blackmoon | da95054c1e18a1079ad1f2fc928163eeeda20e6241103a5076c5d85929780f84

General

Target

da95054c1e18a1079ad1f2fc928163eeeda20e6241103a5076c5d85929780f84.dll
Size

13.6MB
MD5

1f23ff1c601a12142794189305eb2f22
SHA1

a08ca6bc74239b2bfd87d536b9a119641c61da9f
SHA256

da95054c1e18a1079ad1f2fc928163eeeda20e6241103a5076c5d85929780f84
SHA512

499bb2b478a2f286d35652d16624b45d57321cdad73b0b97ff9331af0162342657314d72f868adecf009c4eeeca1e5bd80370e98928a6d2010ea41883dcb3838
SSDEEP

196608:ySJSiIh2IkT64J9lc++HkUuicZHM0w+riPoDLNUMtBMO7NKWPUr9VC2sW:ySkimkTVzmzkPyU+PkrZnywW

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/4052-13-0x0000000002B60000-0x0000000002ECC000-memory.dmp	family_blackmoon
behavioral2/memory/4052-20-0x0000000002B60000-0x0000000002ECC000-memory.dmp	family_blackmoon

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	tmp.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000023111-6.dat	acprotect
behavioral2/files/0x0009000000023111-8.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
952	tmp.exe

Loads dropped DLL 4 IoCs

pid	Process
4052	rundll32.exe
4052	rundll32.exe
4052	rundll32.exe
952	tmp.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023111-6.dat	upx
behavioral2/files/0x0009000000023111-8.dat	upx
behavioral2/memory/4052-13-0x0000000002B60000-0x0000000002ECC000-memory.dmp	upx
behavioral2/memory/4052-20-0x0000000002B60000-0x0000000002ECC000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4052	rundll32.exe
952	tmp.exe
952	tmp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 4052	3116	rundll32.exe	82
PID 3116 wrote to memory of 4052	3116	rundll32.exe	82
PID 3116 wrote to memory of 4052	3116	rundll32.exe	82
PID 4052 wrote to memory of 952	4052	rundll32.exe	84
PID 4052 wrote to memory of 952	4052	rundll32.exe	84
PID 4052 wrote to memory of 952	4052	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\da95054c1e18a1079ad1f2fc928163eeeda20e6241103a5076c5d85929780f84.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\da95054c1e18a1079ad1f2fc928163eeeda20e6241103a5076c5d85929780f84.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmp.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

Filesize
1.5MB

MD5
ef48d7cc52338513cc0ce843c5e3916b

SHA1
20965d86b7b358edf8b5d819302fa7e0e6159c18

SHA256
835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8

SHA512
fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll

Filesize
1.8MB

MD5
9c842288aefe97836f56d6b20b078ff8

SHA1
4c28b0112195a5181891022fd999fc8a6236a842

SHA256
8d048151cefb7b07d4b00704fcc858d22c7501d1692902ea363678ad50db603e

SHA512
4e20b932b11b0c5cbce221c1eb947e7b3ddb68d5ad9d5153c713e55d11dde7482ae3164d57b20b7c82015bfcdbcc6c2d579544b324ff3662e207185200172eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll

Filesize
1.8MB

MD5
9c842288aefe97836f56d6b20b078ff8

SHA1
4c28b0112195a5181891022fd999fc8a6236a842

SHA256
8d048151cefb7b07d4b00704fcc858d22c7501d1692902ea363678ad50db603e

SHA512
4e20b932b11b0c5cbce221c1eb947e7b3ddb68d5ad9d5153c713e55d11dde7482ae3164d57b20b7c82015bfcdbcc6c2d579544b324ff3662e207185200172eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\load.dll

Filesize
2.2MB

MD5
abde7ddcc7dca86700ccf9fd3fc25b11

SHA1
e2fabf760f8558db2b2cfcd0fda66948e74e7839

SHA256
4caed7de787af5c26e5091a2733888d5af8605b5851c5f177273b452eb7b02c4

SHA512
a5f7e5e7315701e07b64f3e6a5b5623f9eb31de61ca0de53c0456ed202d341ca839f9e3c6eb41dbae5dd5ddba7d28cd263e3c76a48b53591ba2d5573fdca44a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\load.dll

Filesize
2.2MB

MD5
abde7ddcc7dca86700ccf9fd3fc25b11

SHA1
e2fabf760f8558db2b2cfcd0fda66948e74e7839

SHA256
4caed7de787af5c26e5091a2733888d5af8605b5851c5f177273b452eb7b02c4

SHA512
a5f7e5e7315701e07b64f3e6a5b5623f9eb31de61ca0de53c0456ed202d341ca839f9e3c6eb41dbae5dd5ddba7d28cd263e3c76a48b53591ba2d5573fdca44a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
1.6MB

MD5
8e17399c045f0e397c4611d4c9d33e02

SHA1
aac120429b61430ba2a3f618707cd6110604ceb8

SHA256
78778cc786849a8bbbe5931c7c846bd5d759553a9e2b598eeebe018a81a3dea4

SHA512
a0c75717322a81c20bfc6a8045a80f4943d6b75ad5ba79265acbadbc5e39855592de655058bc895b1c5298ca9f5d3bcf0a573654c69925d0558cf87a957e21c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
1.6MB

MD5
8e17399c045f0e397c4611d4c9d33e02

SHA1
aac120429b61430ba2a3f618707cd6110604ceb8

SHA256
78778cc786849a8bbbe5931c7c846bd5d759553a9e2b598eeebe018a81a3dea4

SHA512
a0c75717322a81c20bfc6a8045a80f4943d6b75ad5ba79265acbadbc5e39855592de655058bc895b1c5298ca9f5d3bcf0a573654c69925d0558cf87a957e21c1

Download Submit
memory/4052-13-0x0000000002B60000-0x0000000002ECC000-memory.dmp

Filesize
3.4MB

Download
memory/4052-20-0x0000000002B60000-0x0000000002ECC000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing