blackmoon | 988b3767a1e5de3842381e7d8bdc86ea517ec0aecb982f9c658b3531a7232b7f

Analysis

max time kernel
169s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:28

Target

NEAS.7ae7b352caa5024d4e4b0d20eb8cb330.exe
Size

47KB
MD5

7ae7b352caa5024d4e4b0d20eb8cb330
SHA1

422bb2dded488a13899b85b897e0a295d7e4aae1
SHA256

988b3767a1e5de3842381e7d8bdc86ea517ec0aecb982f9c658b3531a7232b7f
SHA512

dea5b8e5a3ddaab8ea529d6ce45cd4156b7bbca14ce86bdbea8da15dfbe5031ee983861fe336c7d03af97badda7162133292dd844bd32535a145c346c48163b6
SSDEEP

768:kgiCW3swyczpQGof7BAs9g9yfyL6dStnO6yxzJGlpseNTbMtUXQLlPnbcuyD7UT:H9w/Qhjas9Qeo6dS4D1JGlp/NstI6lPR

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/2520-7-0x0000000000400000-0x000000000042C000-memory.dmp	family_blackmoon
behavioral2/memory/4432-9-0x0000000000400000-0x000000000042C000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
4432	nkn6g7.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2520-0-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/files/0x000a0000000230f9-5.dat	upx
behavioral2/files/0x000a0000000230f9-4.dat	upx
behavioral2/memory/2520-7-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/4432-9-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 4432	2520	NEAS.7ae7b352caa5024d4e4b0d20eb8cb330.exe	87
PID 2520 wrote to memory of 4432	2520	NEAS.7ae7b352caa5024d4e4b0d20eb8cb330.exe	87
PID 2520 wrote to memory of 4432	2520	NEAS.7ae7b352caa5024d4e4b0d20eb8cb330.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.7ae7b352caa5024d4e4b0d20eb8cb330.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7ae7b352caa5024d4e4b0d20eb8cb330.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- \??\c:\nkn6g7.exe
  c:\nkn6g7.exe
  2⤵
  - Executes dropped EXE
  PID:4432

C:\nkn6g7.exe

Filesize
47KB

MD5
f1842bb49e7a3acbedacf88cf062a422

SHA1
99d385b1c865aa32b5e877b2d86d24a316fe042c

SHA256
8ab53beae55f6be2c32201eef0ddbbeeb3d38bee354ffd704c2e4c3d7b1b9718

SHA512
f578ba337cec72617fa0434be5abc6e923fd128bdd202831cc1b72930f6b008d5830f43c89df3d849f536b6e84741de9eafcd3dfff480095075644742688a02c

Download Submit
\??\c:\jl

Filesize
75B

MD5
cb551364eeb2723d7e705c247ba5e193

SHA1
5435775684591a48134e45c6270dbb3a1cdf0693

SHA256
c2549dd8c2a17cd17b272b7b620755f93231beedfc817b0f53b17b63cdc3bbff

SHA512
57b03a536bbf1c0040a03acbae9a55a02e484151fa4077982fd3e27f7a337332473be4d9ec72b2693c49766ad62c343af2700496374fba24a6d7eafdc3129a24

Download Submit
\??\c:\nkn6g7.exe

Filesize
47KB

MD5
f1842bb49e7a3acbedacf88cf062a422

SHA1
99d385b1c865aa32b5e877b2d86d24a316fe042c

SHA256
8ab53beae55f6be2c32201eef0ddbbeeb3d38bee354ffd704c2e4c3d7b1b9718

SHA512
f578ba337cec72617fa0434be5abc6e923fd128bdd202831cc1b72930f6b008d5830f43c89df3d849f536b6e84741de9eafcd3dfff480095075644742688a02c

Download Submit
memory/2520-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2520-7-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4432-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download