blackmoon | d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 08:49

Target

d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe
Size

1.7MB
MD5

9160dc004f19ef38f0f05eedca29d2b7
SHA1

eaf2463e9dc5747b7d8e13dd2e3576ccb7280048
SHA256

d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64
SHA512

8a8adbdc8a82d7fe9e460b819569ae1747e722675f1c8f1edc04b06d1e9b3f9a472ba1ac9d4e5ec1263090288c1a3c79ce82bced019e0cd5103535b0fbba6c41
SSDEEP

24576:jIlYZaol8VPqLAzlcd3Sa/MQ7tyej73z9mc3C0rEToS2/0NGxZjrDQGDcKANWGpu:8auMUTrCDcKMWKlhm23akQphXwouW

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe	family_blackmoon
behavioral2/memory/3528-136-0x0000000000400000-0x00000000005F3000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe

pid process

2080 d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe

pid	process
2080	d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe
2080	d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe

pid process

3528 d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exed0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe

pid	process
3528	d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe
2080	d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe

description	pid	process	target process
PID 3528 wrote to memory of 2080	3528	d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe	d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe
PID 3528 wrote to memory of 2080	3528	d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe	d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe
PID 3528 wrote to memory of 2080	3528	d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe	d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe

C:\Users\Admin\AppData\Local\Temp\d0d05ec10590781112d9d6c8c03131058a57977154f919b124305a2a75194f64.exe

Filesize
1.7MB

MD5
94941e960fff1fa8ff6f896ab01bb2c8

SHA1
8d8850353828b27244909ec32d7ba058df56cc20

SHA256
7cfe0326bf854a87c1b5a4416666149fc7dae6cc9e998aa4c78af2bd8bf06b2c

SHA512
dd4083bff3765d9050dc565a65408a1c4fdc7758a2b02071c1e794df7441255f362fae41e9316fcaa41317d59e21015fe9e42e99f7f441e1eba41887f8f471f7

Download Submit
memory/3528-136-0x0000000000400000-0x00000000005F3000-memory.dmp

Filesize
1.9MB

Download