blackmoon | 2a94bef55dd9fa7692bb27739a510e434c8a87d4c0661c8a70854bacdcf4ea67

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a94bef55dd9fa7692bb27739a510e434c8a87d4c0661c8a70854bacdcf4ea67.exe
Size

113KB
MD5

7f1724a7f154d9be81887ef065dce1b1
SHA1

0a060d513d209075c4d914b94ef1bbe6285b995d
SHA256

2a94bef55dd9fa7692bb27739a510e434c8a87d4c0661c8a70854bacdcf4ea67
SHA512

ff170925ff666c5558d4619c4ee133ec4a5ac5b2b23c188f280fea9b8d32bf7e81f584a5a445226e7ccdc62f7cd0fbb406a711173b0b48d7ef5a35de15350a46
SSDEEP

1536:bViMsvI+AQX1OdBaKpVllHG/fdt+fV3JbB5OPnDE5+QDJ4rX27qTrf:bav9OdPx8wJ4rm7qn

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023325-3.dat	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
4552	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 4552	2224	2a94bef55dd9fa7692bb27739a510e434c8a87d4c0661c8a70854bacdcf4ea67.exe	95
PID 2224 wrote to memory of 4552	2224	2a94bef55dd9fa7692bb27739a510e434c8a87d4c0661c8a70854bacdcf4ea67.exe	95
PID 2224 wrote to memory of 4552	2224	2a94bef55dd9fa7692bb27739a510e434c8a87d4c0661c8a70854bacdcf4ea67.exe	95

C:\Users\Admin\AppData\Local\Temp\2a94bef55dd9fa7692bb27739a510e434c8a87d4c0661c8a70854bacdcf4ea67.exe
"C:\Users\Admin\AppData\Local\Temp\2a94bef55dd9fa7692bb27739a510e434c8a87d4c0661c8a70854bacdcf4ea67.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Windows\system32\svhost.exe -k RPC
  2⤵
  - Executes dropped EXE
  PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1304 --field-trial-handle=2256,i,16750283575152780128,2524258836761969159,262144 --variations-seed-version /prefetch:8
1⤵
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
113KB

MD5
ecf858c7bf0c606b2e0e628abf96c73c

SHA1
a7094d9003bc2154ca57b7bbc426148ded5d91c2

SHA256
65e9e2f41cc7dca16b3bf4d8b783c489bd89cad673c630022545658ad4dcbc90

SHA512
723c7b89caf1a35d38d77f1e577603bdb0b79b850a6e3341b94c6dece3f4263df6719f818a07269725910835f4e84a3c8694acf8e9dab57119a587449803eec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~pidtemp.TMP

Filesize
102B

MD5
a31557fe968d2762b715ba204f748a2a

SHA1
e9cfe2011cf6f454e05b07eda648d62af35ad173

SHA256
8085f108970ed0120c23e425d383f11e4ab9e549ae212ac7046d653d175b671c

SHA512
cff2212c3f75d73aab32cbcb61923294f6fd934d19142f507d244cd94e2bfc21d73c88ff102824e44714d4417c0dce79ac9d48a8d8524acbe92a231494647b4e

Download Submit