blackmoon | 3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c

Analysis

max time kernel
141s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe
Size

2.0MB
MD5

304dc49d23f4684cf11a3865a8f6638e
SHA1

8f32cb2f77bb045713d3d00d095ba75231d7edae
SHA256

3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c
SHA512

03c0f99e634bd1be880d7119ec7bba4d3a82417aa7d0a28bf509ed057eca14a75545a6de454fdab5c5240fa0623bed1206abc9e0c6af13e10295f586a8616ecf
SSDEEP

49152:Od7uWrA4X27PKu+tROA/nrOpZqLRcITUxe+raEFuQrb+7L:07nmr+fO4SpZqL5Axe/mHbwL

Score

10^/10

blackmoon banker bootkit discovery persistence trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/3664-85-0x0000000000400000-0x0000000000442200-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
3664	Bugreport-262650.dll

Loads dropped DLL 1 IoCs

pid	Process
2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2720-0-0x0000000000400000-0x000000000090F200-memory.dmp	upx
behavioral2/memory/2720-6-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-52-0x0000000002E20000-0x0000000002E92000-memory.dmp	upx
behavioral2/memory/2720-53-0x0000000002E20000-0x0000000002E92000-memory.dmp	upx
behavioral2/memory/2720-51-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-50-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-49-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-46-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-44-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-42-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-40-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-36-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-34-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-33-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-28-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-26-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-24-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-20-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-18-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-16-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-12-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-10-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-7-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-38-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-30-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-14-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-8-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-56-0x0000000000400000-0x000000000090F200-memory.dmp	upx
behavioral2/memory/2720-57-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2720-59-0x0000000002E20000-0x0000000002E92000-memory.dmp	upx
behavioral2/memory/2720-60-0x0000000000400000-0x000000000090F200-memory.dmp	upx
behavioral2/memory/2720-66-0x0000000000400000-0x000000000090F200-memory.dmp	upx
behavioral2/files/0x00070000000242db-68.dat	upx
behavioral2/memory/3664-70-0x0000000000400000-0x0000000000442200-memory.dmp	upx
behavioral2/memory/3664-85-0x0000000000400000-0x0000000000442200-memory.dmp	upx
behavioral2/memory/2720-496-0x0000000000400000-0x000000000090F200-memory.dmp	upx
behavioral2/memory/2720-1151-0x0000000000400000-0x000000000090F200-memory.dmp	upx
behavioral2/memory/2720-1155-0x0000000000400000-0x000000000090F200-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bugreport-262650.dll

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe
2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe
2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe
2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe
2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe
2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe
2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe
2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe
2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe
3664	Bugreport-262650.dll

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 3664	2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe	98
PID 2720 wrote to memory of 3664	2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe	98
PID 2720 wrote to memory of 3664	2720	3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe	98

C:\Users\Admin\AppData\Local\Temp\3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe
"C:\Users\Admin\AppData\Local\Temp\3c943c91da82f8f69c9bd2a3a80fad28ee3d6973526a034de074449360834e0c.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\data\Bugreport-262650.dll
  C:\Users\Admin\AppData\Local\Temp\data\Bugreport-262650.dll Bugreport %E9%AA%A8%E5%A4%B4QQ%E9%99%8C%E7%94%9F%E7%A9%BA%E9%97%B4%E7%95%99%E7%97%95%E8%B5%9E%20
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-262650.dll

Filesize
83KB

MD5
a285e02eee9dfb44b79133547534ba2d

SHA1
a21f95bed7b55027a006024b4ba8cae485c4ee3e

SHA256
51cb8733e664cea0596203f5ad8aecc325ced480033739370870b4b320d068a0

SHA512
1ab95bce3041daedd129d17912bd8dcb71742fdb6d58dccc8705b42aabea9647b10aec7d2c596c277b218d66ebe95da575bd1efede0ad3c9af95e870744a4f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini

Filesize
113B

MD5
7c12e1e9b8ae55b37e6937e650f5830d

SHA1
6b682ec50c1ab13d8774dbc793cbed38cac79e8f

SHA256
cbff7ef2cf0c0621f7d810a73639d35e0750658122daaf86f4fc950116e3fab5

SHA512
dd60c60681f2aa4c4124fd7ff2add4f4c97c57fdf76e39f0406a736ce837516fc5f542a062d5df1122eac7f4c473c460cfbe9f6d6a3f6a4c511ca552fa885ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport_error.ini

Filesize
286B

MD5
b4b8c90f8f166c667925748268e52e1b

SHA1
72b97884ca91994414ec0a7082979a3319ca14a6

SHA256
85321380861d64f3754f11b0c67427c945a5e49213a390ab95c396ec43540c15

SHA512
0f48da7943a1f2913e7236a42b7961d6d352013bad497ea106409ceb68d3be44674155b6f5252f95dd3cdc66bfa30dea5625e9871b291e3b730b6fd656967bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\ÕËºÅÁÐ±í.PLFX.N

Filesize
1KB

MD5
4234ea30074792ee58e7a36009808831

SHA1
15ecab19d468218266f541898d7be2c0e334a561

SHA256
4234957c0679bfee8362586f985e53eff76279064433cd799ec437d8e5534110

SHA512
646cebac2a5d6235943ac4d996f6b3ec75c6ebc4f5ca189666252ae59110bfc3c0a2703aa128499f5eb55b659f953e7aa59d9472ab9a97871eac13017f98bf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la

Filesize
724KB

MD5
a96fbd5e66b31f3d816ad80f623e9bd9

SHA1
4eda42260bd3eb930cd4eafd7d15c6af367bcf18

SHA256
2e67ba278646fde95bb614dcbcc7da1c6bf7976c918b2c6ad3d78640000326f3

SHA512
43921107313775ea14b1bd33cf758c13798f4fa1c1074771c1c96b1b43b98f3416d249ed8ab3171383772d0054829c3754a91b5e94135f1df6d67a76f599c80e

Download Submit
memory/2720-16-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-38-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-49-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-46-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-44-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-42-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-40-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-36-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-34-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-33-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-28-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-26-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-24-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-20-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-18-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-0-0x0000000000400000-0x000000000090F200-memory.dmp

Filesize
5.1MB

Download
memory/2720-12-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-10-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-7-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-50-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-30-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-14-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-8-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-56-0x0000000000400000-0x000000000090F200-memory.dmp

Filesize
5.1MB

Download
memory/2720-57-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-59-0x0000000002E20000-0x0000000002E92000-memory.dmp

Filesize
456KB

Download
memory/2720-60-0x0000000000400000-0x000000000090F200-memory.dmp

Filesize
5.1MB

Download
memory/2720-66-0x0000000000400000-0x000000000090F200-memory.dmp

Filesize
5.1MB

Download
memory/2720-51-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-1155-0x0000000000400000-0x000000000090F200-memory.dmp

Filesize
5.1MB

Download
memory/2720-53-0x0000000002E20000-0x0000000002E92000-memory.dmp

Filesize
456KB

Download
memory/2720-52-0x0000000002E20000-0x0000000002E92000-memory.dmp

Filesize
456KB

Download
memory/2720-1151-0x0000000000400000-0x000000000090F200-memory.dmp

Filesize
5.1MB

Download
memory/2720-83-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/2720-6-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2720-496-0x0000000000400000-0x000000000090F200-memory.dmp

Filesize
5.1MB

Download
memory/3664-85-0x0000000000400000-0x0000000000442200-memory.dmp

Filesize
264KB

Download
memory/3664-70-0x0000000000400000-0x0000000000442200-memory.dmp

Filesize
264KB

Download