blackmoon | 704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2023, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41.exe
Size

5.8MB
MD5

641f610d6742e5b085f2c05510508bd4
SHA1

02a4395bb1e5fb3c44e1abba08da737e7b5ed794
SHA256

704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41
SHA512

7c193ecd249677239c65f8911b1023e8310f1d0a8b8f0aae8e938dcc5df9b8ed2a02a8179e741657bd5e5524113255e352b65fe01e9125305a3b885a071da978
SSDEEP

98304:svRukgqNtpBt5QWoDjDdqYNbYB6bcyX+loDQzRH2hhKXjGMyQjWkiiZut1LC6s6L:gukgqNJEWItqYiqcyX+loDQzKG6MZ4iu

Score

10^/10

blackmoon banker trojan upx vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/4164-13-0x0000000010000000-0x0000000010024000-memory.dmp	family_blackmoon
behavioral2/memory/4164-16-0x0000000010000000-0x0000000010024000-memory.dmp	family_blackmoon

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4164-13-0x0000000010000000-0x0000000010024000-memory.dmp	upx
behavioral2/memory/4164-16-0x0000000010000000-0x0000000010024000-memory.dmp	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4164-0-0x0000000000400000-0x0000000000EE8000-memory.dmp	vmprotect
behavioral2/memory/4164-8-0x0000000000400000-0x0000000000EE8000-memory.dmp	vmprotect

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4164	704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41.exe
4164	704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41.exe
4164	704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41.exe
4164	704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4164	704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41.exe
4500	OpenWith.exe
4164	704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41.exe
4164	704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41.exe

C:\Users\Admin\AppData\Local\Temp\704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41.exe
"C:\Users\Admin\AppData\Local\Temp\704674dcc5f95e32d486d6f3415472cb769e6c89a0127cf73315cb722c8eed41.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4164-0-0x0000000000400000-0x0000000000EE8000-memory.dmp

Filesize
10.9MB

Download
memory/4164-1-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/4164-2-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/4164-3-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/4164-6-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/4164-5-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/4164-4-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/4164-7-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/4164-8-0x0000000000400000-0x0000000000EE8000-memory.dmp

Filesize
10.9MB

Download
memory/4164-12-0x0000000002E40000-0x0000000002F4A000-memory.dmp

Filesize
1.0MB

Download
memory/4164-13-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/4164-14-0x00000000754E0000-0x00000000755D0000-memory.dmp

Filesize
960KB

Download
memory/4164-15-0x00000000754E0000-0x00000000755D0000-memory.dmp

Filesize
960KB

Download
memory/4164-16-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/4164-17-0x0000000002E40000-0x0000000002F4A000-memory.dmp

Filesize
1.0MB

Download
memory/4164-18-0x00000000754E0000-0x00000000755D0000-memory.dmp

Filesize
960KB

Download
memory/4164-19-0x00000000754E0000-0x00000000755D0000-memory.dmp

Filesize
960KB

Download