blackmoon | 5f39daa7e0bbce80fd66b9cefde88032eb8a14d2e98a7031c2c849ab22fa5d3f

Analysis

max time kernel
160s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 15:59

Target

5f39daa7e0bbce80fd66b9cefde88032eb8a14d2e98a7031c2c849ab22fa5d3f.exe
Size

856KB
MD5

d56cec5f847a4e075d05925560dac182
SHA1

fb666c645575960cda418cd4f3662865099a05df
SHA256

5f39daa7e0bbce80fd66b9cefde88032eb8a14d2e98a7031c2c849ab22fa5d3f
SHA512

4b3375b43b4b9f0545724f6269df8aa6fb740e28d8c400f2e45ae743a921a7d006c722e02c46536c29c86997cc3f5d2e4d3788bb11cc3eff671ec36abc72680b
SSDEEP

24576:OFs9imJumWV/rAP8MgA7NWLaHRieR0pB/wG:70muMlgA7NiaHRieGpB/T

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 6 IoCs

resource	yara_rule
behavioral2/memory/3292-2-0x0000000000400000-0x0000000000677000-memory.dmp	family_blackmoon
behavioral2/files/0x0006000000009f03-5.dat	family_blackmoon
behavioral2/memory/3292-8-0x0000000000400000-0x0000000000677000-memory.dmp	family_blackmoon
behavioral2/memory/3292-10-0x0000000000400000-0x0000000000677000-memory.dmp	family_blackmoon
behavioral2/memory/3292-13-0x0000000000400000-0x0000000000677000-memory.dmp	family_blackmoon
behavioral2/memory/3292-15-0x0000000000400000-0x0000000000677000-memory.dmp	family_blackmoon

Loads dropped DLL 1 IoCs

pid	Process
3292	5f39daa7e0bbce80fd66b9cefde88032eb8a14d2e98a7031c2c849ab22fa5d3f.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3292-0-0x0000000000400000-0x0000000000677000-memory.dmp	upx
behavioral2/memory/3292-1-0x0000000000400000-0x0000000000677000-memory.dmp	upx
behavioral2/memory/3292-2-0x0000000000400000-0x0000000000677000-memory.dmp	upx
behavioral2/memory/3292-8-0x0000000000400000-0x0000000000677000-memory.dmp	upx
behavioral2/memory/3292-10-0x0000000000400000-0x0000000000677000-memory.dmp	upx
behavioral2/memory/3292-13-0x0000000000400000-0x0000000000677000-memory.dmp	upx
behavioral2/memory/3292-15-0x0000000000400000-0x0000000000677000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\libexdui.dll	5f39daa7e0bbce80fd66b9cefde88032eb8a14d2e98a7031c2c849ab22fa5d3f.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3292	5f39daa7e0bbce80fd66b9cefde88032eb8a14d2e98a7031c2c849ab22fa5d3f.exe
3292	5f39daa7e0bbce80fd66b9cefde88032eb8a14d2e98a7031c2c849ab22fa5d3f.exe
3292	5f39daa7e0bbce80fd66b9cefde88032eb8a14d2e98a7031c2c849ab22fa5d3f.exe

C:\Windows\libexdui.dll

Filesize
660KB

MD5
edb2ae3f3a41f5e9939ab13b14231049

SHA1
dd72537627466033192d6ff3a7c65c515cf6df31

SHA256
d470bea39a4d942afe3789a4d8d90f6152b00b5bb2cc3f1bcff013da7cbaf061

SHA512
35f777e97fed4b082f64f288f0b822c7a57d09176bf5ba7bdfe2e9b2dc8444302451019e77c0b8c950c01389f56acc1216da1d88ca089694ba58103af06c2b8c

Download Submit
memory/3292-0-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/3292-1-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/3292-2-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/3292-8-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/3292-10-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/3292-11-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/3292-12-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3292-13-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/3292-14-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/3292-15-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download