blackmoon | 238ce9ce900f12bdc8e037a1ee008bbf75476839587ac282c53efa865243eab6

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2023 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

238ce9ce900f12bdc8e037a1ee008bbf75476839587ac282c53efa865243eab6.exe
Size

40.8MB
MD5

4c8a57dece40509a486b61e1d0ec2421
SHA1

43ef3dfd0434f6680a8b51fd6172ca4fe865dfaf
SHA256

238ce9ce900f12bdc8e037a1ee008bbf75476839587ac282c53efa865243eab6
SHA512

d564ecd6e0ade2f113bdff53a1abcabe5182b117c54079440c3b8a660da7842ee5ee862572b97a44251182fe3ae41986ab9efb94a255a0a0bdfa6f8fd844d379
SSDEEP

786432:QqVcWXywg7p1ez2kahdZY9jfI72wVPCVtRgeBq56x5l8cmO6/BTc:lfg7p1bnh/Y9jQKw56MGeXTc

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1400-275-0x0000000000400000-0x0000000000663000-memory.dmp	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7-zip32.dll	acprotect

Loads dropped DLL 1 IoCs

Processes:

238ce9ce900f12bdc8e037a1ee008bbf75476839587ac282c53efa865243eab6.exe

pid process

1400 238ce9ce900f12bdc8e037a1ee008bbf75476839587ac282c53efa865243eab6.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1400-133-0x0000000000400000-0x0000000000663000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\7-zip32.dll	upx
behavioral2/memory/1400-143-0x0000000010000000-0x000000001009E000-memory.dmp	upx
behavioral2/memory/1400-275-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral2/memory/1400-276-0x0000000010000000-0x000000001009E000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

238ce9ce900f12bdc8e037a1ee008bbf75476839587ac282c53efa865243eab6.exe

pid	process
1400	238ce9ce900f12bdc8e037a1ee008bbf75476839587ac282c53efa865243eab6.exe
1400	238ce9ce900f12bdc8e037a1ee008bbf75476839587ac282c53efa865243eab6.exe

C:\Users\Admin\AppData\Local\Temp\238ce9ce900f12bdc8e037a1ee008bbf75476839587ac282c53efa865243eab6.exe
"C:\Users\Admin\AppData\Local\Temp\238ce9ce900f12bdc8e037a1ee008bbf75476839587ac282c53efa865243eab6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7-zip32.dll

Filesize
251KB

MD5
b47f35506e4c1a5f7da6b5f3fb3b735f

SHA1
085e3186754943f7627f9a8be80c06d81029581e

SHA256
8702364360f9070aeb7ce22b81ae02e558938d1e703a26245e2b0e0611b041e5

SHA512
755bc38fd198c295ece6f17621aa0ef2cc60418f8efe8476de307a1906df7f6835050ddc6757bc5f8448879778d04bfed785cd9a59e1ebf560133f8696dd27a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e571bd5.tmp\data.ini

Filesize
1KB

MD5
e75f21948a41c5026af99703d717dcd8

SHA1
4e0a4ce1f685a57f59ee20b2e124df09a7c46db2

SHA256
c26a57ffc95fdf4be750335aff29fe53d394dc940446d965378059d943ef18e5

SHA512
731752118b2bf40591cbbb326b398528075ebfbce1b8e6fd7ec98b84b86a905cf20ff8359a42df7796dd34cbb01f82702819b7bd853a08defd52c98000cc312e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e571bd5.tmp\data.ini

Filesize
1KB

MD5
d1465904c1113bf299c3e83441bf00c1

SHA1
50af7d7b1f1e73db0773c3fdc7300150df42ecad

SHA256
7b899d68f2bf66a1d93b8446658293de800e52f56382637a868da020f0fe0b73

SHA512
bde1d08111387d6780fe8ccc4154ca8113fa8b1eb8a14d96cce8c3255c28cde998b78b516d2be8500c06f314246db20d292c52a467b2f120c89f9aed0e1428d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e571bd5.tmp\variable.ini

Filesize
672B

MD5
cb45d58839fde01714fc3488ae527a50

SHA1
f352e7d44c5dcb70eaf3b6c2a4b2771a569b26f8

SHA256
994ae753591096f3062f8c6118427961b9252b45c1cee0309f261bf6943e9583

SHA512
47f02dded0763c4f79ce5a2370d2cd9b61e1fa87a39a8714e36cae320496938bf871656f939937803debf978ccb51f7219efe9f5781aa38963f7818720f96bdb

Download Submit
memory/1400-133-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1400-143-0x0000000010000000-0x000000001009E000-memory.dmp

Filesize
632KB

Download
memory/1400-274-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1400-275-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1400-276-0x0000000010000000-0x000000001009E000-memory.dmp

Filesize
632KB

Download