Analysis

  • max time kernel
    126s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/07/2023, 23:06

General

  • Target

    6f77680bd0773b2c76406195aa33eb23fd2b4f409d3dccb78a4737c20c0758b8.dll

  • Size

    299KB

  • MD5

    6e181fe5091721e07cfb6150f94e3b16

  • SHA1

    4f6e690bc16856249cdbde121d007f7748c2dafd

  • SHA256

    6f77680bd0773b2c76406195aa33eb23fd2b4f409d3dccb78a4737c20c0758b8

  • SHA512

    1c9f87b50fb340db14f404111cebf8b01a3cf9cc5795edb6855afa1fa9a54445d692610bff51b6753feb01743aa23cc825f5fe1e6c107285e269b80fa1cbfc68

  • SSDEEP

    6144:Mszj4kdmVXtO+ofngVeyytZlz5dnYAm/rTOyLq+HBunTBSqMcAO0X9:/jj2OPfgEyytZlz/WOyexnTg7cy

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Blocklisted process makes network request 7 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f77680bd0773b2c76406195aa33eb23fd2b4f409d3dccb78a4737c20c0758b8.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f77680bd0773b2c76406195aa33eb23fd2b4f409d3dccb78a4737c20c0758b8.dll,#1
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5092

Network

Downloads

  • C:\Windows\SysWOW64\hErHcp.dll

    Filesize

    205KB

    MD5

    5d4dc7d4d1601d29b039a966f85c183d

    SHA1

    8a021015de3684ab8a94af5d7af3342fd4d71568

    SHA256

    89ea05c90a691024780c94976f7487b3700a6f25c161b9e8c5471be4a7ef7b4f

    SHA512

    ea37e48ae6069999e23e90b9586a2f211c19fa048e1dda6652bee34e0e5fdf899ddfe09638eec1ff111118554819b0481a8c9a2ef908c8487863fc1fa4aa45e2

  • memory/5092-133-0x0000000010000000-0x000000001007E000-memory.dmp

    Filesize

    504KB

  • memory/5092-156-0x0000000004E50000-0x0000000004EA6000-memory.dmp

    Filesize

    344KB

  • memory/5092-155-0x0000000004E50000-0x0000000004EA6000-memory.dmp

    Filesize

    344KB

  • memory/5092-163-0x0000000004E50000-0x0000000004EA6000-memory.dmp

    Filesize

    344KB