blackmoon | b26b9c0b3427cb95afe56ba9cf5b399e5e51f2a005de870674c39beb4bdbdc0b

Analysis

max time kernel
91s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2022 10:53

Target

b26b9c0b3427cb95afe56ba9cf5b399e5e51f2a005de870674c39beb4bdbdc0b.dll
Size

1.4MB
MD5

6082f4d4a2c791afdbca425dc9914048
SHA1

02e563b41d6768a5cb47b550eb7441dcc9451099
SHA256

b26b9c0b3427cb95afe56ba9cf5b399e5e51f2a005de870674c39beb4bdbdc0b
SHA512

1451cce034a0795ed189a62487201c3a7c5779b834ad08aa54cc1c8e0c2ed253efb0da4e67f1affb339f6f15a7cf3602c75fe9d9919784ef50d222ece7072a46
SSDEEP

24576:CsDQAneLB/YZ2hPjGvk4XauuTZkfWrVnkQd/23T4PB1kuQe/NAKQ84/Z:CO5n6bhqvquuHkQVB1ka/E/Z

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/904-133-0x0000000010000000-0x00000000103C3000-memory.dmp	family_blackmoon

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	904	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mghrLua.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\mghrLua.dll	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
904	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 904	4884	rundll32.exe	79
PID 4884 wrote to memory of 904	4884	rundll32.exe	79
PID 4884 wrote to memory of 904	4884	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b26b9c0b3427cb95afe56ba9cf5b399e5e51f2a005de870674c39beb4bdbdc0b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b26b9c0b3427cb95afe56ba9cf5b399e5e51f2a005de870674c39beb4bdbdc0b.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:904

memory/904-132-0x0000000000000000-mapping.dmp

Download
memory/904-133-0x0000000010000000-0x00000000103C3000-memory.dmp

Filesize
3.8MB

Download
memory/904-134-0x0000000000860000-0x0000000000863000-memory.dmp

Filesize
12KB

Download