blackmoon | 00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe
Size

4.5MB
MD5

6053aaa74236170b3b6e4604e377e0b5
SHA1

1983a0e088727ee5ceaa0386de81f08e8dddd022
SHA256

00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3
SHA512

cb0dd2dcd0a97fcaf65153e5ca54d3bd3d19bc22c8e507571f2f1a5f2b8be9f944ee1ef3d14a62eb503cabe0f2041b8193b7562ac22ea6ea6422859f10e854b3
SSDEEP

98304:hS5bmig2VCnxwWFUYTY25p/Fmj6dcKgosI10K991TOvFKlz1us3iYzW:WbBQnywfjFme+rodyQAKlwy

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2864-19-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

behwg.behwgc

pid process

2604 behwg.behwgc

pid	process
2604	behwg.behwgc

Loads dropped DLL 2 IoCs

Processes:

00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe

pid	process
2864	00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe
2864	00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe

pid process

2864 00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe

description	pid	process	target process
PID 2864 wrote to memory of 2604	2864	00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe	behwg.behwgc
PID 2864 wrote to memory of 2604	2864	00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe	behwg.behwgc
PID 2864 wrote to memory of 2604	2864	00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe	behwg.behwgc
PID 2864 wrote to memory of 2604	2864	00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe	behwg.behwgc

C:\Users\Admin\AppData\Local\Temp\00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe
"C:\Users\Admin\AppData\Local\Temp\00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\behwg.behwgc
C:\Users\Admin\AppData\Local\Temp\behwg.behwgc --
2⤵
- Executes dropped EXE
PID:2604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\behwg.behwgc

Filesize
2.1MB

MD5
57466db9c3fcba2b38c5298d0624f02f

SHA1
5e185aa3af4ebd0121a0051a51fa9674df91bddd

SHA256
d5005cb019f62c8444a7144fd58f804aafd0908a3418eb8c3363f3f3535914eb

SHA512
3eef333b9eeff8d09defa7584e7f957a9ac4a2e89308ef0e8456741ce461264c8f5ff36375b2f2503b9b7072f92875c73a97e16a29efa1da6705074d2cae755f

Download Submit
\Users\Admin\AppData\Local\Temp\behwg.behwgc

Filesize
2.8MB

MD5
51278d4c79465ef2bf1d60b16e0538a2

SHA1
6fd9de82fd0779c0fbff745e66236044949a857b

SHA256
50926ed37fdb9f6f5d8e62799c4f2d0f6b8dcc7be06353ff558e459cb1dbe4b3

SHA512
122af007134a4f3ec3994d683bf5f5f237b1e009f90ad791aa5e3358e9d7d516925dd2fbdbdd3e2784cdc886cec96ad721eefc87a736d10dee9348c046d83e2f

Download Submit
memory/2604-24-0x0000000002970000-0x0000000003056000-memory.dmp

Filesize
6.9MB

Download
memory/2604-29-0x0000000002970000-0x0000000003056000-memory.dmp

Filesize
6.9MB

Download
memory/2604-31-0x0000000002970000-0x0000000003056000-memory.dmp

Filesize
6.9MB

Download
memory/2604-30-0x0000000002970000-0x0000000003056000-memory.dmp

Filesize
6.9MB

Download
memory/2864-3-0x0000000002B90000-0x0000000003276000-memory.dmp

Filesize
6.9MB

Download
memory/2864-9-0x0000000002B90000-0x0000000003276000-memory.dmp

Filesize
6.9MB

Download
memory/2864-7-0x0000000002B90000-0x0000000003276000-memory.dmp

Filesize
6.9MB

Download
memory/2864-19-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/2864-20-0x0000000002B90000-0x0000000003276000-memory.dmp

Filesize
6.9MB

Download
memory/2864-18-0x0000000002B90000-0x0000000003276000-memory.dmp

Filesize
6.9MB

Download