blackmoon | b9ab5445c84aa49ccd5cece88e96094198aad01358f35e2566853cdc1afa2ac3

Analysis

max time kernel
1s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.02f7357855f89d0f7c2c0baf6364e950.exe
Size

78KB
MD5

02f7357855f89d0f7c2c0baf6364e950
SHA1

bc59ebc85ee4921c669027407979ee69a9758af1
SHA256

b9ab5445c84aa49ccd5cece88e96094198aad01358f35e2566853cdc1afa2ac3
SHA512

838983687d4802f18e9809c1c7f69e8a15366611b7b2237802c4ff581e22d14a252c601255c64d829ed83f02b0ad0c778f45f71961feec5434b6cd5a238dee93
SSDEEP

1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoLU1gxmcK8S9/LhuQhj:ymb3NkkiQ3mdBjFoLkmW8A/bj

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral2/memory/1688-9-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/4696-11-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/3604-22-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/2404-25-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/4636-35-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon

Executes dropped EXE 2 IoCs

pid	Process
4696	8045b7i.exe
3604	o739377.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1688-2-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1688-3-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1688-9-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4696-11-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3604-17-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3604-22-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2404-25-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4636-31-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4636-35-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1084-38-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 4696	1688	NEAS.02f7357855f89d0f7c2c0baf6364e950.exe	85
PID 1688 wrote to memory of 4696	1688	NEAS.02f7357855f89d0f7c2c0baf6364e950.exe	85
PID 1688 wrote to memory of 4696	1688	NEAS.02f7357855f89d0f7c2c0baf6364e950.exe	85
PID 4696 wrote to memory of 3604	4696	8045b7i.exe	86
PID 4696 wrote to memory of 3604	4696	8045b7i.exe	86
PID 4696 wrote to memory of 3604	4696	8045b7i.exe	86
PID 3604 wrote to memory of 2404	3604	o739377.exe	87
PID 3604 wrote to memory of 2404	3604	o739377.exe	87
PID 3604 wrote to memory of 2404	3604	o739377.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.02f7357855f89d0f7c2c0baf6364e950.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.02f7357855f89d0f7c2c0baf6364e950.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- \??\c:\8045b7i.exe
  c:\8045b7i.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4696
- - \??\c:\o739377.exe
    c:\o739377.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - \??\c:\rh0mxco.exe
      c:\rh0mxco.exe
      4⤵
      PID:2404
    - - \??\c:\2471176.exe
        
        c:\2471176.exe
        5⤵
        
        PID:4636
      - \??\c:\2p71a8.exe
        
        c:\2p71a8.exe
        6⤵
        
        PID:1084
        
        \??\c:\n5739.exe
        
        c:\n5739.exe
        7⤵
        
        PID:2204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2471176.exe

Filesize
78KB

MD5
42823a1972a15ccb7c823d11cc4f9ed0

SHA1
e34736801e2f06ad3626a41a491e56d8b633356b

SHA256
abb5d3aae38baa255392c83fc7e6a36d08371f39a9933b033a72a352b6e89d4f

SHA512
da2684391f9913050e922e1611b5369b0ad6ebbbe4fc46da7bb3348c87b2333719c258588d5d81018a635ed3ea90435c6a58f0a63ad5940d2bcaf5e31d076fdd

Download Submit
C:\2p71a8.exe

Filesize
78KB

MD5
8995a72a04cb91c051196cf810d36016

SHA1
e2ea6d5e4241c98f138d5f839bb343282be59b37

SHA256
509c2a6af88007c5c5dbbb5b81171f5f736d78d33cc0a870ba860f653be995da

SHA512
4a0f5e8b2264ea9804a54e35c62205fbee993214891db92f135d7ad2a6823e9f94821ea7ffbcf7ddce5f7350a6aaf35433993b0e1c35bf87c5360101409bc4a7

Download Submit
C:\8045b7i.exe

Filesize
78KB

MD5
e500d4721e862ae7f22deb208fd25625

SHA1
dd86841ea3c2a17dc9ea42be2fe2fb192f85dbb1

SHA256
368c1142971494342b387812b8604d8d47d15737bafa07dec2a1b2f754e7bf5e

SHA512
6207c67618ecbdf3b29be313722b60fd5383e97abf6bcb25dfb281bcd82e859b95f9a2671c64e05055c96ba90be521132ff669bfee02761a79661487f7e21fd7

