blackmoon | c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
Size

10.6MB
MD5

fc67886445ee161ea074e983ed87711a
SHA1

16355b16649f046276de1ff4b1f09849263fbe71
SHA256

c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24
SHA512

4660dd31ec7097758f8b78fe13d581892ea8439dd7cf926097d7dba0b6952af54c503c95c1195764972fa14e49865e35b6b1c5c0b1a4611cf0a7e560e1920782
SSDEEP

196608:OBOtbQ6JVjP93izWhcSIIMSfpV4b653gsAaGEoXM8:OBOtbQ6zFyyMSxVeegsGEIM8

Score

10^/10

blackmoon banker trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 15 IoCs

resource	yara_rule
behavioral1/memory/2460-2-0x0000000000400000-0x0000000000EB6000-memory.dmp	family_blackmoon
behavioral1/memory/2460-6-0x0000000000400000-0x0000000000EB6000-memory.dmp	family_blackmoon
behavioral1/files/0x001100000001201d-28.dat	family_blackmoon
behavioral1/files/0x001100000001201d-34.dat	family_blackmoon
behavioral1/files/0x001100000001201d-32.dat	family_blackmoon
behavioral1/files/0x001100000001201d-30.dat	family_blackmoon
behavioral1/files/0x001100000001201d-35.dat	family_blackmoon
behavioral1/files/0x001100000001201d-41.dat	family_blackmoon
behavioral1/files/0x001100000001201d-37.dat	family_blackmoon
behavioral1/memory/2716-42-0x0000000000400000-0x0000000000EB6000-memory.dmp	family_blackmoon
behavioral1/memory/2800-53-0x0000000000400000-0x0000000000EB6000-memory.dmp	family_blackmoon
behavioral1/memory/2716-54-0x0000000000400000-0x0000000000EB6000-memory.dmp	family_blackmoon
behavioral1/memory/2460-55-0x0000000000400000-0x0000000000EB6000-memory.dmp	family_blackmoon
behavioral1/memory/2716-88-0x0000000000400000-0x0000000000EB6000-memory.dmp	family_blackmoon
behavioral1/memory/2800-89-0x0000000000400000-0x0000000000EB6000-memory.dmp	family_blackmoon

Executes dropped EXE 2 IoCs

pid	Process
2800	Alslihkvkf.exe
2716	Alslihkvkf.exe

Loads dropped DLL 4 IoCs

pid	Process
2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe

VMProtect packed file 15 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2460-2-0x0000000000400000-0x0000000000EB6000-memory.dmp	vmprotect
behavioral1/memory/2460-6-0x0000000000400000-0x0000000000EB6000-memory.dmp	vmprotect
behavioral1/files/0x001100000001201d-28.dat	vmprotect
behavioral1/files/0x001100000001201d-34.dat	vmprotect
behavioral1/files/0x001100000001201d-32.dat	vmprotect
behavioral1/files/0x001100000001201d-30.dat	vmprotect
behavioral1/files/0x001100000001201d-35.dat	vmprotect
behavioral1/files/0x001100000001201d-41.dat	vmprotect
behavioral1/files/0x001100000001201d-37.dat	vmprotect
behavioral1/memory/2716-42-0x0000000000400000-0x0000000000EB6000-memory.dmp	vmprotect
behavioral1/memory/2800-53-0x0000000000400000-0x0000000000EB6000-memory.dmp	vmprotect
behavioral1/memory/2716-54-0x0000000000400000-0x0000000000EB6000-memory.dmp	vmprotect
behavioral1/memory/2460-55-0x0000000000400000-0x0000000000EB6000-memory.dmp	vmprotect
behavioral1/memory/2716-88-0x0000000000400000-0x0000000000EB6000-memory.dmp	vmprotect
behavioral1/memory/2800-89-0x0000000000400000-0x0000000000EB6000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
2800	Alslihkvkf.exe
2716	Alslihkvkf.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
2716	Alslihkvkf.exe
2800	Alslihkvkf.exe
2800	Alslihkvkf.exe
2800	Alslihkvkf.exe
2800	Alslihkvkf.exe
2800	Alslihkvkf.exe
2716	Alslihkvkf.exe
2716	Alslihkvkf.exe
2716	Alslihkvkf.exe
2716	Alslihkvkf.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
Token: SeDebugPrivilege	2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
Token: SeDebugPrivilege	2800	Alslihkvkf.exe
Token: SeDebugPrivilege	2800	Alslihkvkf.exe
Token: SeDebugPrivilege	2716	Alslihkvkf.exe
Token: SeDebugPrivilege	2716	Alslihkvkf.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
2800	Alslihkvkf.exe
2716	Alslihkvkf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2800	2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe	28
PID 2460 wrote to memory of 2800	2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe	28
PID 2460 wrote to memory of 2800	2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe	28
PID 2460 wrote to memory of 2800	2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe	28
PID 2460 wrote to memory of 2716	2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe	29
PID 2460 wrote to memory of 2716	2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe	29
PID 2460 wrote to memory of 2716	2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe	29
PID 2460 wrote to memory of 2716	2460	c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe	29

