blackmoon | c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-05-2023 03:49

Target

c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c.exe
Size

2.2MB
MD5

f772f257f10db544eae72c462f21878c
SHA1

0104c7d4942a552504f7e287b06b8dbb43d2874b
SHA256

c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c
SHA512

fe9bf66e6ab072c4c79e82a3bd5d33f0478d93d8bfcb52ce2c3b1a2f49e346591c8adf4a00ebd143584b703ee2ef97d5014101b56d3104e90a560382e09483a5
SSDEEP

49152:brZlHdYb+Z434XQsJ7WOwzcLtC6L1Rm3tWXm+K+WqCsm:b9rS+nQALw8tVBR8tWXrVWBsm

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2024-54-0x0000000000400000-0x0000000000877000-memory.dmp	family_blackmoon
behavioral1/memory/2024-65-0x0000000000400000-0x0000000000877000-memory.dmp	family_blackmoon
behavioral1/memory/2024-67-0x0000000000400000-0x0000000000877000-memory.dmp	family_blackmoon

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/2024-54-0x0000000000400000-0x0000000000877000-memory.dmp	upx
behavioral1/memory/2024-61-0x00000000008C0000-0x00000000008F6000-memory.dmp	upx
behavioral1/memory/2024-62-0x00000000008C0000-0x00000000008F6000-memory.dmp	upx
behavioral1/memory/2024-65-0x0000000000400000-0x0000000000877000-memory.dmp	upx
behavioral1/memory/2024-66-0x00000000008C0000-0x00000000008F6000-memory.dmp	upx
behavioral1/memory/2024-67-0x0000000000400000-0x0000000000877000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c.exe

pid process

2024 c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c.exe

pid	process
2024	c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c.exe

C:\Users\Admin\AppData\Local\Temp\c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c.exe
"C:\Users\Admin\AppData\Local\Temp\c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2024

memory/2024-54-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/2024-55-0x00000000023B0000-0x0000000002423000-memory.dmp

Filesize
460KB

Download
memory/2024-61-0x00000000008C0000-0x00000000008F6000-memory.dmp

Filesize
216KB

Download
memory/2024-63-0x0000000000950000-0x0000000000963000-memory.dmp

Filesize
76KB

Download
memory/2024-62-0x00000000008C0000-0x00000000008F6000-memory.dmp

Filesize
216KB

Download
memory/2024-64-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/2024-65-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/2024-66-0x00000000008C0000-0x00000000008F6000-memory.dmp

Filesize
216KB

Download
memory/2024-67-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download