blackmoon | e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6

Analysis

max time kernel
90s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 20:23

Target

e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6.dll
Size

3.9MB
MD5

9a05d32a9e7fedce9c4fc8cb0afa966c
SHA1

46791e12d3471d9ccd012a9ed52be43dd7a2b8a9
SHA256

e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6
SHA512

ef643a5ef313505a0f6b5ca5f4e9635b7d8534b507f129aad61b0b31e2011a44248dd50f7f808544c7c06e8783954d510ba1de175332607a067486d59119c074
SSDEEP

98304:ziSacGY85ycuvTZ6Er4v/YBYSnFP1GashgyiIqoXKkV6:zPZG3y9lEvsYS51ZshgyiIDXKkV

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/3468-133-0x0000000010000000-0x000000001043D000-memory.dmp	family_blackmoon
behavioral2/memory/3468-134-0x0000000010000000-0x000000001043D000-memory.dmp	family_blackmoon
behavioral2/memory/3468-135-0x0000000010000000-0x000000001043D000-memory.dmp	family_blackmoon
behavioral2/memory/3468-136-0x0000000010000000-0x000000001043D000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

resource	yara_rule
behavioral2/files/0x000e000000022e04-137.dat	aspack_v212_v242

Loads dropped DLL 1 IoCs

pid	Process
3468	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\987561.bmd	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4228	3468	WerFault.exe	80

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 3468	4676	rundll32.exe	80
PID 4676 wrote to memory of 3468	4676	rundll32.exe	80
PID 4676 wrote to memory of 3468	4676	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:3468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 688
    3⤵
    - Program crash
    PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3468 -ip 3468
1⤵
PID:4128

C:\Windows\SysWOW64\987561.bmd

Filesize
1.9MB

MD5
aae2c15f00256d1a50cd72665e267f36

SHA1
de15c39b155a45782313d5523f93e4dcdefe59ac

SHA256
691feff90464a118c8390a8d366d6ab407a0642e6d0c937a293f639e23eabe2f

SHA512
9fb4751b44e279a3e73131ce5debeb1cac9805a31063cdc265c3cd945db1e7f14dc62a38595bc2311d110467fcb898023a158cf6063cde7939e1fd97ff0a8122

Download Submit
memory/3468-133-0x0000000010000000-0x000000001043D000-memory.dmp

Filesize
4.2MB

Download
memory/3468-134-0x0000000010000000-0x000000001043D000-memory.dmp

Filesize
4.2MB

Download
memory/3468-135-0x0000000010000000-0x000000001043D000-memory.dmp

Filesize
4.2MB

Download
memory/3468-136-0x0000000010000000-0x000000001043D000-memory.dmp

Filesize
4.2MB

Download
memory/3468-138-0x0000000074B40000-0x0000000074FC8000-memory.dmp

Filesize
4.5MB

Download
memory/3468-139-0x00000000016D0000-0x000000000178F000-memory.dmp

Filesize
764KB

Download
memory/3468-140-0x0000000074B40000-0x0000000074FC8000-memory.dmp

Filesize
4.5MB

Download
memory/3468-141-0x00000000016D0000-0x000000000178F000-memory.dmp

Filesize
764KB

Download