C:\Users\Admin\AppData\Local\Temp\c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe
"C:\Users\Admin\AppData\Local\Temp\c327bf1c696f347a588b06dfad6bf93bf2b1a5a4bd71bb0ee8a93dcf61151b24.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\Alslihkvkf.exe
  C:\Users\Admin\AppData\Local\Temp\Alslihkvkf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\Alslihkvkf.exe
  "C:\Users\Admin\AppData\Local\Temp\Alslihkvkf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\625C.tmp

Filesize
813KB

MD5
5e0db2d8b2750543cd2ebb9ea8e6cdd3

SHA1
8b997b38e179cd03c0a2e87bddbc1ebca39a8630

SHA256
01eb95fa3943cf3c6b1a21e473a5c3cb9fcbce46913b15c96cac14e4f04075b4

SHA512
38a2064f7a740feb6dba46d57998140f16da7b9302bfe217a24d593220c2340f854645d05993aac6b7ecf819b5c09e062c5c81ba29f79d919ae518e6de071716

Download Submit
C:\Users\Admin\AppData\Local\Temp\6309.tmp

Filesize
304KB

MD5
d6d3ad7bf1d6f6ce9547613ed5e170a2

SHA1
6a20fe18619dc46e379c42f12ed761749053cbf9

SHA256
ea3bd7fec193a8cfe1d5736301acadc476fb6aac5475a45776d0a638e9845445

SHA512
2b900118d582eb8bba1612c67909bda97b2cd8755a00de1135c2809ab65385523a2f1c74eff7b37fc4ada585decfab2febbab9247d46038787a9ac786747c222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alslihkvkf.exe

Filesize
10.6MB

MD5
f52b5ca7d9cb8f845cf84fd431b5e3fc

SHA1
39de2a1c2e8d74cbdbb110d52112dd42bb0ca56e

SHA256
7113d3ed8ebd0b85c134fc1dd281270d4d25c2773e12e05df935119707e4c4a6

SHA512
a840dfc2a48afe6ef0215f65119a182252125b778d116d12380143ace2db61c2e97020ad6b904623fdc4df8b7b718ae59b1ab11ea3e696ab1c9d8419a5eb39bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alslihkvkf.exe

Filesize
10.6MB

MD5
f52b5ca7d9cb8f845cf84fd431b5e3fc

SHA1
39de2a1c2e8d74cbdbb110d52112dd42bb0ca56e

SHA256
7113d3ed8ebd0b85c134fc1dd281270d4d25c2773e12e05df935119707e4c4a6

SHA512
a840dfc2a48afe6ef0215f65119a182252125b778d116d12380143ace2db61c2e97020ad6b904623fdc4df8b7b718ae59b1ab11ea3e696ab1c9d8419a5eb39bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alslihkvkf.exe

