blackmoon | b16f7b2881866796100a1767fcd49c351ac0cd2953d9846d4a76745b1351601a

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/08/2023, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b16f7b2881866796100a1767fcd49c351ac0cd2953d9846d4a76745b1351601a.exe
Size

590KB
MD5

c9f1b96c2d48fc6ed5b1042c12e68c01
SHA1

76f8ebacaf908971bcc53a3f32523109066ee6f4
SHA256

b16f7b2881866796100a1767fcd49c351ac0cd2953d9846d4a76745b1351601a
SHA512

88669d01241ea98185a13b67cf4f8067bcab6d6224748a0f66d42dcc870b2f89f745e4f5bd0d7d1fe45047dba56ef4a98118aa032730ffcedd9b02e8da3a9112
SSDEEP

12288:GND9yMNMoLWB7ZowJjSEurznuNEX3lYPzWVp4cRu:GND9D6oLWB7HtSEurzUGmbDp

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/2192-64-0x0000000000400000-0x00000000005A3000-memory.dmp	family_blackmoon
behavioral1/memory/2192-67-0x0000000000400000-0x00000000005A3000-memory.dmp	family_blackmoon
behavioral1/memory/2192-70-0x0000000000400000-0x00000000005A3000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
2184	aow_dr.exe

Loads dropped DLL 2 IoCs

pid	Process
2192	b16f7b2881866796100a1767fcd49c351ac0cd2953d9846d4a76745b1351601a.exe
2804	Process not Found

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2192-54-0x0000000000400000-0x00000000005A3000-memory.dmp	upx
behavioral1/memory/2192-64-0x0000000000400000-0x00000000005A3000-memory.dmp	upx
behavioral1/memory/2192-67-0x0000000000400000-0x00000000005A3000-memory.dmp	upx
behavioral1/memory/2192-70-0x0000000000400000-0x00000000005A3000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2192	b16f7b2881866796100a1767fcd49c351ac0cd2953d9846d4a76745b1351601a.exe
2192	b16f7b2881866796100a1767fcd49c351ac0cd2953d9846d4a76745b1351601a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2184	2192	b16f7b2881866796100a1767fcd49c351ac0cd2953d9846d4a76745b1351601a.exe	28
PID 2192 wrote to memory of 2184	2192	b16f7b2881866796100a1767fcd49c351ac0cd2953d9846d4a76745b1351601a.exe	28
PID 2192 wrote to memory of 2184	2192	b16f7b2881866796100a1767fcd49c351ac0cd2953d9846d4a76745b1351601a.exe	28
PID 2192 wrote to memory of 2184	2192	b16f7b2881866796100a1767fcd49c351ac0cd2953d9846d4a76745b1351601a.exe	28

C:\Users\Admin\AppData\Local\Temp\b16f7b2881866796100a1767fcd49c351ac0cd2953d9846d4a76745b1351601a.exe
"C:\Users\Admin\AppData\Local\Temp\b16f7b2881866796100a1767fcd49c351ac0cd2953d9846d4a76745b1351601a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\aow_dr.exe
  C:\Users\Admin\AppData\Local\Temp\aow_dr.exe
  2⤵
  - Executes dropped EXE
  PID:2184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

Filesize
13KB

MD5
dc0afe131cc346ca405a2afce6ea0d25

SHA1
a485647cbeb3cb9204445499d76b8bb0d466ab5a

SHA256
6cfbe0885a7a811534e170d1f532535467e568895cf535ee5d19511100212f79

SHA512
b0d9920d41b6b76a6cd4cd8ac182dc0612054fc0b6e45ec3ffa064bf92d4bd981aaf21a6e74e5bda17abae484688f4dcf0fcf90f27cc797ee08372b7bf4549f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dr.dll

Filesize
192B

MD5
283d4d83419e5b42ccc89cd1db8adb18

SHA1
5c86d02754b9773ca59b690e5b39a0af9249afa3

SHA256
822412da7e49ad0fb5f60f5cb871e76aa83a7f2d5e9525e48950549df1aee659

SHA512
0d1644ed8cff13d5970cd60e2ca45713948c12a43bd43675c2dc36ee60e67281cc2fb6773c8bc4d97771d1e3e54b673000910d2aed6962b1f15ef3836dcbe247

Download Submit
\Users\Admin\AppData\Local\Temp\aow_dr.exe

Filesize
13KB

MD5
dc0afe131cc346ca405a2afce6ea0d25

SHA1
a485647cbeb3cb9204445499d76b8bb0d466ab5a

SHA256
6cfbe0885a7a811534e170d1f532535467e568895cf535ee5d19511100212f79

SHA512
b0d9920d41b6b76a6cd4cd8ac182dc0612054fc0b6e45ec3ffa064bf92d4bd981aaf21a6e74e5bda17abae484688f4dcf0fcf90f27cc797ee08372b7bf4549f3

Download Submit
\Users\Admin\AppData\Local\Temp\aow_dr.exe

Filesize
13KB

MD5
dc0afe131cc346ca405a2afce6ea0d25

SHA1
a485647cbeb3cb9204445499d76b8bb0d466ab5a

SHA256
6cfbe0885a7a811534e170d1f532535467e568895cf535ee5d19511100212f79

SHA512
b0d9920d41b6b76a6cd4cd8ac182dc0612054fc0b6e45ec3ffa064bf92d4bd981aaf21a6e74e5bda17abae484688f4dcf0fcf90f27cc797ee08372b7bf4549f3

Download Submit
memory/2192-54-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/2192-64-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/2192-67-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/2192-70-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download