blackmoon | 290c4563fc3c33f35d2ce50d2140f4c62588d07efe7f2fd47d27420a2fa98ee1

Analysis

max time kernel
144s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2025, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

290c4563fc3c33f35d2ce50d2140f4c62588d07efe7f2fd47d27420a2fa98ee1.exe
Size

621KB
MD5

c24957a07fa4d48e700fb30b85e7b439
SHA1

f147ca642cd93289c11cc3fbcbb2e6268b51299f
SHA256

290c4563fc3c33f35d2ce50d2140f4c62588d07efe7f2fd47d27420a2fa98ee1
SHA512

3d2dd9b489eb0d7fcd026fbaf86900aad8a84762c39f885c330f164b9757c6291d0a3ecba2f4cef219228516d630818234b229e1f82f0b2f870c467efd7549eb
SSDEEP

12288:A4svL4A4OvcjLGCHRkwOXC6QzTHTvllfd7lPGoeS+NM:A4sv8TOvcjLGKRkwOXC9zTzxdGNS+N

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/4896-22-0x0000000010000000-0x0000000010011000-memory.dmp	family_blackmoon
behavioral1/memory/4896-61-0x0000000010000000-0x0000000010011000-memory.dmp	family_blackmoon

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ssoshareinfohelper64.lnk	290c4563fc3c33f35d2ce50d2140f4c62588d07efe7f2fd47d27420a2fa98ee1.exe

Executes dropped EXE 1 IoCs

pid	Process
4896	ssoshareinfohelper64.exe

Loads dropped DLL 1 IoCs

pid	Process
4896	ssoshareinfohelper64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssoshareinfohelper64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4896	ssoshareinfohelper64.exe
Token: SeIncBasePriorityPrivilege	4896	ssoshareinfohelper64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4896	ssoshareinfohelper64.exe
4896	ssoshareinfohelper64.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 4896	1656	290c4563fc3c33f35d2ce50d2140f4c62588d07efe7f2fd47d27420a2fa98ee1.exe	96
PID 1656 wrote to memory of 4896	1656	290c4563fc3c33f35d2ce50d2140f4c62588d07efe7f2fd47d27420a2fa98ee1.exe	96
PID 1656 wrote to memory of 4896	1656	290c4563fc3c33f35d2ce50d2140f4c62588d07efe7f2fd47d27420a2fa98ee1.exe	96

C:\Users\Admin\AppData\Local\Temp\290c4563fc3c33f35d2ce50d2140f4c62588d07efe7f2fd47d27420a2fa98ee1.exe
"C:\Users\Admin\AppData\Local\Temp\290c4563fc3c33f35d2ce50d2140f4c62588d07efe7f2fd47d27420a2fa98ee1.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Roaming\Cache\ssoshareinfohelper64.exe
  C:\Users\Admin\AppData\Roaming\\Cache\ssoshareinfohelper64.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4896

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Cache\SSOShareInfoHelper64.exe

Filesize
2.4MB

MD5
f309de7250256a9bc74a5bb669169510

SHA1
ab58bbf6c4619e930b57ce4ce139e557cc08a723

SHA256
8fb6b476c2f497ee107d76c1c7de6eab027aaa7a2c53452b7936af8be33d2b52

SHA512
ecd95f712cd3fde284ed325d527fbafe03c98db80a4854bc6b32cc7bf447d98bd0b040f7e260ccf77b8a55f4dd6a97d2ad6e88ee2b580382c9649ba03a405de0

Download Submit
C:\Users\Admin\AppData\Roaming\Cache\config.ini

Filesize
59B

MD5
35e84cf0567b12a2cd2a576f83c86480

SHA1
0e3bacc8286b878958e6c684f063bea32d2f7be4

SHA256
1113458bfaa863a9bc5f17460435fa1197a516aab4f95c3fadf19d3726e1cf56

SHA512
d24d8cf27f0990d996e0fc36b5bf8b9e830cc4cb6034c5437af35c31b1e48277e074a8247dd0aa8976421f50121ea86bdbb75e0cfb0702f7ea7062e800d17cfd

Download Submit
C:\Users\Admin\AppData\Roaming\Cache\res\theme\azure.she

Filesize
64KB

MD5
636f6a2c1521c82a3a503be1f3f6210f

SHA1
68410eefac45eef85465db572db78362bbc16208

SHA256
3835bd02c8f252236b41ca94bf69a034e6abd34daf44dbc7d4e2d074ddeca7fd

SHA512
5904bf6054c6c07355b0121c54559aaba6a0833286b0811aca30dcdf06f1447c4ed845c6176e6ee881dd815043d584d0259d382d9f2e0993a8bc89354ca5d872

