blackmoon | d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a

Analysis

max time kernel
175s
max time network
212s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 09:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe
Size

5.8MB
MD5

e08015604f562f1409440fec6a32b1f8
SHA1

f84afe3ff4bf4e463a881ab1e92de37e23d3a0b9
SHA256

d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a
SHA512

dda10ce2ba42e22032065942b03f51fd1d2f96247ad09725d1de10c8e3eebead7a5d1e9b40813c08830bb88beec0ff18496a9e00a0fc0cb2f5e27b61ef7b0f51
SSDEEP

98304:FLcFdRkuo92IMlQnbVIPzf83ouM3z7JYnGrxMy+FY9i3voKziPDC+kAECq4:F0dRdo929MxMfaoN6ILgjmrnkJ6

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 10 IoCs

resource	yara_rule
behavioral1/memory/2616-15-0x0000000000400000-0x00000000009F8000-memory.dmp	family_blackmoon
behavioral1/memory/2616-18-0x0000000000400000-0x00000000009F8000-memory.dmp	family_blackmoon
behavioral1/memory/2740-38-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral1/memory/2616-26-0x0000000000400000-0x00000000009F8000-memory.dmp	family_blackmoon
behavioral1/memory/2740-43-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral1/memory/2740-50-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral1/memory/2740-67-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral1/memory/2740-78-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral1/memory/2616-591-0x0000000000400000-0x00000000009F8000-memory.dmp	family_blackmoon
behavioral1/memory/2616-595-0x0000000000400000-0x00000000009F8000-memory.dmp	family_blackmoon

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\libcurl.dll	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2616	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	29
PID 2728 set thread context of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe
2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe
2616	SystemPropertiesDataExecutionPrevention.exe
2616	SystemPropertiesDataExecutionPrevention.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe
2740	instnm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe
2616	SystemPropertiesDataExecutionPrevention.exe
2740	instnm.exe
2616	SystemPropertiesDataExecutionPrevention.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2616	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	29
PID 2728 wrote to memory of 2616	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	29
PID 2728 wrote to memory of 2616	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	29
PID 2728 wrote to memory of 2616	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	29
PID 2728 wrote to memory of 2616	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	29
PID 2728 wrote to memory of 2616	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	29
PID 2728 wrote to memory of 2616	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	29
PID 2728 wrote to memory of 2616	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	29
PID 2728 wrote to memory of 2616	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	29
PID 2728 wrote to memory of 2616	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	29
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30
PID 2728 wrote to memory of 2740	2728	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	30

C:\Users\Admin\AppData\Local\Temp\d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe
"C:\Users\Admin\AppData\Local\Temp\d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
  SystemPropertiesDataExecutionPrevention.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2616
- C:\Windows\SysWOW64\instnm.exe
  instnm.exe Mzeasst
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\manatee.ini

Filesize
244B

MD5
331535c9c818b98b80e9e83fef5b7b3d

SHA1
6c30e8f272e111f3e033ba513de266474f700e03

SHA256
af4d07f3f5eef6a53fd28a19d288c9d3de0a341c3c879e2894befa9b8787801c

SHA512
148ed5d3a082cf6433ddc76fba6010bd4e68b990c9bc3d37b2dce62ddbd5c49b20c652703747c8a98c10ce4ad58fb9cd7dce98d6ef26e802c676da3b9a1de05d

Download Submit
\??\c:\manatee.ini

Filesize
283B

MD5
e491e9d1152fc1ee13b0bcdd6547dc41

SHA1
67fcce56f4eb13ee71e88ccda8284eae7b42cfc0

SHA256
5dfb40d13bc7ae738ed147f1a9f2893d09b1402a9d5ae03e59e74ab3a397cf98

SHA512
ca58bb61011fb8cf783a080c31d9948e18a160a1ba164cf5a7bec979f5f8a5f78f6266f99dfb3c319fc89ac60e9e1c4b7c3f3940e6dc1fc3b54768bdbddbf1a5

Download Submit
\??\c:\manatee.ini

Filesize
283B

MD5
e491e9d1152fc1ee13b0bcdd6547dc41

SHA1
67fcce56f4eb13ee71e88ccda8284eae7b42cfc0

SHA256
5dfb40d13bc7ae738ed147f1a9f2893d09b1402a9d5ae03e59e74ab3a397cf98

SHA512
ca58bb61011fb8cf783a080c31d9948e18a160a1ba164cf5a7bec979f5f8a5f78f6266f99dfb3c319fc89ac60e9e1c4b7c3f3940e6dc1fc3b54768bdbddbf1a5

Download Submit
memory/2616-18-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/2616-42-0x0000000000A80000-0x0000000000AD9000-memory.dmp

Filesize
356KB

Download
memory/2616-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-45-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/2616-40-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2616-15-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/2616-26-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/2616-7-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/2616-12-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/2616-9-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/2616-595-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/2616-591-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/2616-4-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/2728-5-0x0000000075560000-0x0000000075670000-memory.dmp

Filesize
1.1MB

Download
memory/2728-1-0x0000000000A00000-0x0000000000A59000-memory.dmp

Filesize
356KB

Download
memory/2728-48-0x0000000002F70000-0x00000000030F0000-memory.dmp

Filesize
1.5MB

Download
memory/2728-2-0x000000007766F000-0x0000000077670000-memory.dmp

Filesize
4KB

Download
memory/2728-0-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2728-52-0x0000000002D20000-0x0000000002E30000-memory.dmp

Filesize
1.1MB

Download
memory/2728-49-0x0000000000A00000-0x0000000000A59000-memory.dmp

Filesize
356KB

Download
memory/2728-53-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2728-54-0x0000000075560000-0x0000000075670000-memory.dmp

Filesize
1.1MB

Download
memory/2740-90-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-99-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-43-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-67-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-72-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-70-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-27-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-74-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-77-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-78-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-79-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-81-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-82-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-80-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-83-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-85-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-29-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-89-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-88-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-87-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-86-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-84-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-91-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-92-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-93-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-98-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-97-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-96-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-95-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-94-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-50-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-100-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-105-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-104-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-103-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-102-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-101-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-107-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-106-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-111-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-110-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-109-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-108-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-112-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-113-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-118-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-117-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-116-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-115-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-114-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-119-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-121-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-120-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-122-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-124-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-123-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-125-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-35-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-38-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2740-24-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download