blackmoon | c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2023 03:49

Target

c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c.exe
Size

2.2MB
MD5

f772f257f10db544eae72c462f21878c
SHA1

0104c7d4942a552504f7e287b06b8dbb43d2874b
SHA256

c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c
SHA512

fe9bf66e6ab072c4c79e82a3bd5d33f0478d93d8bfcb52ce2c3b1a2f49e346591c8adf4a00ebd143584b703ee2ef97d5014101b56d3104e90a560382e09483a5
SSDEEP

49152:brZlHdYb+Z434XQsJ7WOwzcLtC6L1Rm3tWXm+K+WqCsm:b9rS+nQALw8tVBR8tWXrVWBsm

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1280-145-0x0000000000400000-0x0000000000877000-memory.dmp	family_blackmoon

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/1280-133-0x0000000000400000-0x0000000000877000-memory.dmp	upx
behavioral2/memory/1280-140-0x0000000003670000-0x00000000036A6000-memory.dmp	upx
behavioral2/memory/1280-142-0x0000000003670000-0x00000000036A6000-memory.dmp	upx
behavioral2/memory/1280-143-0x0000000003670000-0x00000000036A6000-memory.dmp	upx
behavioral2/memory/1280-145-0x0000000000400000-0x0000000000877000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c.exe

pid process

1280 c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c.exe

pid	process
1280	c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c.exe

C:\Users\Admin\AppData\Local\Temp\c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c.exe
"C:\Users\Admin\AppData\Local\Temp\c7ceba999ae1987059509ac4eaec21b32800e501005fffeead566bf2f9d5c29c.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1280

memory/1280-133-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/1280-134-0x00000000034E0000-0x0000000003553000-memory.dmp

Filesize
460KB

Download
memory/1280-140-0x0000000003670000-0x00000000036A6000-memory.dmp

Filesize
216KB

Download
memory/1280-141-0x0000000003700000-0x0000000003713000-memory.dmp

Filesize
76KB

Download
memory/1280-142-0x0000000003670000-0x00000000036A6000-memory.dmp

Filesize
216KB

Download
memory/1280-143-0x0000000003670000-0x00000000036A6000-memory.dmp

Filesize
216KB

Download
memory/1280-144-0x00000000038E0000-0x00000000038E1000-memory.dmp

Filesize
4KB

Download
memory/1280-145-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/1280-146-0x0000000003700000-0x0000000003713000-memory.dmp

Filesize
76KB

Download