blackmoon | 91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da

Analysis

max time kernel
299s
max time network
132s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
Size

452KB
MD5

e85a0049754f3d3d6bf2d0b1edeb7664
SHA1

d4954846dfa14ed0ebe9ce48ac2043ca99d765d8
SHA256

91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da
SHA512

ff2885cf2d0e8c99e40b745106eabaeda6ee36c06b404cb2c575b98ef87d75d8774fa33bfd5ff4d19c54bfd2a8dc57906b9a53135f0d0b4b952c36539687d409
SSDEEP

6144:/vPBvEQR6H3Udg2FuHRfepwqHpA7b2+yO2COKCZL:/vpv/R6H3U25fehHpAW+yOBOKCZL

Score

10^/10

blackmoon qqpass banker discovery trojan upx

Malware Config

Extracted

Family

qqpass

Attributes

user_agent
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/memory/3020-0-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral1/memory/3020-11-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral1/files/0x0007000000016c7b-20.dat	family_blackmoon
behavioral1/memory/2796-22-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral1/memory/2796-146-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon

QQpass
QQpass is a trojan written in C++..
trojan qqpass
Qqpass family
qqpass

Executes dropped EXE 1 IoCs

pid	Process
2796	elxplorernvnys.exe

Loads dropped DLL 2 IoCs

pid	Process
3020	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
3020	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3020-0-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/3020-11-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/files/0x0007000000016c7b-20.dat	upx
behavioral1/memory/2796-22-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2796-146-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elxplorernvnys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
3020	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
3020	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe
2796	elxplorernvnys.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2796	3020	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe	31
PID 3020 wrote to memory of 2796	3020	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe	31
PID 3020 wrote to memory of 2796	3020	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe	31
PID 3020 wrote to memory of 2796	3020	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe	31

C:\Users\Admin\AppData\Local\Temp\91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
"C:\Users\Admin\AppData\Local\Temp\91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\elxplorernvnys.exe
  "C:\Users\Admin\AppData\Local\Temp\elxplorernvnys.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCD26.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\elxplorernvnys.exe

Filesize
452KB

MD5
f80b7768f7bedc50206743482ab0d6a5

SHA1
84e6bb327c631292734956134182afc9dd16227f

SHA256
ce703f1f19be982d2d5ddd4228d85ec12442ed1a09b6b9ec721cfb362f72e6a2

SHA512
e9218d788300554fb63529de6bb984006c67615dfda317ef4b38883aebcefbcddeecdf1af58ae07644a2b22bb1c334369d72ff80e5cdfd28eda5da84c77d0a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
4171c9de755988cc7c3c9ca86b9f7b70

SHA1
daf87352c4385f638feaa213d093992ec2d3f635

SHA256
fbc0b2eedd30dee9f29a8a143d69105dba5c883795a9f7129a73acba395ac5d0

SHA512
a89185d635d3c7eddfb1e8fd909188708c8393b71557ed569701f3f859482c07845d2249d68dfa346ba3ebb4345e4b522fe7efb6442ae7fb87f15fb085ef7856

Download Submit
memory/2796-22-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2796-146-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3020-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3020-11-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3020-21-0x00000000037D0000-0x0000000003843000-memory.dmp

Filesize
460KB

Download