blackmoon | b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832

Resubmissions

19-11-2022 13:50

16-11-2022 22:11

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2022 13:50

Target

b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
Size

4.0MB
MD5

a0588d88e7ddb01fc9ac9d3b5cf215d8
SHA1

3647f00f21ba2f090d81f07fca5137c4566b4046
SHA256

b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832
SHA512

0597a689f1b9c521415835272f123782ce5431c3049be15aa38664e8b288cf29a6715eb47e023e2479bfbba2ee387435ba72b5b7e14801a6c086b59f311df9c6
SSDEEP

98304:WBLaX2XjPrbVGbFWMZNA2wITWuXIu/M1vrGp1oVXL:YLaWrh3WNVwWWuz/M1vqpeXL

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/2084-133-0x0000000000400000-0x0000000001092000-memory.dmp	family_blackmoon
behavioral2/memory/2084-134-0x0000000000400000-0x0000000001092000-memory.dmp	family_blackmoon
behavioral2/memory/2084-135-0x0000000000400000-0x0000000001092000-memory.dmp	family_blackmoon
behavioral2/memory/2084-143-0x0000000000400000-0x0000000001092000-memory.dmp	family_blackmoon

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe
2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1884	2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe	91
PID 2084 wrote to memory of 1884	2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe	91
PID 2084 wrote to memory of 1884	2084	b4d4590a582639275a82f8de43cb470da98af293b3e3d147ae66fd24b793a832.exe	91
PID 1884 wrote to memory of 1860	1884	cmd.exe	93
PID 1884 wrote to memory of 1860	1884	cmd.exe	93
PID 1884 wrote to memory of 1860	1884	cmd.exe	93
PID 1884 wrote to memory of 1544	1884	cmd.exe	94
PID 1884 wrote to memory of 1544	1884	cmd.exe	94
PID 1884 wrote to memory of 1544	1884	cmd.exe	94
PID 1884 wrote to memory of 1836	1884	cmd.exe	95
PID 1884 wrote to memory of 1836	1884	cmd.exe	95
PID 1884 wrote to memory of 1836	1884	cmd.exe	95
PID 1884 wrote to memory of 4328	1884	cmd.exe	96
PID 1884 wrote to memory of 4328	1884	cmd.exe	96
PID 1884 wrote to memory of 4328	1884	cmd.exe	96
PID 1884 wrote to memory of 796	1884	cmd.exe	97
PID 1884 wrote to memory of 796	1884	cmd.exe	97
PID 1884 wrote to memory of 796	1884	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\deldl.bat

Filesize
699B

MD5
c6bd8c5ea90831eb71f920bffbdc0a29

SHA1
e87c7d038d85e19d0ab3b56f32a70b9a5486ece5

SHA256
c406efc6d11bef6aefce056fc46fc562eb717aaf30a3bb8e35e460af78ea88ed

SHA512
8c47b14dcf1957040a03aa1cf16854bf90aee4e2b5a46522b291fcecfed4a6bfb442aef5d52b22f5b367638609856a50a5c3d43ab43427c09c0744c0b9572c1c

Download Submit
memory/2084-132-0x0000000000400000-0x0000000001092000-memory.dmp

Filesize
12.6MB

Download
memory/2084-133-0x0000000000400000-0x0000000001092000-memory.dmp

Filesize
12.6MB

Download
memory/2084-134-0x0000000000400000-0x0000000001092000-memory.dmp

Filesize
12.6MB

Download
memory/2084-135-0x0000000000400000-0x0000000001092000-memory.dmp

Filesize
12.6MB

Download
memory/2084-143-0x0000000000400000-0x0000000001092000-memory.dmp

Filesize
12.6MB

Download