blackmoon | 199b2cb92890944469b6eb84f8893f419c48799df164604d0f4ed9b6dc41551d

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
Size

431KB
MD5

d3af3d5142b11c8fb767076688c5e790
SHA1

e95579fbb827aa2ee9b031fe44dccc00171f351d
SHA256

199b2cb92890944469b6eb84f8893f419c48799df164604d0f4ed9b6dc41551d
SHA512

fb93037aaefe8e4ae95b9640d1f409737a0ae8380fcad2c8a6c998e8a09c0ca9e9ec16c3464c81899b86162a2518487322d0bb05d1cc25afe777d04b8b1bbf1f
SSDEEP

3072:TVmHpJqu0Vh6jw/fmZmRMpVuWwP5tOcQfgdVqYHKjoS1HwZCFjTPG1UFNE2XCKUM:TcHpJfHElepVuWwP5YcQfg8J+ojCKC+r

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Systemvhjog.exe	family_blackmoon

Deletes itself 1 IoCs

Processes:

Systemvhjog.exe

pid process

2568 Systemvhjog.exe
Executes dropped EXE 1 IoCs

Processes:

Systemvhjog.exe

pid process

2568 Systemvhjog.exe
Loads dropped DLL 2 IoCs

Processes:

d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe

pid process

2940 d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
2940 d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2568	Systemvhjog.exe

pid	process
2568	Systemvhjog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exeSystemvhjog.exe

pid	process
2940	d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
2940	d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
2940	d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
2940	d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
2940	d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
2940	d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
2940	d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
2940	d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe
2568	Systemvhjog.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe

description	pid	process	target process
PID 2940 wrote to memory of 2568	2940	d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe	Systemvhjog.exe
PID 2940 wrote to memory of 2568	2940	d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe	Systemvhjog.exe
PID 2940 wrote to memory of 2568	2940	d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe	Systemvhjog.exe
PID 2940 wrote to memory of 2568	2940	d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe	Systemvhjog.exe

C:\Users\Admin\AppData\Local\Temp\d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\Systemvhjog.exe
"C:\Users\Admin\AppData\Local\Temp\Systemvhjog.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Systemvhjog.exe
Filesize
431KB

MD5
acfd73609b883a458953da5759706d3b

SHA1
46594110a566fe479b49e62f9eb0003441a2984d

SHA256
3c61214cda022676e30150fe38e8028a61903d7a66aac1afd00358e20a03a581

SHA512
c26591e97c5755e9489916f382024b06458cc1f2a2d683343595fcc4166c86d67cb29433cefcbe9c36ca94dfb24c2dd1710d8e2924291f356b2bd79a6a99c2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\path.ini
Filesize
85B

MD5
84f7dc59153b50b6b9b34c0560d41e90

SHA1
8d041093234961ac5ed02d7d66c2e0f1ca472d69

SHA256
cb0ee27015a0322f5be5c8ac38d60c055b139347b9692117109d00be8e645d3f

SHA512
57381f536d4a4a7c6097a420aad20dbecead35266e21fe58263fde5f0fc2e2d6bc950dafbf4285d5b791e23c450807b191e35528d6ecf564eed5de671721b2d2

Download Submit