blackmoon | 10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:50

Target

10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe
Size

2.7MB
MD5

78f859499e7ee0089583258a0815c4ca
SHA1

5bb211d3902e4bbf7b516634c6f531beb8e704e6
SHA256

10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799
SHA512

5a42e6445f36288c09631d02d62775aeb454a6a55e397ad667c33bd481fe2097d70b81a7b952f1b0a4309107f39f4e798f4d3e211c6d45a3f38805ccdac3df10
SSDEEP

49152:ROMNT+hOy1U8EkTYN/KXeqpomFsE01zdBST1Ws:EMNChj1U8MN/KXeOFs7OWs

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FOJBGT.EZS	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

FOJBGT.EZS

pid process

4672 FOJBGT.EZS
Loads dropped DLL 2 IoCs

Processes:

FOJBGT.EZS

pid process

4672 FOJBGT.EZS
4672 FOJBGT.EZS
Drops file in System32 directory 2 IoCs

Processes:

FOJBGT.EZS

description ioc process

File created C:\Windows\SysWOW64\ESPI11.dll FOJBGT.EZS
File opened for modification C:\Windows\SysWOW64\ESPI11.dll FOJBGT.EZS

description	ioc	process
File created	C:\Windows\SysWOW64\ESPI11.dll	FOJBGT.EZS
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	FOJBGT.EZS

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

FOJBGT.EZS

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exeFOJBGT.EZS

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exeFOJBGT.EZS

description	pid	process	target process
PID 3612 wrote to memory of 4672	3612	10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe	FOJBGT.EZS
PID 3612 wrote to memory of 4672	3612	10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe	FOJBGT.EZS
PID 3612 wrote to memory of 4672	3612	10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe	FOJBGT.EZS
PID 4672 wrote to memory of 3860	4672	FOJBGT.EZS	netsh.exe
PID 4672 wrote to memory of 3860	4672	FOJBGT.EZS	netsh.exe
PID 4672 wrote to memory of 3860	4672	FOJBGT.EZS	netsh.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
1⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\FOJBGT.EZS
Filesize
2.7MB

MD5
dd1c9b981d5e0877fa6922cbdc8fb38b

SHA1
4d9f0f6b1d5a382d5abed45c78ffdec7a5823736

SHA256
15eccfb33746d01a86b7b49c334b6ba665338c8893dacd7a8b37cd69dc53d803

SHA512
2ea7141f75eaba769e7306c6287e0f57d21b9e4af4ef8e7159686c908cf35a940e340130bdde4b5befd534bffa5ac236702f33313ca9d34b5fcbaad8ed3f384a

Download Submit
C:\Windows\SysWOW64\ESPI11.dll
Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit