blackmoon | ef3618fbc19d8994c0022450e1487dfa5e730ced9fb0c2f9149e1d16ba71779c

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15-10-2023 19:37

Target

4cf34258777fbff3b6d2a36e9c801ec0_exe32.exe
Size

135KB
MD5

4cf34258777fbff3b6d2a36e9c801ec0
SHA1

791ad3bce22d022d910641fc051e5d8ffb40224c
SHA256

ef3618fbc19d8994c0022450e1487dfa5e730ced9fb0c2f9149e1d16ba71779c
SHA512

befa34c85a09b47195ff403e588cfe22f2c6ac1c02db6d5f64626664d5d72f971e36cb30cb6d3f1a4ffcc90c3b0592aa24f2624990513962a8671427a5133f5e
SSDEEP

1536:Md+zUtBIBU+2Da4lH4Iiue58o/ZDv4GMfcHZIlVKAn5ZAcXeOqbZ6Njk9:OqSe5OmiEoAcCbZ6I

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012273-5.dat	family_blackmoon
behavioral1/files/0x000c000000012273-6.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
3052	p71a73g.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	p71a73g.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\friendl.dll	p71a73g.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 3052	1824	4cf34258777fbff3b6d2a36e9c801ec0_exe32.exe	28
PID 1824 wrote to memory of 3052	1824	4cf34258777fbff3b6d2a36e9c801ec0_exe32.exe	28
PID 1824 wrote to memory of 3052	1824	4cf34258777fbff3b6d2a36e9c801ec0_exe32.exe	28
PID 1824 wrote to memory of 3052	1824	4cf34258777fbff3b6d2a36e9c801ec0_exe32.exe	28

C:\Users\Admin\AppData\Local\Temp\4cf34258777fbff3b6d2a36e9c801ec0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\4cf34258777fbff3b6d2a36e9c801ec0_exe32.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1824
- \??\c:\p71a73g.exe
  c:\p71a73g.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3052

C:\p71a73g.exe

Filesize
135KB

MD5
5584cbeb4312fbdd8ae7a39495d18656

SHA1
096551e76130a6dd299f96e19150d4416f6e6a68

SHA256
6835403fefc1b0af23616ef5ed6181bba57aa9374970ae3efbf6e537ded2d60a

SHA512
23c6587bfbaa5dc397ea05a056d78a8cac0fdaf804f0f010e5c2f6ce688c7f96f2a0a7e6ff8f2cfca31149c94d4ba531f5fa5d46b26e973601b69d4e36400f39

Download Submit
C:\p71a73g.exe

Filesize
135KB

MD5
5584cbeb4312fbdd8ae7a39495d18656

SHA1
096551e76130a6dd299f96e19150d4416f6e6a68

SHA256
6835403fefc1b0af23616ef5ed6181bba57aa9374970ae3efbf6e537ded2d60a

SHA512
23c6587bfbaa5dc397ea05a056d78a8cac0fdaf804f0f010e5c2f6ce688c7f96f2a0a7e6ff8f2cfca31149c94d4ba531f5fa5d46b26e973601b69d4e36400f39

Download Submit
\??\c:\jl

Filesize
76B

MD5
a7dc062367cfd2cbd2a5c8510e83a20f

SHA1
c91c56d8849ac7df2f2c817341255d92d792ac01

SHA256
a6917b527e60ef773a2c8ad74f3f7e01b99a0d1fcf40cff6e93c529c0a420e90

SHA512
f11882e340557cdd0cd89194bd6cbb985a5aa78c3accb45534837415d1f595beb228ca74277799ca430417e27eca44974f15b4d105cd92541e854f1ff0c5f6e5

Download Submit