blackmoon | c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07/10/2023, 05:55 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
Size

4.3MB
MD5

b43033548b043b2fa3f5fbb6e2931966
SHA1

1841f9ed8cc3af7d9b431b8f136a2297780b01c3
SHA256

c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906
SHA512

0e43d7455b48d7230f2f18804e5c265c84d3e363ef6c641040a9f3c9723cd9953bb75f6f48f90d037ff238919a0e4f835806757ea94e3a4e5fd45c0d5a739796
SSDEEP

98304:xiSKMbPs4ZcvDXGsUgG1/Q/g+ZmiPDC+kAE:LGDZHFg+ZTrnkJ

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/1764-4-0x0000000002BB0000-0x0000000002C64000-memory.dmp	family_blackmoon
behavioral1/memory/1764-21-0x0000000002BB0000-0x0000000002C64000-memory.dmp	family_blackmoon

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
1764	c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe

C:\Users\Admin\AppData\Local\Temp\c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe
"C:\Users\Admin\AppData\Local\Temp\c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1764

Network

No results found

42.51.13.213:86

c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe

152 B
120 B
3
3
42.51.13.213:86

c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe

152 B
120 B
3
3
42.51.13.213:86

c7d490ed15a9e8059b5eef7d487fd46f8f9e04922b235b43b9508c63f165e906.exe

152 B
120 B
3
3

No results found

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Manatee2022\Config\manatee.cfg

Filesize
111B

MD5
750d1e62d281091d5120890a82eb2542

SHA1
159dbe6b56d8f9fd6457d4c3f4d5bdcd58078c28

SHA256
e478f0b3c195f14daaf4982550f0d68ca64f12588ee993c9d1644effc095233e

SHA512
100497c5d8d05fdff91a905f6836597131f4b3bda303f6e63b7ab894b9a5da1a77320357ce8fb56237ca6f966fc60153df2a3ab7ed0924ec3f15ff8b580daa5e

Download Submit
memory/1764-0-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/1764-1-0x0000000075CF0000-0x0000000075E00000-memory.dmp

Filesize
1.1MB

Download
memory/1764-3-0x0000000000890000-0x00000000008E9000-memory.dmp

Filesize
356KB

Download
memory/1764-4-0x0000000002BB0000-0x0000000002C64000-memory.dmp

Filesize
720KB

Download
memory/1764-2-0x0000000002AA0000-0x0000000002BB0000-memory.dmp

Filesize
1.1MB

Download
memory/1764-14-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-15-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1764-19-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/1764-20-0x0000000075CF0000-0x0000000075E00000-memory.dmp

Filesize
1.1MB

Download
memory/1764-21-0x0000000002BB0000-0x0000000002C64000-memory.dmp

Filesize
720KB

Download
memory/1764-22-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download