Download Submit
C:\Users\Admin\AppData\Roaming\Cache\res\theme\purple.she

Filesize
7.4MB

MD5
6fdf3a25722a87f96244d268c7d3c05e

SHA1
369d84ed80e6e5433a288b4c520ebcfec9f347f2

SHA256
6ddcf9bdb3e087ac01018c35fc0ac18525bc4329baf5b9cba5a10d7d889ed2cf

SHA512
c1e3ce87a8edcbf2f6a34b4535844305584bccf42b244af46f42b9fe69114bd75327209ad7a398ff052f6e1da36750ee8eac7306d3d173a35244131e0d3aa355

Download Submit
C:\Users\Admin\AppData\Roaming\Cache\vcruntime140.dll

Filesize
82KB

MD5
d0520569180accd7e17ed9697711d6ec

SHA1
46cb7e2db7efda70b9a5b75b2fe0bb6038499008

SHA256
13026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c

SHA512
86e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034

Download Submit
\??\c:\users\admin\appdata\roaming\cache\Sysdiag\license.dat

Filesize
122B

MD5
15f6c82d7021dce3a5ac2b1ebd251d63

SHA1
de6bb074dc70be138f7af1224792bb128e2282f2

SHA256
c94905702eacc6d210a809e14badcfb191b007b42caced4e221a9d6b8560b269

SHA512
e26ce10a3c635a5eee902bfb817809cd82b09b481d972c9596f84f3a6e28bbe832f5f48cb5750c6b7512c9fc651b3888e8006d73e9a02b614f9ffb28eff92c84

Download Submit
memory/4896-101-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-92-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-22-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/4896-23-0x0000000005870000-0x000000000598D000-memory.dmp

Filesize
1.1MB

Download
memory/4896-28-0x0000000005870000-0x000000000598D000-memory.dmp

Filesize
1.1MB

Download
memory/4896-31-0x0000000003F10000-0x0000000003F11000-memory.dmp

Filesize
4KB

Download
memory/4896-30-0x0000000077AF2000-0x0000000077AF3000-memory.dmp

Filesize
4KB

Download
memory/4896-29-0x00000000050F0000-0x0000000005864000-memory.dmp

Filesize
7.5MB

Download
memory/4896-27-0x0000000005870000-0x000000000598D000-memory.dmp

Filesize
1.1MB

Download
memory/4896-33-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-39-0x0000000077AF2000-0x0000000077AF3000-memory.dmp

Filesize
4KB

Download
memory/4896-37-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-41-0x0000000006EE0000-0x00000000073E5000-memory.dmp

Filesize
5.0MB

Download
memory/4896-40-0x00000000050F0000-0x0000000005864000-memory.dmp

Filesize
7.5MB

Download
memory/4896-49-0x0000000000D30000-0x0000000001712000-memory.dmp

Filesize
9.9MB

Download
memory/4896-44-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/4896-43-0x0000000077AF2000-0x0000000077AF3000-memory.dmp

Filesize
4KB

Download
memory/4896-59-0x0000000006EE0000-0x00000000073E5000-memory.dmp

Filesize
5.0MB

Download
memory/4896-64-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-66-0x00000000050F0000-0x0000000005864000-memory.dmp

Filesize
7.5MB

Download
memory/4896-67-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-70-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-73-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-77-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-83-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-89-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-95-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-102-0x0000000005870000-0x000000000598D000-memory.dmp

Filesize
1.1MB

Download
memory/4896-15-0x0000000000D30000-0x0000000001712000-memory.dmp

Filesize
9.9MB

Download
memory/4896-100-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-17-0x000000007EFC0000-0x000000007F391000-memory.dmp

Filesize
3.8MB

Download
memory/4896-99-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-69-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-96-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-94-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-93-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-98-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-91-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-90-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-88-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-87-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-86-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-85-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-84-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-82-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-81-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-80-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-79-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-78-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-76-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-75-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-74-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-72-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-71-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-97-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-68-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-65-0x0000000006750000-0x0000000006971000-memory.dmp

Filesize
2.1MB

Download
memory/4896-61-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/4896-60-0x000000007EFC0000-0x000000007F391000-memory.dmp

Filesize
3.8MB

Download
memory/4896-104-0x0000000003F10000-0x0000000003F11000-memory.dmp

Filesize
4KB

Download
memory/4896-108-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/4896-115-0x0000000077AF2000-0x0000000077AF3000-memory.dmp

Filesize
4KB

Download