blackmoon | c6ca361e4a9e5ef71fb4038e79d1cb9a216fe0e15e4ddffc785fdbdd28868b50

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 15:03

Target

6795637955c629753c61da643f3730d0_NeikiAnalytics.exe
Size

4.1MB
MD5

6795637955c629753c61da643f3730d0
SHA1

3c49119abbb4bd2ab0130d2db6d7824371f1f3c1
SHA256

c6ca361e4a9e5ef71fb4038e79d1cb9a216fe0e15e4ddffc785fdbdd28868b50
SHA512

b62207966fa75fc7383ec713aad70a747aa89f02b9f7d436d87489f542c6ea3fb17d155dc0acef2940f312d31394e8892169324c25e670bcf96257e66e06a601
SSDEEP

98304:Rbmig2VCnxwWFUYTY25p/Fmj6dcKgosI10K991TOvFKlz1us3iYzW:RbBQnywfjFme+rodyQAKlwy

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\efr.efry	family_blackmoon
behavioral1/memory/2012-19-0x0000000000400000-0x0000000000833000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

efr.efry

pid process

2500 efr.efry
Loads dropped DLL 2 IoCs

Processes:

6795637955c629753c61da643f3730d0_NeikiAnalytics.exe

pid process

2012 6795637955c629753c61da643f3730d0_NeikiAnalytics.exe
2012 6795637955c629753c61da643f3730d0_NeikiAnalytics.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

6795637955c629753c61da643f3730d0_NeikiAnalytics.exe

pid process

2012 6795637955c629753c61da643f3730d0_NeikiAnalytics.exe

pid	process
2500	efr.efry

pid	process
2012	6795637955c629753c61da643f3730d0_NeikiAnalytics.exe
2012	6795637955c629753c61da643f3730d0_NeikiAnalytics.exe

pid	process
2012	6795637955c629753c61da643f3730d0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6795637955c629753c61da643f3730d0_NeikiAnalytics.exe

description	pid	process	target process
PID 2012 wrote to memory of 2500	2012	6795637955c629753c61da643f3730d0_NeikiAnalytics.exe	efr.efry
PID 2012 wrote to memory of 2500	2012	6795637955c629753c61da643f3730d0_NeikiAnalytics.exe	efr.efry
PID 2012 wrote to memory of 2500	2012	6795637955c629753c61da643f3730d0_NeikiAnalytics.exe	efr.efry
PID 2012 wrote to memory of 2500	2012	6795637955c629753c61da643f3730d0_NeikiAnalytics.exe	efr.efry

C:\Users\Admin\AppData\Local\Temp\efr.efry
C:\Users\Admin\AppData\Local\Temp\efr.efry --
2⤵
- Executes dropped EXE
PID:2500

\Users\Admin\AppData\Local\Temp\efr.efry
Filesize
4.1MB

MD5
11528097f453cccf43bded3b72d4047d

SHA1
0d2eb7bf058c69ed21d1ae0121a3ef5b6a8ec24f

SHA256
51ee4edac861a45a8a83ca2d64da962cf8d041482026aa7595ac9dc0bd42983c

SHA512
edc79dc5e6f93bbdeeeeb02fbb011945bca06b6201f5b3ef493e45e02123772b25084dd1b47830fb2b57196abf3dbc128bfbc7771b75be327913566e73a7bbef

Download Submit
memory/2012-3-0x0000000002AB0000-0x0000000003196000-memory.dmp

Filesize
6.9MB

Download
memory/2012-4-0x0000000002AB0000-0x0000000003196000-memory.dmp

Filesize
6.9MB

Download
memory/2012-9-0x0000000002AB0000-0x0000000003196000-memory.dmp

Filesize
6.9MB

Download
memory/2012-17-0x0000000002AB0000-0x0000000003196000-memory.dmp

Filesize
6.9MB

Download
memory/2012-19-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/2012-20-0x0000000002AB0000-0x0000000003196000-memory.dmp

Filesize
6.9MB

Download
memory/2500-21-0x0000000002A60000-0x0000000003146000-memory.dmp

Filesize
6.9MB

Download
memory/2500-24-0x0000000002A60000-0x0000000003146000-memory.dmp

Filesize
6.9MB

Download
memory/2500-25-0x0000000002A60000-0x0000000003146000-memory.dmp

Filesize
6.9MB

Download
memory/2500-30-0x0000000002A60000-0x0000000003146000-memory.dmp

Filesize
6.9MB

Download
memory/2500-31-0x0000000002A60000-0x0000000003146000-memory.dmp

Filesize
6.9MB

Download