blackmoon | 0c472b45dd78a2481f107d2fb5e782ff8041e12cdfe248bc80ebd59aa1036ee1

Analysis

max time kernel
50s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 18:17

Target

NEAS.345c2e12cd3abf5c7f2eff72fd9f1cc0.exe
Size

131KB
MD5

345c2e12cd3abf5c7f2eff72fd9f1cc0
SHA1

6db1c0e7c0cb31fcc388f78410dd51e4d632f255
SHA256

0c472b45dd78a2481f107d2fb5e782ff8041e12cdfe248bc80ebd59aa1036ee1
SHA512

0471a08ba09d2ebc3ba9609451033fcec9cefeb78b8256951ec9051b4421cb63fe7f75d60fb3f91a36f2fa4ac4030b99757e7cfd43c7e1aee374b8fb82b785fb
SSDEEP

3072:ymb3NkkiQ3mdBjFo73tvn+Yp9gBEpBmj60Lxcw:n3C9BRo7tvnJ9oEzA6Bw

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/1800-4-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
3224	55u78.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1800-2-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1800-4-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 3224	1800	NEAS.345c2e12cd3abf5c7f2eff72fd9f1cc0.exe	84
PID 1800 wrote to memory of 3224	1800	NEAS.345c2e12cd3abf5c7f2eff72fd9f1cc0.exe	84
PID 1800 wrote to memory of 3224	1800	NEAS.345c2e12cd3abf5c7f2eff72fd9f1cc0.exe	84

C:\Users\Admin\AppData\Local\Temp\NEAS.345c2e12cd3abf5c7f2eff72fd9f1cc0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.345c2e12cd3abf5c7f2eff72fd9f1cc0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- \??\c:\55u78.exe
  c:\55u78.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- - \??\c:\4uu5gf.exe
    c:\4uu5gf.exe
    3⤵
    PID:1504

C:\55u78.exe

Filesize
131KB

MD5
71e2049e9150f25f84aba3d47375482f

SHA1
95073664ce45d06b74eaba1918c03202f7ea8380

SHA256
febfbfc39b4429c962526cb9e6ae41e496bf3732a74a6be38b1cbbc320a56f18

SHA512
16f04c86b7d718024c5461c889e3dcab89557141b1e3f5fcad2bd77ec8c9c78662224faddef7318080fc5c427dc389280cd1b495244e33a9cf97606068f53926

Download Submit
\??\c:\55u78.exe

Filesize
131KB

MD5
71e2049e9150f25f84aba3d47375482f

SHA1
95073664ce45d06b74eaba1918c03202f7ea8380

SHA256
febfbfc39b4429c962526cb9e6ae41e496bf3732a74a6be38b1cbbc320a56f18

SHA512
16f04c86b7d718024c5461c889e3dcab89557141b1e3f5fcad2bd77ec8c9c78662224faddef7318080fc5c427dc389280cd1b495244e33a9cf97606068f53926

Download Submit
memory/1800-1-0x0000000002170000-0x000000000217C000-memory.dmp

Filesize
48KB

Download
memory/1800-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1800-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1800-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download