Download Submit
C:\o739377.exe

Filesize
78KB

MD5
f2434915b2bbcca7a4773a541ac63db8

SHA1
9873c6fac74f7ce0e3550ce659b0a9b6baeaf58f

SHA256
8cb61d321b4f1f3ec90d7db3a97d38363a7e7fe1947208ce58dc1a08318f5253

SHA512
8135660f011b28c9814a5e5fd461768111ae313b1c5fc9fe122fcec4ee9997c51058078a6fff00d65d8b6e7b521c104dbbe0f13c3e84f8ac9a0b696c10e3a893

Download Submit
C:\rh0mxco.exe

Filesize
78KB

MD5
99a4e54eadf5a9aa7e2ac62f916a8382

SHA1
d4dbfe65e9b91e18e4b17294a8ef9bae6125bdf0

SHA256
7f1124f3656870b2416c638f017cc173bddab9c999418d55fe737f29b47ffe51

SHA512
45b1b3516f12a60ed3114623e8405d5482ea0c9b1001ecfa3992a0b6e7948f93beae8a6b19a4099c63c0fe352dcaf914589c092c3bc135248bd055d1b11dd0a0

Download Submit
C:\rh0mxco.exe

Filesize
78KB

MD5
99a4e54eadf5a9aa7e2ac62f916a8382

SHA1
d4dbfe65e9b91e18e4b17294a8ef9bae6125bdf0

SHA256
7f1124f3656870b2416c638f017cc173bddab9c999418d55fe737f29b47ffe51

SHA512
45b1b3516f12a60ed3114623e8405d5482ea0c9b1001ecfa3992a0b6e7948f93beae8a6b19a4099c63c0fe352dcaf914589c092c3bc135248bd055d1b11dd0a0

Download Submit
\??\c:\2471176.exe

Filesize
78KB

MD5
42823a1972a15ccb7c823d11cc4f9ed0

SHA1
e34736801e2f06ad3626a41a491e56d8b633356b

SHA256
abb5d3aae38baa255392c83fc7e6a36d08371f39a9933b033a72a352b6e89d4f

SHA512
da2684391f9913050e922e1611b5369b0ad6ebbbe4fc46da7bb3348c87b2333719c258588d5d81018a635ed3ea90435c6a58f0a63ad5940d2bcaf5e31d076fdd

Download Submit
\??\c:\2p71a8.exe

Filesize
78KB

MD5
8995a72a04cb91c051196cf810d36016

SHA1
e2ea6d5e4241c98f138d5f839bb343282be59b37

SHA256
509c2a6af88007c5c5dbbb5b81171f5f736d78d33cc0a870ba860f653be995da

SHA512
4a0f5e8b2264ea9804a54e35c62205fbee993214891db92f135d7ad2a6823e9f94821ea7ffbcf7ddce5f7350a6aaf35433993b0e1c35bf87c5360101409bc4a7

Download Submit
\??\c:\8045b7i.exe

Filesize
78KB

MD5
e500d4721e862ae7f22deb208fd25625

SHA1
dd86841ea3c2a17dc9ea42be2fe2fb192f85dbb1

SHA256
368c1142971494342b387812b8604d8d47d15737bafa07dec2a1b2f754e7bf5e

SHA512
6207c67618ecbdf3b29be313722b60fd5383e97abf6bcb25dfb281bcd82e859b95f9a2671c64e05055c96ba90be521132ff669bfee02761a79661487f7e21fd7

Download Submit
\??\c:\o739377.exe

Filesize
78KB

MD5
f2434915b2bbcca7a4773a541ac63db8

SHA1
9873c6fac74f7ce0e3550ce659b0a9b6baeaf58f

SHA256
8cb61d321b4f1f3ec90d7db3a97d38363a7e7fe1947208ce58dc1a08318f5253

SHA512
8135660f011b28c9814a5e5fd461768111ae313b1c5fc9fe122fcec4ee9997c51058078a6fff00d65d8b6e7b521c104dbbe0f13c3e84f8ac9a0b696c10e3a893

Download Submit
\??\c:\rh0mxco.exe

Filesize
78KB

MD5
99a4e54eadf5a9aa7e2ac62f916a8382

SHA1
d4dbfe65e9b91e18e4b17294a8ef9bae6125bdf0

SHA256
7f1124f3656870b2416c638f017cc173bddab9c999418d55fe737f29b47ffe51

SHA512
45b1b3516f12a60ed3114623e8405d5482ea0c9b1001ecfa3992a0b6e7948f93beae8a6b19a4099c63c0fe352dcaf914589c092c3bc135248bd055d1b11dd0a0

Download Submit
memory/1084-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1688-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1688-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1688-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1688-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1688-1-0x0000000002170000-0x000000000217C000-memory.dmp

Filesize
48KB

Download
memory/2404-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3604-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3604-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4636-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4636-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4696-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download