blackmoon | 82151abe9fbda4bf09c23ed946fd56d6af7c4582ce49b9a2884b71780169abc6

Analysis

max time kernel
123s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 14:05

Target

82151abe9fbda4bf09c23ed94.exe
Size

476KB
MD5

f1eed8c9913ba48d51b9c03e75e155f0
SHA1

79bf7476a9f3ba427445cb27613a44a2e4b3cb7d
SHA256

82151abe9fbda4bf09c23ed946fd56d6af7c4582ce49b9a2884b71780169abc6
SHA512

d55e09caf26b67ed3cd53f751c314e7295b0dd70fb4c04011b923172651ad19173a1f45b789f3fa76d7ba27272f10f745db162f254ef783b480f2b2b158664bf
SSDEEP

12288:64hsx/Zi0qBgAqEiRKI9A4C5CCC1CCCCXCCCCCwCCCCCCNCCCCCCCxCCCCCCCC5G:dOhi0qj

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4660-133-0x0000000000400000-0x00000000004F6000-memory.dmp	family_blackmoon
behavioral2/memory/4660-134-0x0000000000400000-0x00000000004F6000-memory.dmp	family_blackmoon
behavioral2/memory/4660-135-0x0000000000400000-0x00000000004F6000-memory.dmp	family_blackmoon
behavioral2/memory/4660-136-0x0000000000400000-0x00000000004F6000-memory.dmp	family_blackmoon

Drops file in System32 directory 8 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9B9F843E-AF08-4FB7-90A3-8AD641720558}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EEE84273-C1BD-4A88-AF61-5FF03459D7D4}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{61B8BC1D-7EDB-49F6-97E9-20A5F7C1F811}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E3AA0FB4-D097-4652-AB15-8BC7B5F2808D}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9A00D0A8-2F94-4EAF-9A51-0742660E298A}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{83854896-72ED-44B6-ADF8-ACFE97B0C439}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{57BA56C9-F9A8-49F3-86F0-2EB2310449E9}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{83351D96-BA57-42AE-BF2B-45E566B154D0}.catalogItem	svchost.exe

C:\Users\Admin\AppData\Local\Temp\82151abe9fbda4bf09c23ed94.exe
"C:\Users\Admin\AppData\Local\Temp\82151abe9fbda4bf09c23ed94.exe"
1⤵
PID:4660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:4304

memory/4660-133-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4660-134-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4660-135-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4660-136-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download