blackmoon | 91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da

Analysis

max time kernel
300s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
Size

452KB
MD5

e85a0049754f3d3d6bf2d0b1edeb7664
SHA1

d4954846dfa14ed0ebe9ce48ac2043ca99d765d8
SHA256

91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da
SHA512

ff2885cf2d0e8c99e40b745106eabaeda6ee36c06b404cb2c575b98ef87d75d8774fa33bfd5ff4d19c54bfd2a8dc57906b9a53135f0d0b4b952c36539687d409
SSDEEP

6144:/vPBvEQR6H3Udg2FuHRfepwqHpA7b2+yO2COKCZL:/vpv/R6H3U25fehHpAW+yOBOKCZL

Score

10^/10

blackmoon qqpass banker discovery trojan upx

Malware Config

Extracted

Family

qqpass

Attributes

user_agent
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/5136-0-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral2/files/0x0009000000024250-12.dat	family_blackmoon
behavioral2/memory/5136-48-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral2/memory/4632-57-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon

QQpass
QQpass is a trojan written in C++..
trojan qqpass
Qqpass family
qqpass

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe

Executes dropped EXE 1 IoCs

pid	Process
4632	elxplorerjcidh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5136-0-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/files/0x0009000000024250-12.dat	upx
behavioral2/memory/5136-48-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/4632-57-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elxplorerjcidh.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5136	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
5136	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
5136	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
5136	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
5136	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
5136	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe
4632	elxplorerjcidh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5136 wrote to memory of 4632	5136	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe	88
PID 5136 wrote to memory of 4632	5136	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe	88
PID 5136 wrote to memory of 4632	5136	91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe	88

C:\Users\Admin\AppData\Local\Temp\91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe
"C:\Users\Admin\AppData\Local\Temp\91d54a460dbb7a790bc808f65eb42f2640fe65a0801b9674fbd4a097103013da.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5136
- C:\Users\Admin\AppData\Local\Temp\elxplorerjcidh.exe
  "C:\Users\Admin\AppData\Local\Temp\elxplorerjcidh.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\elxplorerjcidh.exe

Filesize
452KB

MD5
f80b7768f7bedc50206743482ab0d6a5

SHA1
84e6bb327c631292734956134182afc9dd16227f

SHA256
ce703f1f19be982d2d5ddd4228d85ec12442ed1a09b6b9ec721cfb362f72e6a2

SHA512
e9218d788300554fb63529de6bb984006c67615dfda317ef4b38883aebcefbcddeecdf1af58ae07644a2b22bb1c334369d72ff80e5cdfd28eda5da84c77d0a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
4171c9de755988cc7c3c9ca86b9f7b70

SHA1
daf87352c4385f638feaa213d093992ec2d3f635

SHA256
fbc0b2eedd30dee9f29a8a143d69105dba5c883795a9f7129a73acba395ac5d0

SHA512
a89185d635d3c7eddfb1e8fd909188708c8393b71557ed569701f3f859482c07845d2249d68dfa346ba3ebb4345e4b522fe7efb6442ae7fb87f15fb085ef7856

Download Submit
memory/4632-57-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5136-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5136-48-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download