blackmoon | d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a

Analysis

max time kernel
5s
max time network
29s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe
Size

5.8MB
MD5

e08015604f562f1409440fec6a32b1f8
SHA1

f84afe3ff4bf4e463a881ab1e92de37e23d3a0b9
SHA256

d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a
SHA512

dda10ce2ba42e22032065942b03f51fd1d2f96247ad09725d1de10c8e3eebead7a5d1e9b40813c08830bb88beec0ff18496a9e00a0fc0cb2f5e27b61ef7b0f51
SSDEEP

98304:FLcFdRkuo92IMlQnbVIPzf83ouM3z7JYnGrxMy+FY9i3voKziPDC+kAECq4:F0dRdo929MxMfaoN6ILgjmrnkJ6

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

resource	yara_rule
behavioral2/memory/4680-9-0x0000000000400000-0x00000000009F8000-memory.dmp	family_blackmoon
behavioral2/memory/4680-10-0x0000000000400000-0x00000000009F8000-memory.dmp	family_blackmoon
behavioral2/memory/4680-12-0x0000000000400000-0x00000000009F8000-memory.dmp	family_blackmoon
behavioral2/memory/3280-17-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral2/memory/3280-19-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral2/memory/3280-26-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral2/memory/4680-386-0x0000000000400000-0x00000000009F8000-memory.dmp	family_blackmoon

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\libcurl.dll	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4188 set thread context of 4680	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	94
PID 4188 set thread context of 3280	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	95

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe
4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe
4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe
4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe
4680	dllhst3g.exe
4680	dllhst3g.exe
4680	dllhst3g.exe
4680	dllhst3g.exe
3280	RdpSaUacHelper.exe
3280	RdpSaUacHelper.exe
3280	RdpSaUacHelper.exe
3280	RdpSaUacHelper.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe
4680	dllhst3g.exe
3280	RdpSaUacHelper.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4788	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	86
PID 4188 wrote to memory of 4788	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	86
PID 4188 wrote to memory of 4788	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	86
PID 4188 wrote to memory of 3252	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	87
PID 4188 wrote to memory of 3252	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	87
PID 4188 wrote to memory of 3252	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	87
PID 4188 wrote to memory of 2092	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	88
PID 4188 wrote to memory of 2092	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	88
PID 4188 wrote to memory of 2092	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	88
PID 4188 wrote to memory of 3728	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	89
PID 4188 wrote to memory of 3728	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	89
PID 4188 wrote to memory of 3728	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	89
PID 4188 wrote to memory of 4692	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	90
PID 4188 wrote to memory of 4692	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	90
PID 4188 wrote to memory of 4692	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	90
PID 4188 wrote to memory of 4564	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	91
PID 4188 wrote to memory of 4564	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	91
PID 4188 wrote to memory of 4564	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	91
PID 4188 wrote to memory of 5092	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	92
PID 4188 wrote to memory of 5092	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	92
PID 4188 wrote to memory of 5092	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	92
PID 4188 wrote to memory of 1852	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	93
PID 4188 wrote to memory of 1852	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	93
PID 4188 wrote to memory of 1852	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	93
PID 4188 wrote to memory of 4680	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	94
PID 4188 wrote to memory of 4680	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	94
PID 4188 wrote to memory of 4680	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	94
PID 4188 wrote to memory of 4680	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	94
PID 4188 wrote to memory of 4680	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	94
PID 4188 wrote to memory of 4680	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	94
PID 4188 wrote to memory of 4680	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	94
PID 4188 wrote to memory of 4680	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	94
PID 4188 wrote to memory of 4680	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	94
PID 4188 wrote to memory of 3280	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	95
PID 4188 wrote to memory of 3280	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	95
PID 4188 wrote to memory of 3280	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	95
PID 4188 wrote to memory of 3280	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	95
PID 4188 wrote to memory of 3280	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	95
PID 4188 wrote to memory of 3280	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	95
PID 4188 wrote to memory of 3280	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	95
PID 4188 wrote to memory of 3280	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	95
PID 4188 wrote to memory of 3280	4188	d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe	95

