blackmoon | 1bed5fd6213c8e2ed4bb290f2bb23c66a947a4e2d5713c1852193fafe135477f

Analysis

max time kernel
2s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.992b9204f18dc4ec02973dd1f5bb5600.exe
Size

87KB
MD5

992b9204f18dc4ec02973dd1f5bb5600
SHA1

5113e3039db8db6104f9a9806b59b54c5f750de4
SHA256

1bed5fd6213c8e2ed4bb290f2bb23c66a947a4e2d5713c1852193fafe135477f
SHA512

f2b9ef4f750b732276ef2806796bea3adf5cbfa99404e6755940f61c959bc3fa2f322be299a8fdc7f6d58b8733a460d9125e254baa9fbbd1d7ea9f18a9413071
SSDEEP

1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoLU1gq6toilpUsp70DDIL:ymb3NkkiQ3mdBjFoLkmo+UU7yEL

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral2/memory/2960-3-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/4000-11-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/2356-18-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/4816-26-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/4952-34-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon

Executes dropped EXE 3 IoCs

pid	Process
4000	1u1lg1.exe
2356	ga5t1.exe
4816	29w9e5u.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2960-2-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2960-3-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4000-11-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2356-18-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4816-24-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4816-26-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4952-32-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4952-34-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3948-40-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 4000	2960	NEAS.992b9204f18dc4ec02973dd1f5bb5600.exe	86
PID 2960 wrote to memory of 4000	2960	NEAS.992b9204f18dc4ec02973dd1f5bb5600.exe	86
PID 2960 wrote to memory of 4000	2960	NEAS.992b9204f18dc4ec02973dd1f5bb5600.exe	86
PID 4000 wrote to memory of 2356	4000	1u1lg1.exe	87
PID 4000 wrote to memory of 2356	4000	1u1lg1.exe	87
PID 4000 wrote to memory of 2356	4000	1u1lg1.exe	87
PID 2356 wrote to memory of 4816	2356	ga5t1.exe	88
PID 2356 wrote to memory of 4816	2356	ga5t1.exe	88
PID 2356 wrote to memory of 4816	2356	ga5t1.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.992b9204f18dc4ec02973dd1f5bb5600.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.992b9204f18dc4ec02973dd1f5bb5600.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- \??\c:\1u1lg1.exe
  c:\1u1lg1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4000
- - \??\c:\ga5t1.exe
    c:\ga5t1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - \??\c:\29w9e5u.exe
      c:\29w9e5u.exe
      4⤵
      Executes dropped EXE
      PID:4816
    - - \??\c:\ilsa44.exe
        
        c:\ilsa44.exe
        5⤵
        
        PID:4952
      - \??\c:\2ukg5.exe
        
        c:\2ukg5.exe
        6⤵
        
        PID:3948
        
        \??\c:\1fe20f.exe
        
        c:\1fe20f.exe
        7⤵
        
        PID:1312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1fe20f.exe

Filesize
87KB

MD5
b21751d391fb48cffd07842f10bc4066

SHA1
6650d456f2d2ee003c4aabf7e3847c10fbcb1891

SHA256
6a83d5495b089177a75b13a46be2a4e219a39c55faad4115ca938b72e0008e63

SHA512
d5ca9cac37de11eba2b4a3d71651520ba5c1dfe91ef8d23a0089b8d2ebdaea73ad8c88aebbc6108f06ecff55425a1b56d868c8365f55b1f0bd0286ddd99fb0bf

Download Submit
C:\1u1lg1.exe

Filesize
87KB

MD5
823bf8e4a54ddd67dfd7ab562752be54

SHA1
456411e12f8bdeb216de220e3953b90bb34fece2

SHA256
c5337c03e0ea627988e745556f5cf700d8b5999d09d226feafbcc8e76f7fa043

SHA512
4c80fd0292aa19723e7a0119c29d1e6122e20e49aff8d046bdc11ebf0582c7abd564e83f1eb8ee3194f2af51f4d58b24ce7306b4dc12ce27d7ea6bb47527481a

Download Submit
C:\29w9e5u.exe

Filesize
87KB

MD5
2b1e8e30cc6d18a9b5a0308cb96cff09

SHA1
b701a2f539beccca1cd500bab5714dd15cc9cc7d

SHA256
65bfa9c65bc8af0a00b36800d0ab43e05cb0b7dd7fee9d43a7b3668ef3be532a

SHA512
8bf3b1653d5f44781f24bf2eeb06f944d9e5de9c08d811fe455db0928f784498422f3585740a3d62cf8f5510dfcef3f9ea58b6e689ef373437abcf3583e28e2a

Download Submit
C:\29w9e5u.exe

Filesize
87KB

MD5
2b1e8e30cc6d18a9b5a0308cb96cff09

SHA1
b701a2f539beccca1cd500bab5714dd15cc9cc7d

SHA256
65bfa9c65bc8af0a00b36800d0ab43e05cb0b7dd7fee9d43a7b3668ef3be532a

SHA512
8bf3b1653d5f44781f24bf2eeb06f944d9e5de9c08d811fe455db0928f784498422f3585740a3d62cf8f5510dfcef3f9ea58b6e689ef373437abcf3583e28e2a

