blackmoon | 00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe
Size

4.5MB
MD5

6053aaa74236170b3b6e4604e377e0b5
SHA1

1983a0e088727ee5ceaa0386de81f08e8dddd022
SHA256

00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3
SHA512

cb0dd2dcd0a97fcaf65153e5ca54d3bd3d19bc22c8e507571f2f1a5f2b8be9f944ee1ef3d14a62eb503cabe0f2041b8193b7562ac22ea6ea6422859f10e854b3
SSDEEP

98304:hS5bmig2VCnxwWFUYTY25p/Fmj6dcKgosI10K991TOvFKlz1us3iYzW:WbBQnywfjFme+rodyQAKlwy

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1180-27-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

eqo.eqosqh

pid process

1180 eqo.eqosqh
Suspicious behavior: RenamesItself 1 IoCs

Processes:

00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe

pid process

5016 00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe

pid	process
1180	eqo.eqosqh

pid	process
5016	00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe

description	pid	process	target process
PID 5016 wrote to memory of 1180	5016	00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe	eqo.eqosqh
PID 5016 wrote to memory of 1180	5016	00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe	eqo.eqosqh
PID 5016 wrote to memory of 1180	5016	00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe	eqo.eqosqh

C:\Users\Admin\AppData\Local\Temp\00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe
"C:\Users\Admin\AppData\Local\Temp\00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\Temp\eqo.eqosqh
C:\Users\Admin\AppData\Local\Temp\eqo.eqosqh --
2⤵
- Executes dropped EXE
PID:1180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eqo.eqosqh

Filesize
2.1MB

MD5
dd42355c36a9583199c4bace68238c3d

SHA1
568595e4fd458f4c038a1ee02cddc7fa8c3ed801

SHA256
0358060553c27159b84f69bf7bbe72733b85112726fc0f090ecfd2e8010172cf

SHA512
7fb80dc955bd4d6b05bae8ba0692f6c2bcf1d29cfe0193376b96c5a2c5fc84a623d036fe9d56de5f6e1094495fe727e40f6c5989d0e92c2170686b65a5737043

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqo.eqosqh

Filesize
448KB

MD5
4d6f26bde8158d0735468c5a47c667b4

SHA1
e9247da3c77ca1d9505e78a07970fb80d69be756

SHA256
9ca64141be0ab2a3b05de2c49577eb349df4dcbc7a80fb996e1620f7aa6acd18

SHA512
c84aa9484a66cac298753c0e2e6ea942fd1ffb1df08026a58a69db2d6e62f150c415951675e0fdaf79139a3ef5a400909ee13aca7556e7be7dd18c8ab79c7d7c

Download Submit
memory/1180-26-0x0000000002E70000-0x0000000003556000-memory.dmp

Filesize
6.9MB

Download
memory/1180-19-0x0000000002E70000-0x0000000003556000-memory.dmp

Filesize
6.9MB

Download
memory/1180-25-0x0000000002E70000-0x0000000003556000-memory.dmp

Filesize
6.9MB

Download
memory/1180-23-0x0000000002E70000-0x0000000003556000-memory.dmp

Filesize
6.9MB

Download
memory/1180-27-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/1180-29-0x0000000002E70000-0x0000000003556000-memory.dmp

Filesize
6.9MB

Download
memory/5016-13-0x0000000002F20000-0x0000000003606000-memory.dmp

Filesize
6.9MB

Download
memory/5016-9-0x0000000002F20000-0x0000000003606000-memory.dmp

Filesize
6.9MB

Download
memory/5016-14-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/5016-7-0x0000000002F20000-0x0000000003606000-memory.dmp

Filesize
6.9MB

Download
memory/5016-3-0x0000000002F20000-0x0000000003606000-memory.dmp

Filesize
6.9MB

Download