blackmoon | 2b36a5edccd366c2b4c37dd86680d69fcdd8b6e011ede9c90d51c6a5a862e637

Analysis

max time kernel
122s
max time network
145s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
05/10/2023, 02:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b36a5edccd366c2b4c37dd86680d69fcdd8b6e011ede9c90d51c6a5a862e637.dll
Size

6.5MB
MD5

9c9e300f744ccd62a86831643b50c671
SHA1

9aefecfb7073e537d48f422722aa48ac21faf19e
SHA256

2b36a5edccd366c2b4c37dd86680d69fcdd8b6e011ede9c90d51c6a5a862e637
SHA512

49abc183bc5f3e07ecc50a6de8d285313d2ff1883252faad92ccff69b69aab06c511625bd5c938d1f8fc69eef139d3241ce82c917335ed45bbc922c4b4707686
SSDEEP

98304:iVEqNYiuw2c5kn3TcYifC3UW8xnufnRMqVe1mUr+EFxFMNEJNJxpWA74:Z+1z6n326EdleSkJUS6MkNJxMe4

Score

10^/10

blackmoon banker trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/1316-2-0x0000000010000000-0x0000000010B68000-memory.dmp	family_blackmoon
behavioral1/memory/1316-5-0x0000000010000000-0x0000000010B68000-memory.dmp	family_blackmoon
behavioral1/memory/1316-47-0x00000000002C0000-0x00000000002D3000-memory.dmp	family_blackmoon

Executes dropped EXE 4 IoCs

pid	Process
2596	svchost.exe
2960	svchost.exe
2328	svchost.exe
2968	svchost.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1316-2-0x0000000010000000-0x0000000010B68000-memory.dmp	vmprotect
behavioral1/memory/1316-5-0x0000000010000000-0x0000000010B68000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 2740	1316	rundll32.exe	29
PID 1316 set thread context of 2760	1316	rundll32.exe	30
PID 1316 set thread context of 2592	1316	rundll32.exe	31
PID 1316 set thread context of 2160	1316	rundll32.exe	32

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.exe	svchost.exe
File opened for modification	C:\Windows\svchost.exe	svchost.exe
File opened for modification	C:\Windows\svchost.exe	svchost.exe
File created	C:\Windows\svchost.exe	svchost.exe
File opened for modification	C:\Windows\svchost.exe	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1316	rundll32.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 1316	2096	rundll32.exe	28
PID 2096 wrote to memory of 1316	2096	rundll32.exe	28
PID 2096 wrote to memory of 1316	2096	rundll32.exe	28
PID 2096 wrote to memory of 1316	2096	rundll32.exe	28
PID 2096 wrote to memory of 1316	2096	rundll32.exe	28
PID 2096 wrote to memory of 1316	2096	rundll32.exe	28
PID 2096 wrote to memory of 1316	2096	rundll32.exe	28
PID 1316 wrote to memory of 2740	1316	rundll32.exe	29
PID 1316 wrote to memory of 2740	1316	rundll32.exe	29
PID 1316 wrote to memory of 2740	1316	rundll32.exe	29
PID 1316 wrote to memory of 2740	1316	rundll32.exe	29
PID 1316 wrote to memory of 2740	1316	rundll32.exe	29
PID 1316 wrote to memory of 2740	1316	rundll32.exe	29
PID 1316 wrote to memory of 2740	1316	rundll32.exe	29
PID 1316 wrote to memory of 2740	1316	rundll32.exe	29
PID 1316 wrote to memory of 2760	1316	rundll32.exe	30
PID 1316 wrote to memory of 2760	1316	rundll32.exe	30
PID 1316 wrote to memory of 2760	1316	rundll32.exe	30
PID 1316 wrote to memory of 2760	1316	rundll32.exe	30
PID 1316 wrote to memory of 2760	1316	rundll32.exe	30
PID 1316 wrote to memory of 2760	1316	rundll32.exe	30
PID 1316 wrote to memory of 2760	1316	rundll32.exe	30
PID 1316 wrote to memory of 2760	1316	rundll32.exe	30
PID 1316 wrote to memory of 2592	1316	rundll32.exe	31
PID 1316 wrote to memory of 2592	1316	rundll32.exe	31
PID 1316 wrote to memory of 2592	1316	rundll32.exe	31
PID 1316 wrote to memory of 2592	1316	rundll32.exe	31
PID 1316 wrote to memory of 2592	1316	rundll32.exe	31
PID 1316 wrote to memory of 2592	1316	rundll32.exe	31
PID 1316 wrote to memory of 2592	1316	rundll32.exe	31
PID 1316 wrote to memory of 2592	1316	rundll32.exe	31
PID 1316 wrote to memory of 2160	1316	rundll32.exe	32
PID 1316 wrote to memory of 2160	1316	rundll32.exe	32
PID 1316 wrote to memory of 2160	1316	rundll32.exe	32
PID 1316 wrote to memory of 2160	1316	rundll32.exe	32
PID 1316 wrote to memory of 2160	1316	rundll32.exe	32
PID 1316 wrote to memory of 2160	1316	rundll32.exe	32
PID 1316 wrote to memory of 2160	1316	rundll32.exe	32
PID 1316 wrote to memory of 2160	1316	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b36a5edccd366c2b4c37dd86680d69fcdd8b6e011ede9c90d51c6a5a862e637.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b36a5edccd366c2b4c37dd86680d69fcdd8b6e011ede9c90d51c6a5a862e637.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe C:\Windows\SysWOW64
    3⤵
    - Drops file in Windows directory
    PID:2740
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe C:\Windows\SysWOW64
    3⤵
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2760
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe C:\Windows\SysWOW64
    3⤵
    - Drops file in Windows directory
    PID:2592
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe C:\Windows\SysWOW64
    3⤵
    - Drops file in Windows directory
    PID:2160

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:2596

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
C:\Windows\svchost.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
C:\Windows\svchost.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
C:\Windows\svchost.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
C:\Windows\svchost.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
C:\Windows\svchost.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
C:\Windows\svchost.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
memory/1316-30-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1316-9-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1316-14-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1316-17-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1316-19-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1316-22-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1316-24-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1316-27-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1316-29-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1316-2-0x0000000010000000-0x0000000010B68000-memory.dmp

Filesize
11.4MB

Download
memory/1316-32-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1316-34-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1316-1-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1316-0-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1316-3-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1316-5-0x0000000010000000-0x0000000010B68000-memory.dmp

Filesize
11.4MB

Download
memory/1316-7-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1316-47-0x00000000002C0000-0x00000000002D3000-memory.dmp

Filesize
76KB

Download
memory/1316-4-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1316-12-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2740-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2740-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2740-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2740-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2740-38-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download