C:\Users\Admin\AppData\Local\Temp\d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe
"C:\Users\Admin\AppData\Local\Temp\d89447de1ebb02394f5eb8fa8c3e5ad1478e9cfb5d0a0a3adc0a2af614f95a3a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\SysWOW64\sfc.exe
  sfc.exe
  2⤵
  PID:4788
- C:\Windows\SysWOW64\auditpol.exe
  auditpol.exe
  2⤵
  PID:3252
- C:\Windows\SysWOW64\mcbuilder.exe
  mcbuilder.exe
  2⤵
  PID:2092
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe
  2⤵
  PID:3728
- C:\Windows\SysWOW64\cttune.exe
  cttune.exe
  2⤵
  PID:4692
- C:\Windows\SysWOW64\write.exe
  write.exe
  2⤵
  PID:4564
- C:\Windows\SysWOW64\curl.exe
  curl.exe
  2⤵
  PID:5092
- C:\Windows\SysWOW64\extrac32.exe
  extrac32.exe
  2⤵
  PID:1852
- C:\Windows\SysWOW64\dllhst3g.exe
  dllhst3g.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4680
- C:\Windows\SysWOW64\RdpSaUacHelper.exe
  RdpSaUacHelper.exe Mzeasst
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\manatee.ini

Filesize
260B

MD5
48cf4e6b553dbc5432b14476bd096bed

SHA1
6a98f5b0e385a7188c367c326665b1d88dd2c641

SHA256
0e4fa0074803f18390697bcc03a4b88a42dbbfdef8698003a9e2d27b6d39306a

SHA512
45273ba55ae6f5d3e7bb2532464ad9bd9418643db99866540fb7773994f814a581ba450cf6aa56a60b8a05f8311516062f218f691805d00180da8d1d5cdadb50

Download Submit
\??\c:\manatee.ini

Filesize
213B

MD5
30d33686e7db5f692d64977a6fdfddd9

SHA1
9db3ff86dc705e7bebec29dfd9e871ca8d20ec23

SHA256
8b4ead3c39bd85793ea400410d902cf8759e9a0bc6b3519cebb73e76db13449a

SHA512
eb4348c01bdb685b038edc861254af926ea98bf625fdedd5615eb703777668f344862381f28389bdb26a0d42fa40501431a6d16afa389d488d1eca568366a312

Download Submit
memory/3280-323-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-260-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-324-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-325-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-326-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-331-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-335-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-340-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-15-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-16-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-339-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-17-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-19-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-338-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-337-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-336-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-26-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-334-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-333-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-303-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-332-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-327-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-185-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3280-244-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/3280-248-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-320-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-330-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-304-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-329-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-328-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-321-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-297-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-298-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-299-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-301-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-302-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-322-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-305-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-319-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-306-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-307-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-308-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-309-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-310-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-311-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-312-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-313-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-314-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-315-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-316-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-317-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3280-318-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4188-96-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/4188-29-0x0000000076050000-0x0000000076265000-memory.dmp

Filesize
2.1MB

Download
memory/4188-3-0x00000000028D0000-0x0000000002929000-memory.dmp

Filesize
356KB

Download
memory/4188-0-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/4188-5-0x0000000076050000-0x0000000076265000-memory.dmp

Filesize
2.1MB

Download
memory/4188-7-0x0000000003440000-0x00000000035E3000-memory.dmp

Filesize
1.6MB

Download
memory/4188-28-0x0000000003220000-0x0000000003435000-memory.dmp

Filesize
2.1MB

Download
memory/4188-1-0x0000000076740000-0x0000000076830000-memory.dmp

Filesize
960KB

Download
memory/4188-155-0x0000000076740000-0x0000000076830000-memory.dmp

Filesize
960KB

Download
memory/4188-97-0x00000000028D0000-0x0000000002929000-memory.dmp

Filesize
356KB

Download
memory/4188-86-0x0000000002BF0000-0x0000000002CE0000-memory.dmp

Filesize
960KB

Download
memory/4188-2-0x0000000077A32000-0x0000000077A33000-memory.dmp

Filesize
4KB

Download
memory/4680-25-0x0000000002B00000-0x0000000002B59000-memory.dmp

Filesize
356KB

Download
memory/4680-46-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/4680-22-0x0000000076740000-0x0000000076830000-memory.dmp

Filesize
960KB

Download
memory/4680-12-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/4680-10-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/4680-9-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/4680-8-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/4680-24-0x0000000076050000-0x0000000076265000-memory.dmp

Filesize
2.1MB

Download
memory/4680-6-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download
memory/4680-18-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/4680-386-0x0000000000400000-0x00000000009F8000-memory.dmp

Filesize
6.0MB

Download