Download Submit
C:\2ukg5.exe

Filesize
87KB

MD5
a21a8b61c60d6698ca2bdea41fc090a7

SHA1
93f2b51859c8902023c4596ecd87cf0b07039b88

SHA256
d06852204fcafa5772218fda1377a68a1ef72c45f365463133e58391a2b56464

SHA512
8e4a1b6b1ba9cef9a66398652423bbaffe1a3429142e43fa38160b563a183e4fcbc20cd8072a653e54f0a38ad0d17499c78671f0566179e236f4e9d415e11ac9

Download Submit
C:\ga5t1.exe

Filesize
87KB

MD5
f977aeb821b8737a9ed97fba7f19409e

SHA1
b8a836ad9da057a56743705d728d78a24040fc6f

SHA256
1b94b73e113ddeb40fe1d3a4164f0b0721d50128e4dd28328dd822b306de374a

SHA512
be268ca23d943b2f8e530298da56903700b8f9befa566f9c6d194f0a8e45748dc2fed349370f23d29e0df560eca780be1845eea713dd7ed69ef4b696c95c48d7

Download Submit
C:\ilsa44.exe

Filesize
87KB

MD5
1765a6839fea417cc92dcce1ca550336

SHA1
821ab768f202ccd96048fef331a8742f1d32aecf

SHA256
360636bbff25f0d194b0e0b26ffd73b90ef1e88b3cbc21439693c137c072081b

SHA512
e422d88a0e538554cb27e473c05a0b0c7e317a9efccd6d95fdc36b26fb760275863dedd92a8cef15aa1579451d0466d61ff313e624f3127364d84f4f75df3543

Download Submit
\??\c:\1fe20f.exe

Filesize
87KB

MD5
b21751d391fb48cffd07842f10bc4066

SHA1
6650d456f2d2ee003c4aabf7e3847c10fbcb1891

SHA256
6a83d5495b089177a75b13a46be2a4e219a39c55faad4115ca938b72e0008e63

SHA512
d5ca9cac37de11eba2b4a3d71651520ba5c1dfe91ef8d23a0089b8d2ebdaea73ad8c88aebbc6108f06ecff55425a1b56d868c8365f55b1f0bd0286ddd99fb0bf

Download Submit
\??\c:\1u1lg1.exe

Filesize
87KB

MD5
823bf8e4a54ddd67dfd7ab562752be54

SHA1
456411e12f8bdeb216de220e3953b90bb34fece2

SHA256
c5337c03e0ea627988e745556f5cf700d8b5999d09d226feafbcc8e76f7fa043

SHA512
4c80fd0292aa19723e7a0119c29d1e6122e20e49aff8d046bdc11ebf0582c7abd564e83f1eb8ee3194f2af51f4d58b24ce7306b4dc12ce27d7ea6bb47527481a

Download Submit
\??\c:\29w9e5u.exe

Filesize
87KB

MD5
2b1e8e30cc6d18a9b5a0308cb96cff09

SHA1
b701a2f539beccca1cd500bab5714dd15cc9cc7d

SHA256
65bfa9c65bc8af0a00b36800d0ab43e05cb0b7dd7fee9d43a7b3668ef3be532a

SHA512
8bf3b1653d5f44781f24bf2eeb06f944d9e5de9c08d811fe455db0928f784498422f3585740a3d62cf8f5510dfcef3f9ea58b6e689ef373437abcf3583e28e2a

Download Submit
\??\c:\2ukg5.exe

Filesize
87KB

MD5
a21a8b61c60d6698ca2bdea41fc090a7

SHA1
93f2b51859c8902023c4596ecd87cf0b07039b88

SHA256
d06852204fcafa5772218fda1377a68a1ef72c45f365463133e58391a2b56464

SHA512
8e4a1b6b1ba9cef9a66398652423bbaffe1a3429142e43fa38160b563a183e4fcbc20cd8072a653e54f0a38ad0d17499c78671f0566179e236f4e9d415e11ac9

Download Submit
\??\c:\ga5t1.exe

Filesize
87KB

MD5
f977aeb821b8737a9ed97fba7f19409e

SHA1
b8a836ad9da057a56743705d728d78a24040fc6f

SHA256
1b94b73e113ddeb40fe1d3a4164f0b0721d50128e4dd28328dd822b306de374a

SHA512
be268ca23d943b2f8e530298da56903700b8f9befa566f9c6d194f0a8e45748dc2fed349370f23d29e0df560eca780be1845eea713dd7ed69ef4b696c95c48d7

Download Submit
\??\c:\ilsa44.exe

Filesize
87KB

MD5
1765a6839fea417cc92dcce1ca550336

SHA1
821ab768f202ccd96048fef331a8742f1d32aecf

SHA256
360636bbff25f0d194b0e0b26ffd73b90ef1e88b3cbc21439693c137c072081b

SHA512
e422d88a0e538554cb27e473c05a0b0c7e317a9efccd6d95fdc36b26fb760275863dedd92a8cef15aa1579451d0466d61ff313e624f3127364d84f4f75df3543

Download Submit
memory/2356-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2960-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2960-1-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2960-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2960-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4000-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4816-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4816-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4952-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4952-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download