blackmoon | b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7

Analysis

max time kernel
141s
max time network
33s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07-07-2023 19:45

Target

b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
Size

395KB
MD5

6c6155e763f7185efe2b2b479b9408e5
SHA1

c27916a89cc5e0e31731cdefd0bd97ba3879381f
SHA256

b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7
SHA512

d164cec94f1ef852d6b63759edc44fbb9138fea99a5e009f15417352e4f972e1e35664f5bab9fedf47114ac5c93eb993cfd2ce4e3856bdf677cdf16cc2be3c7a
SSDEEP

3072:P6Pj0UGvb0boMUBxtM1vMO2Q4U2VW591c6H:CoUGvQbovxtmd4UBTq6

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1352-54-0x0000000000400000-0x00000000004FB000-memory.dmp	family_blackmoon
behavioral1/memory/1352-55-0x0000000000400000-0x00000000004FB000-memory.dmp	family_blackmoon
behavioral1/memory/1352-56-0x0000000000400000-0x00000000004FB000-memory.dmp	family_blackmoon
behavioral1/memory/1352-57-0x0000000000400000-0x00000000004FB000-memory.dmp	family_blackmoon
behavioral1/memory/1352-70-0x0000000000400000-0x00000000004FB000-memory.dmp	family_blackmoon

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe

pid	process
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe
1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe

description pid process

Token: SeDebugPrivilege 1352 b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe

description	pid	process
Token: SeDebugPrivilege	1352	b537dc5396eeea421c8e0144ed2b835a7bd57a1beffbc98c5ff441e2750854d7.exe

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2868

memory/1352-54-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1352-55-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1352-56-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1352-57-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1352-70-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download