202fc3debc565b2418d62fe045537590bf3e0d209

SHA512
87323f8eb57a50ccc87a6c180706cba9a223ff71619ee37627391616d5f68b03cd6a3cc34f88ad15f2c59aee4944214095f827e51439d56c898bebb993b007c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamtcxmj.exe

Filesize
338KB

MD5
ebc2bef74b099f2b4cef0140b66654ca

SHA1
874d3f29826ffe9326798d3b6558b4b44b6226f5

SHA256
a65141c91aef5e92241aff96e0579b08538600871e49bbe90f5e88f99d17daba

SHA512
f4e79460b6ddeaa848b8be2d20bc14ecf837f53da635b995403165e4b0013fd9b237a435cea0a72e95a0167f2aa9eb1a5c8507fb4052cc5b062fd58946a98713

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
ed65912190c1ebfa6363aff27c3a33e4

SHA1
e59a08ef137248ed064308859b7193feb6e63903

SHA256
a18363fd7965314f5e69bbd9602e4cd5b21e14fea8ccb7ec3837ae08f0c405ab

SHA512
53cb0999146cdbf98ace02c9ea12957b7338b26e390453d7d56af05745c7bbf0a288f9288ce7bba9c06970ce1fb0cacd4fc58226e2430cf5022e4cb9d9395cf9

Download Submit