blackmoon | 2aa9084d850f6408d898696389ab62889dabefea3b66909f148324da24a03730

General

Target

2aa9084d850f6408d898696389ab62889dabefea3b66909f148324da24a03730.dll
Size

1.8MB
MD5

3e9a335d0f037cb4a5107b71be89856e
SHA1

10f07b895a2e92dc4381f7513f94588fd0803948
SHA256

2aa9084d850f6408d898696389ab62889dabefea3b66909f148324da24a03730
SHA512

2a1e1bf26cac0de350bc9904dcebd0db54ed59f7b48337872c28d6ce7b5430fd8a8ccf0c195188ccb4277aa16ff28d8e78acbd3c9cff2aaf920b9d684dd8d9e5
SSDEEP

49152:OOaTmE9MRVRTYnttI1LHpkhP4tUPTzM4GbM:8aE98VRTGGtOha2kL

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4696-138-0x0000000010000000-0x000000001051C000-memory.dmp	family_blackmoon

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

25 4696 rundll32.exe

flow	pid	process
25	4696	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4696-138-0x0000000010000000-0x000000001051C000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1488 4696 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1488	4696	WerFault.exe	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E403A1DFC8F377E0F4AA43A83EE9EA079A1F55F2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E403A1DFC8F377E0F4AA43A83EE9EA079A1F55F2\Blob = 09000000010000004c000000304a060a2b0601040182370a0602060a2b0601040182370a060106082b0601050507030806082b0601050507030406082b0601050507030306082b0601050507030206082b060105050703015c000000010000000400000000100000030000000100000014000000e403a1dfc8f377e0f4aa43a83ee9ea079a1f55f219000000010000001000000079d8e39856b0540913defb485e73ed621400000001000000140000000525862f6536a1e59d9eca5c0919ad0e3d96261d0f000000010000001400000052bf462203121ab271f48ff1a32d373fd9f12399040000000100000010000000dc911e8da3a186bb4d52eec0e57b51555300000001000000230000003021301f060960864801a4a227020130123010060a2b0601040182373c0101030200c02000000001000000d3050000308205cf308203b7a00302010202041eb132d5300d06092a864886f70d01010505003076310b300906035504061302434e31233021060355040a0c1a4a656d6d794c6f76654a656e6e7920504b492053657276696365311e301c060355040b0c15706b692e6a656d6d796c6f76656a656e6e792e746b3122302006035504030c194a656d6d794c6f76654a656e6e7920455620526f6f742043413020170d3030303130313030303030305a180f32303939313233313233353935395a3076310b300906035504061302434e31233021060355040a0c1a4a656d6d794c6f76654a656e6e7920504b492053657276696365311e301c060355040b0c15706b692e6a656d6d796c6f76656a656e6e792e746b3122302006035504030c194a656d6d794c6f76654a656e6e7920455620526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100b5bf164ce267332d80ffed87e949041ea0b8dd6e4389cc2ece1e2606c7dc4085d75631f5bf99e3b60a4dbe48dc7337e8edc95dd02aca568a119c2884dd8cecd0c174585e1b6ec89e47f37f28626bb42abb0f7cb0ee0f25d11e268026937bfc4587de5d7cd89d9cd3fee634120724a3771d3dec3ba265398f84274bc72d683be7982706d99e24f4ffe84370fb7b0c8d56449c1bdb2d53ca85a55ea12b4cb65aa691fbbceb57c3cb924ded732c252a968069030dbd3a2bf0c8fa027b7ab6afc325b439d4edc7bad1d3e57dfa244705d36bae516daa94378ea3a87e54aad21deb547b1bc659ca611b05da6f473f6dedfc7616bb9a86838cb2b1be86ff2169d4bcc9078527fa4e579acfc1d649339751c2e6521432cf6b5f26666f2c732ec567a2f5c89f62a34b4a73352238b02d981eaf905c6a66ebe570b20d6ae57d978420f34ab679268d8910217031fa6c69831f485eab30c445789242977e2c9d2df3f0f1aa4ec0cae5612418ffdf0127b7d5809e7a1803121d5b0ff82537ab112a49d7946a51ec8c4691332d5ffa415471f2d95e104400776c21250ae00d587b233b22a596db169e0583c0027c59814544963e66a5eb293ea11523e338d924244bd36b6d27227eecf848c3aef39b756123595c646d36d6cdf570b72fe9fbef779e0afa1db7cf4cc81964b366441f8032337a328f3c988997d0a27d2d8dce891c221a514ab30203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604140525862f6536a1e59d9eca5c0919ad0e3d96261d301f0603551d230418301680140525862f6536a1e59d9eca5c0919ad0e3d96261d300d06092a864886f70d01010505000382020100ad21caaf24b3bfa5ae380783453b61419a4625b1adf976ca6ee77f802063842fd2ca4879ddf39df1a0ca779bb313fb86d1241607b6df5e868ad9cddb69e19baf3107c22cf951569dc8d5f89db4b4ab7b859b61482b10df9bfcce81c4f1b86c77d40a5ee2805a460dd0d6ea165f86e67085097d159090416b07de58ece97764bd1ab9d3c197d1e52aa132182f68fe1962f194b22e1a5a9d4d25c46c9e97a8a6fde4ec57296b4a509eb6dcc8be7b25ff104ef9892d413c93662351b7f3bab4725aaadd18adf65efba74224dbd1dd718356d68e205046d648ac74e11d3be7494d0dba37c51a467af57c721a25968ab1e6a48416009cfb2ac1c063245d93ec2459ac262778e907e4b9aa5bf666db808344c83857d632ae46fe2daba83d1497a155bb9da767ca7fe567b218dffda7aa61055501b2f515cd0fd8b830a67c82b765f52cf80f077ea177480395a29c8dbe9cd572715257a7cef58ad63218e05d16f0096bd496e12d17bf7790b9ddb6318fb91a2a3f3395dd55e4ba739c2c8d15442fbc8de41bade132d1a23fb5a2844e6b08062208f9191e1f3ca0a5504e07cf4b3f2baa683bdc0dc10a8a6631b3d46481641798a4a37b35ada800104d8bc70c0fc31f6615284cb1229592ee072139b6a15a8ad9e1a8135bb4fe7b426d5e69ca1a9a420d7ce3612490d4d9421835a89a05f14e3ca3fd987c51cd62f2926945cfbff32caa	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeLoadDriverPrivilege 4696 rundll32.exe

description	pid	process
Token: SeLoadDriverPrivilege	4696	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 820 wrote to memory of 4696	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 4696	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 4696	820	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2aa9084d850f6408d898696389ab62889dabefea3b66909f148324da24a03730.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2aa9084d850f6408d898696389ab62889dabefea3b66909f148324da24a03730.dll,#1
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 732
3⤵
- Program crash
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4696 -ip 4696
1⤵
PID:4084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4696-133-0x0000000002340000-0x0000000002347000-memory.dmp

Filesize
28KB

Download
memory/4696-138-0x0000000010000000-0x000000001051C000-memory.dmp

Filesize
5.1MB

Download
memory/4696-139-0x00000000029B0000-0x0000000002E42000-memory.dmp

Filesize
4.6MB

Download
memory/4696-140-0x00000000029B0000-0x0000000002E42000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads