blackmoon | 81061ca8835f361cb6554ce48c1dac634e40486b3d9b36dc00448f40dc0a9a7c

Analysis

max time kernel
28s
max time network
131s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-05-2023 11:21

Target

tmp.exe
Size

7.3MB
MD5

d3bf474de7039be1758918653d179d54
SHA1

49b3c66dd93ba512e3dc423339d77a15b79efc05
SHA256

81061ca8835f361cb6554ce48c1dac634e40486b3d9b36dc00448f40dc0a9a7c
SHA512

8ba871edf781bd3ea6f27dc43e5a783b6475874d34438a364d80d9dfcda1faa8271a3e15d22de2159354fca0bafff7e4ce9443210cfce83fb254b528e688ee00
SSDEEP

196608:EiNibKiPyg8KD0fJHPcgAL9fvbmEB5Rxg0nb:EiwPp0xHPahvbbrb

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2000-59-0x0000000010000000-0x000000001005D000-memory.dmp	family_blackmoon
behavioral1/memory/2000-67-0x0000000010000000-0x000000001005D000-memory.dmp	family_blackmoon

Drops file in Drivers directory 8 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Windows\System32\drivers\Recdr35cdr	tmp.exe
File opened for modification	C:\Windows\System32\drivers\Recdr35cdr	tmp.exe
File created	C:\Windows\System32\drivers\Repyy33pyy	tmp.exe
File opened for modification	C:\Windows\System32\drivers\Repyy33pyy	tmp.exe
File created	C:\Windows\SysWOW64\drivers\vMhCvEiK.dll	tmp.exe
File opened for modification	C:\Windows\System32\drivers\vMhCvEiK.dll	tmp.exe
File created	C:\Windows\SysWOW64\drivers\hYkXfKhF.dll	tmp.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hYkXfKhF.dll	tmp.exe

pid	process
468
468

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Drivers directory
PID:2000

C:\Windows\System32\drivers\Repyy33pyy

Filesize
63KB

MD5
73919ef9b3dac69301729cd8bf02ff5c

SHA1
ec809efa4412c3dc8e9c363bbef08efb9335aa5b

SHA256
e5869f427fec9843be68e8aa991b44cd2d0d0425345ba7e2bddbf2369ec1903c

SHA512
531e88fbdfc75ef6c2a85ca073853aff010de9e262395d50d4bc07c336f7311f828aa214ab0d4f8849a94a2ae93c138a6ed27a9a70240bf8593812730c18c8eb

Download Submit
memory/2000-59-0x0000000010000000-0x000000001005D000-memory.dmp

Filesize
372KB

Download
memory/2000-60-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2000-67-0x0000000010000000-0x000000001005D000-memory.dmp

Filesize
372KB

Download