blackmoon | 5a66dec96a86d26eeefe918dc19bc5f3ae8556d52dc26b41d43489438bd1dacb

Analysis

max time kernel
1s
max time network
7s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24/10/2023, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c56fd8ae55fac1c449a1492f20c095a0_JC.exe
Size

392KB
MD5

c56fd8ae55fac1c449a1492f20c095a0
SHA1

9dc8cf6ec6069a8cf0a3b83f62b0ec00ad6c6d72
SHA256

5a66dec96a86d26eeefe918dc19bc5f3ae8556d52dc26b41d43489438bd1dacb
SHA512

84b2bcd49124fd5a9a2dd416f6d9692a9714c7b3747c447063502c7eddcb17c1979e3c7fafd5b2fa4890ed651bba1df3cc80f8a83db1e21aadf4a2d71aded466
SSDEEP

12288:n3C9uDVFSjA8uhwI7FjpjUEq0rczZhfihmCJXb3dV:SnhQ9z

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/2244-3-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/3144-12-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/3228-20-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/2520-26-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
3144	pt899.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2244-2-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2244-3-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3144-12-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3228-18-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3228-20-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3144-10-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2520-26-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3144	2244	NEAS.c56fd8ae55fac1c449a1492f20c095a0_JC.exe	82
PID 2244 wrote to memory of 3144	2244	NEAS.c56fd8ae55fac1c449a1492f20c095a0_JC.exe	82
PID 2244 wrote to memory of 3144	2244	NEAS.c56fd8ae55fac1c449a1492f20c095a0_JC.exe	82

C:\Users\Admin\AppData\Local\Temp\NEAS.c56fd8ae55fac1c449a1492f20c095a0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c56fd8ae55fac1c449a1492f20c095a0_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- \??\c:\pt899.exe
  c:\pt899.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- - \??\c:\gwgu4nu.exe
    c:\gwgu4nu.exe
    3⤵
    PID:3228
  - - \??\c:\26795.exe
      c:\26795.exe
      4⤵
      PID:2520
    - - \??\c:\imook.exe
        
        c:\imook.exe
        5⤵
        
        PID:3068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\26795.exe

Filesize
392KB

MD5
8a5a6e514f8d99883979f0fe9312aabb

SHA1
6410b3ddd1ed7e0202293751b5fe1757a6825d0e

SHA256
bffbb6780d82a4848c6a9dbf41058ae8791bdedbbdb32339d54c53371a830160

SHA512
b5be89cf83fc780514f7aaf4f3d6a728f3f51f054905bba1ef54deaf0b73ec8aaeaad2a98ac994f0e65187d6c13ec0e322041023cc0ba4ff834c18b987a3b424

Download Submit
C:\26795.exe

Filesize
392KB

MD5
8a5a6e514f8d99883979f0fe9312aabb

SHA1
6410b3ddd1ed7e0202293751b5fe1757a6825d0e

SHA256
bffbb6780d82a4848c6a9dbf41058ae8791bdedbbdb32339d54c53371a830160

SHA512
b5be89cf83fc780514f7aaf4f3d6a728f3f51f054905bba1ef54deaf0b73ec8aaeaad2a98ac994f0e65187d6c13ec0e322041023cc0ba4ff834c18b987a3b424

Download Submit
C:\gwgu4nu.exe

Filesize
392KB

MD5
3042deea2a41febb4555aea9209e4de8

SHA1
bde75483f2131a803f8ab6bb3c4abba028e48b78

SHA256
c2aa79d046b9eb8fd6de38c634580d284d02845ef5ec8abf0a3a0b4ce8216daa

SHA512
d655cc5fdf5d860d63a04afb874707804b48f5bf777ed991ed8da83299c45697833a29026cc412bc96bf3ecacd3bfbaa9d2e0c54d5cecf9e9ee62f4e05229c8e

Download Submit
C:\imook.exe

Filesize
392KB

MD5
d8efd7ac0b4c7884566cda09948b050d

SHA1
8e19acbd2e636c21d4e187bc604b7fcaccfbd929

SHA256
2ef001d46acf1fb696103407139cd29e0f183a0c6aa0f45b861b829339d1e9ea

SHA512
57b0bc96d8b23064b5556339426eaf028391890827cf1ec770641a0d3efaccf0dee1b95e997ad32c99905e0e2c0efe84454528fac3c16cd54c8b20bae3a958e0

Download Submit
C:\pt899.exe

Filesize
392KB

MD5
6a7980b4926f4f96dbbe763150538a8c

SHA1
4ccc9ebd350e6aa64c89445fe77f82f8e1ad6952

SHA256
8e78c9247676068763a016c6b359e61259a21ba65e644c194ab46caf3859f9d8

SHA512
e9a05d2a50c197bb818f242b71909a7aa8bd61d9e57dd3be9835cee4f9cdc622be7dd22ae6f6929cce5fb72083f67888c9c3e301c4f497fd25d91640140f33c9

Download Submit
\??\c:\26795.exe

Filesize
392KB

MD5
8a5a6e514f8d99883979f0fe9312aabb

SHA1
6410b3ddd1ed7e0202293751b5fe1757a6825d0e

SHA256
bffbb6780d82a4848c6a9dbf41058ae8791bdedbbdb32339d54c53371a830160

SHA512
b5be89cf83fc780514f7aaf4f3d6a728f3f51f054905bba1ef54deaf0b73ec8aaeaad2a98ac994f0e65187d6c13ec0e322041023cc0ba4ff834c18b987a3b424

Download Submit
\??\c:\gwgu4nu.exe

Filesize
392KB

MD5
3042deea2a41febb4555aea9209e4de8

SHA1
bde75483f2131a803f8ab6bb3c4abba028e48b78

SHA256
c2aa79d046b9eb8fd6de38c634580d284d02845ef5ec8abf0a3a0b4ce8216daa

SHA512
d655cc5fdf5d860d63a04afb874707804b48f5bf777ed991ed8da83299c45697833a29026cc412bc96bf3ecacd3bfbaa9d2e0c54d5cecf9e9ee62f4e05229c8e

Download Submit
\??\c:\imook.exe

Filesize
66KB

MD5
bb894bef51ff94282c07054eff54f927

SHA1
1d28fd6c9bcb28c78fbd00a217a9ab21b394c3b5

SHA256
1a98fffb5a8918e6ff0ff074bd416c1f96899cf8d17a20b2c23c16a06273e82a

SHA512
d3c6d1cefa7e466967e187fa93bdc421da96c4d519a46aa091256931a36cfae784d34b40c62748bd7b5ad3882058fd3e044b29f9eaa6dda9938b3d92a5c1b206

Download Submit
\??\c:\pt899.exe

Filesize
392KB

MD5
6a7980b4926f4f96dbbe763150538a8c

SHA1
4ccc9ebd350e6aa64c89445fe77f82f8e1ad6952

SHA256
8e78c9247676068763a016c6b359e61259a21ba65e644c194ab46caf3859f9d8

SHA512
e9a05d2a50c197bb818f242b71909a7aa8bd61d9e57dd3be9835cee4f9cdc622be7dd22ae6f6929cce5fb72083f67888c9c3e301c4f497fd25d91640140f33c9

Download Submit
memory/2244-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2244-1-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2244-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2244-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3144-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3144-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3228-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3228-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download