Filesize
10.6MB

MD5
f52b5ca7d9cb8f845cf84fd431b5e3fc

SHA1
39de2a1c2e8d74cbdbb110d52112dd42bb0ca56e

SHA256
7113d3ed8ebd0b85c134fc1dd281270d4d25c2773e12e05df935119707e4c4a6

SHA512
a840dfc2a48afe6ef0215f65119a182252125b778d116d12380143ace2db61c2e97020ad6b904623fdc4df8b7b718ae59b1ab11ea3e696ab1c9d8419a5eb39bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f76624c.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\Alslihkvkf.exe

Filesize
10.6MB

MD5
f52b5ca7d9cb8f845cf84fd431b5e3fc

SHA1
39de2a1c2e8d74cbdbb110d52112dd42bb0ca56e

SHA256
7113d3ed8ebd0b85c134fc1dd281270d4d25c2773e12e05df935119707e4c4a6

SHA512
a840dfc2a48afe6ef0215f65119a182252125b778d116d12380143ace2db61c2e97020ad6b904623fdc4df8b7b718ae59b1ab11ea3e696ab1c9d8419a5eb39bc

Download Submit
\Users\Admin\AppData\Local\Temp\Alslihkvkf.exe

Filesize
10.6MB

MD5
f52b5ca7d9cb8f845cf84fd431b5e3fc

SHA1
39de2a1c2e8d74cbdbb110d52112dd42bb0ca56e

SHA256
7113d3ed8ebd0b85c134fc1dd281270d4d25c2773e12e05df935119707e4c4a6

SHA512
a840dfc2a48afe6ef0215f65119a182252125b778d116d12380143ace2db61c2e97020ad6b904623fdc4df8b7b718ae59b1ab11ea3e696ab1c9d8419a5eb39bc

Download Submit
\Users\Admin\AppData\Local\Temp\Alslihkvkf.exe

Filesize
10.6MB

MD5
f52b5ca7d9cb8f845cf84fd431b5e3fc

SHA1
39de2a1c2e8d74cbdbb110d52112dd42bb0ca56e

SHA256
7113d3ed8ebd0b85c134fc1dd281270d4d25c2773e12e05df935119707e4c4a6

SHA512
a840dfc2a48afe6ef0215f65119a182252125b778d116d12380143ace2db61c2e97020ad6b904623fdc4df8b7b718ae59b1ab11ea3e696ab1c9d8419a5eb39bc

Download Submit
\Users\Admin\AppData\Local\Temp\Alslihkvkf.exe

Filesize
10.6MB

MD5
f52b5ca7d9cb8f845cf84fd431b5e3fc

SHA1
39de2a1c2e8d74cbdbb110d52112dd42bb0ca56e

SHA256
7113d3ed8ebd0b85c134fc1dd281270d4d25c2773e12e05df935119707e4c4a6

SHA512
a840dfc2a48afe6ef0215f65119a182252125b778d116d12380143ace2db61c2e97020ad6b904623fdc4df8b7b718ae59b1ab11ea3e696ab1c9d8419a5eb39bc

Download Submit
memory/2460-7-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2460-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2460-6-0x0000000000400000-0x0000000000EB6000-memory.dmp

Filesize
10.7MB

Download
memory/2460-55-0x0000000000400000-0x0000000000EB6000-memory.dmp

Filesize
10.7MB

Download
memory/2460-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2460-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2460-2-0x0000000000400000-0x0000000000EB6000-memory.dmp

Filesize
10.7MB

Download
memory/2716-42-0x0000000000400000-0x0000000000EB6000-memory.dmp

Filesize
10.7MB

Download
memory/2716-54-0x0000000000400000-0x0000000000EB6000-memory.dmp

Filesize
10.7MB

Download
memory/2716-88-0x0000000000400000-0x0000000000EB6000-memory.dmp

Filesize
10.7MB

Download
memory/2800-53-0x0000000000400000-0x0000000000EB6000-memory.dmp

Filesize
10.7MB

Download
memory/2800-89-0x0000000000400000-0x0000000000EB6000-memory.dmp

Filesize
10.7MB

Download