blackmoon | 6532d739e9ad30d62804f5c5a43f8177be8f9e4aa6d8059dd0c58bbe87fc514c

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 00:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c9c574467131e973e1cb77eb1a2068d0.exe
Size

431KB
MD5

c9c574467131e973e1cb77eb1a2068d0
SHA1

6ead7320ea7cf74cff6be2be1e9fe70d44161b63
SHA256

6532d739e9ad30d62804f5c5a43f8177be8f9e4aa6d8059dd0c58bbe87fc514c
SHA512

8efb5eadff84f1fbed80c26ed28c1b8a53b2588f2b6414418cb22e7517c1443ce70bceba0a688e1ae32393e05605130c5205dcecb4db96e2d26b10d78a3c3bb2
SSDEEP

3072:TVmHpJqu0Vh6jw/fmZmRMpVuWwP5tOcQfgdVqYHKjoS1HwZCFjTPG1UFNE2XCKUd:TcHpJfHElepVuWwP5YcQfg8J+ojCKC+Q

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016619-9.dat	family_blackmoon
behavioral1/files/0x0007000000016619-13.dat	family_blackmoon
behavioral1/files/0x0007000000016619-10.dat	family_blackmoon
behavioral1/files/0x0007000000016619-7.dat	family_blackmoon
behavioral1/files/0x0007000000016619-14.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2848	Systemzdxxq.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	Systemzdxxq.exe

Loads dropped DLL 2 IoCs

pid	Process
2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe
2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe
2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe
2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe
2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe
2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe
2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe
2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe
2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe
2848	Systemzdxxq.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2848	2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe	29
PID 2164 wrote to memory of 2848	2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe	29
PID 2164 wrote to memory of 2848	2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe	29
PID 2164 wrote to memory of 2848	2164	NEAS.c9c574467131e973e1cb77eb1a2068d0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.c9c574467131e973e1cb77eb1a2068d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c9c574467131e973e1cb77eb1a2068d0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\Systemzdxxq.exe
  "C:\Users\Admin\AppData\Local\Temp\Systemzdxxq.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Systemzdxxq.exe

Filesize
431KB

MD5
2d8ebb6336ee4f9ae179bc05ea6004b4

SHA1
dffc46b4965aa8fb9b31939020275227ef49508c

SHA256
1b08a5633b23f3af330fe6184d6f3ed7737cbf4478e987ef6eadac1e5f43e99a

SHA512
2d458d8bf05e9ceb8830c9d36a3334300a1d56bd2adc790490e3e3a1013e1d8ea33c2cf58b7777c3b32e259286126d974bd77fc8dc6f4c9abf42b27c8d12219e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Systemzdxxq.exe

Filesize
431KB

MD5
2d8ebb6336ee4f9ae179bc05ea6004b4

SHA1
dffc46b4965aa8fb9b31939020275227ef49508c

SHA256
1b08a5633b23f3af330fe6184d6f3ed7737cbf4478e987ef6eadac1e5f43e99a

SHA512
2d458d8bf05e9ceb8830c9d36a3334300a1d56bd2adc790490e3e3a1013e1d8ea33c2cf58b7777c3b32e259286126d974bd77fc8dc6f4c9abf42b27c8d12219e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Systemzdxxq.exe

Filesize
431KB

MD5
2d8ebb6336ee4f9ae179bc05ea6004b4

SHA1
dffc46b4965aa8fb9b31939020275227ef49508c

SHA256
1b08a5633b23f3af330fe6184d6f3ed7737cbf4478e987ef6eadac1e5f43e99a

SHA512
2d458d8bf05e9ceb8830c9d36a3334300a1d56bd2adc790490e3e3a1013e1d8ea33c2cf58b7777c3b32e259286126d974bd77fc8dc6f4c9abf42b27c8d12219e

Download Submit
C:\Users\Admin\AppData\Local\Temp\path.ini

Filesize
75B

MD5
20b2433d67cc8f723900652800eb38b0

SHA1
a9a69023f34f15b909e646f5fd475bebe341c22a

SHA256
51d04cd5b3df1ddce6a6d200f0cf37bbd7a711eb2bcd0770545cb451a26a1c3a

SHA512
5f7c614fa162c05f42e58412451b73729a5e324a796aade4bdccd1d9e1296aa89943d5809e7b0bd5615278d9e6fce6f97675f361357a3df687df36d174e961c0

Download Submit
\Users\Admin\AppData\Local\Temp\Systemzdxxq.exe

Filesize
431KB

MD5
2d8ebb6336ee4f9ae179bc05ea6004b4

SHA1
dffc46b4965aa8fb9b31939020275227ef49508c

SHA256
1b08a5633b23f3af330fe6184d6f3ed7737cbf4478e987ef6eadac1e5f43e99a

SHA512
2d458d8bf05e9ceb8830c9d36a3334300a1d56bd2adc790490e3e3a1013e1d8ea33c2cf58b7777c3b32e259286126d974bd77fc8dc6f4c9abf42b27c8d12219e

Download Submit
\Users\Admin\AppData\Local\Temp\Systemzdxxq.exe

Filesize
431KB

MD5
2d8ebb6336ee4f9ae179bc05ea6004b4

SHA1
dffc46b4965aa8fb9b31939020275227ef49508c

SHA256
1b08a5633b23f3af330fe6184d6f3ed7737cbf4478e987ef6eadac1e5f43e99a

SHA512
2d458d8bf05e9ceb8830c9d36a3334300a1d56bd2adc790490e3e3a1013e1d8ea33c2cf58b7777c3b32e259286126d974bd77fc8dc6f4c9abf42b27c8d12219e

Download Submit