blackmoon | d67dd66d7f97cca8e9091c6f59e8bc9b4973d73df1f5fdc13fd7e68211679d32

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
Size

440KB
MD5

179a3747b82b58a9c3589974e145adf0
SHA1

80af51f31d6492945a846bd19f773005717f5c2c
SHA256

d67dd66d7f97cca8e9091c6f59e8bc9b4973d73df1f5fdc13fd7e68211679d32
SHA512

09aff14d940db5c491bba80e46f93ba2251505c092eb8b915f6da1b0b7d81b39a81041cfbe8e5685bf500460f15ebbbd777864f84869d6242b17b1ced4721fe2
SSDEEP

6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAt:xgXQKSLpOCtV0R8xMSaAt

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Syslemkyrfz.exe	family_blackmoon

Deletes itself 1 IoCs

Processes:

Syslemkyrfz.exe

pid process

1044 Syslemkyrfz.exe
Executes dropped EXE 1 IoCs

Processes:

Syslemkyrfz.exe

pid process

1044 Syslemkyrfz.exe
Loads dropped DLL 2 IoCs

Processes:

179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe

pid process

2512 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
2512 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1044	Syslemkyrfz.exe

pid	process
1044	Syslemkyrfz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exeSyslemkyrfz.exe

pid	process
2512	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
2512	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
2512	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
2512	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
2512	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
2512	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
2512	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
2512	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe
1044	Syslemkyrfz.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe

description	pid	process	target process
PID 2512 wrote to memory of 1044	2512	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe	Syslemkyrfz.exe
PID 2512 wrote to memory of 1044	2512	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe	Syslemkyrfz.exe
PID 2512 wrote to memory of 1044	2512	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe	Syslemkyrfz.exe
PID 2512 wrote to memory of 1044	2512	179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe	Syslemkyrfz.exe

C:\Users\Admin\AppData\Local\Temp\179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\Syslemkyrfz.exe
"C:\Users\Admin\AppData\Local\Temp\Syslemkyrfz.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
85B

MD5
54d41c70346c63fe3c979fde34619245

SHA1
67b3fb2513cb6139cc59fc2f3e8d2a7dda90075e

SHA256
78bdb350a85957d40c526bcac8ee71f821376600c40c8d21b08628a38b5f4797

SHA512
50f6e2acc57cd9793d20503d842736b9b97802082872d50d0c293d5551b79e805a2c7c213df6de3dca5306bfa497f03a64fda3c902158c2236b189242e0e4df8

Download Submit
\Users\Admin\AppData\Local\Temp\Syslemkyrfz.exe

Filesize
440KB

MD5
b2ede206ef0949852fcf8f3d0fffad8c

SHA1
e098e0682ee31177972a5867fc3f6c6d1c1066fb

SHA256
e90f15174bd9137bb44db7f169962dae846cf58a69a71e40131fcc6b034f5c1b

SHA512
6272644ed1995a6eb1fa5db962d04675406cdefbe46e2b95c3a5cfff4dcdc09683020070d244787a9bd1dea330d12d40215840bf9e40703bdb95e1310da05701

Download Submit