blackmoon | e67a5de2a37a1f551b43856378beaf2b9dacf18947004c63fe5c3c077765b8d1

General

Target

libcrypto-3.dll
Size

102.3MB
MD5

4bcb44a845417cafc7d9b26fe931ac3a
SHA1

d47e4b9d732585e28ce229f7ef9bdd941fabea6e
SHA256

dc5c197f147eeb7dc774653b80b1fc13a0bc1221eb0e942621bd1631ca2d0573
SHA512

5a6e0a75ff7546a2f51c2dc57eb1dc18514439037d05d7f078a22793b4972d09aa3e77eef9edd17850671bcbb1359b8bf8ffd55d7765db20dd8ddde9d4d852eb
SSDEEP

24576:7Yqgr+TBzrabXb8zsMbQrjQzeBa3q0LZdU0B9IwiPr6VoVVD83HNUJyPiOKLA:7ztzsM5n62U0BG76VoPuHNMy6

Score

10^/10

blackmoon gh0strat banker rat trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4276-149-0x0000000000400000-0x0000000000426000-memory.dmp	family_blackmoon
behavioral2/memory/4276-150-0x0000000000400000-0x0000000000426000-memory.dmp	family_blackmoon
behavioral2/memory/4276-153-0x0000000000400000-0x0000000000426000-memory.dmp	family_blackmoon
behavioral2/memory/2364-177-0x0000000010000000-0x0000000011000000-memory.dmp	family_blackmoon

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2584-154-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Blocklisted process makes network request 39 IoCs

Processes:

cmd.exe

flow	pid	process
24	2584	cmd.exe
27	2584	cmd.exe
40	2584	cmd.exe
45	2584	cmd.exe
49	2584	cmd.exe
51	2584	cmd.exe
52	2584	cmd.exe
64	2584	cmd.exe
69	2584	cmd.exe
71	2584	cmd.exe
75	2584	cmd.exe
78	2584	cmd.exe
82	2584	cmd.exe
84	2584	cmd.exe
86	2584	cmd.exe
88	2584	cmd.exe
90	2584	cmd.exe
92	2584	cmd.exe
94	2584	cmd.exe
96	2584	cmd.exe
98	2584	cmd.exe
101	2584	cmd.exe
103	2584	cmd.exe
105	2584	cmd.exe
107	2584	cmd.exe
109	2584	cmd.exe
111	2584	cmd.exe
113	2584	cmd.exe
115	2584	cmd.exe
117	2584	cmd.exe
119	2584	cmd.exe
121	2584	cmd.exe
123	2584	cmd.exe
125	2584	cmd.exe
127	2584	cmd.exe
129	2584	cmd.exe
131	2584	cmd.exe
133	2584	cmd.exe
136	2584	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exemecxzcaasxzcxcassascxcxcx23667.exe

pid process

4276 secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
4512 mecxzcaasxzcxcassascxcxcx23667.exe

pid	process
4276	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
4512	mecxzcaasxzcxcassascxcxcx23667.exe

Drops file in System32 directory 3 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe	rundll32.exe
File created	C:\Windows\SysWOW64\mecxzcaasxzcxcassascxcxcx23667.exe	rundll32.exe
File created	C:\Windows\SysWOW64\secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe	rundll32.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2364 set thread context of 2312	2364	rundll32.exe	cmd.exe
PID 2364 set thread context of 2584	2364	rundll32.exe	cmd.exe
PID 2364 set thread context of 4276	2364	rundll32.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 2364 set thread context of 4512	2364	rundll32.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 2364 set thread context of 3264	2364	rundll32.exe	cmd.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

816 4276 WerFault.exe secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32.exe

pid process

2364 rundll32.exe
2364 rundll32.exe
2364 rundll32.exe
2364 rundll32.exe
2364 rundll32.exe
2364 rundll32.exe
2364 rundll32.exe
2364 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exemecxzcaasxzcxcassascxcxcx23667.exe

pid process

4276 secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
4512 mecxzcaasxzcxcassascxcxcx23667.exe

pid	pid_target	process	target process
816	4276	WerFault.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe

pid	process
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe

pid	process
4276	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
4512	mecxzcaasxzcxcassascxcxcx23667.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1388 wrote to memory of 2364	1388	rundll32.exe	rundll32.exe
PID 1388 wrote to memory of 2364	1388	rundll32.exe	rundll32.exe
PID 1388 wrote to memory of 2364	1388	rundll32.exe	rundll32.exe
PID 2364 wrote to memory of 2412	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2412	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2412	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2312	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2312	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2312	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2312	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2312	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2312	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2312	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2312	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2584	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2584	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2584	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2584	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2584	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2584	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2584	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 2584	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 4276	2364	rundll32.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 2364 wrote to memory of 4276	2364	rundll32.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 2364 wrote to memory of 4276	2364	rundll32.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 2364 wrote to memory of 4276	2364	rundll32.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 2364 wrote to memory of 4276	2364	rundll32.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 2364 wrote to memory of 4276	2364	rundll32.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 2364 wrote to memory of 4276	2364	rundll32.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 2364 wrote to memory of 4276	2364	rundll32.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 2364 wrote to memory of 4276	2364	rundll32.exe	secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
PID 2364 wrote to memory of 4512	2364	rundll32.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 2364 wrote to memory of 4512	2364	rundll32.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 2364 wrote to memory of 4512	2364	rundll32.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 2364 wrote to memory of 4512	2364	rundll32.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 2364 wrote to memory of 4512	2364	rundll32.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 2364 wrote to memory of 4512	2364	rundll32.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 2364 wrote to memory of 4512	2364	rundll32.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 2364 wrote to memory of 4512	2364	rundll32.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 2364 wrote to memory of 4512	2364	rundll32.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 2364 wrote to memory of 4512	2364	rundll32.exe	mecxzcaasxzcxcassascxcxcx23667.exe
PID 2364 wrote to memory of 3264	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 3264	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 3264	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 3264	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 3264	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 3264	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 3264	2364	rundll32.exe	cmd.exe
PID 2364 wrote to memory of 3264	2364	rundll32.exe	cmd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcrypto-3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcrypto-3.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe
    3⤵
    - Blocklisted process makes network request
    PID:2584
- - C:\Windows\SysWOW64\secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
    C:\Windows\SysWOW64\secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 392
      4⤵
      Program crash
      PID:816
- - C:\Windows\SysWOW64\mecxzcaasxzcxcassascxcxcx23667.exe
    C:\Windows\SysWOW64\mecxzcaasxzcxcassascxcxcx23667.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe
    3⤵
    PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4276 -ip 4276
1⤵
PID:2148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mecxzcaasxzcxcassascxcxcx23667.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\secvbnmcxccvxcxcsdsdsxcxczsasadrunshellcode86000.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/2312-136-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2312-137-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2312-138-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2312-140-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2364-134-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/2364-177-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/2584-154-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4276-147-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4276-153-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4276-150-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4276-149-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4276-148-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4512-162-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4512-164-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4512-165-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4512-163-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4512-168-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4512-169-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4512-170-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4512-171-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4512-161-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads