blackmoon | baa6c9da5b502377205f6f9531afecba5f56e7977ea547e521aca7174d260909

General

Target

baa6c9da5b502377205f6f9531afecba5f56e7977ea547e521aca7174d260909.dll
Size

500KB
MD5

d39fd459b42b0807fb0388833305c00d
SHA1

2193dc7415dcfc3ba64c7d630a3addd557db1e10
SHA256

baa6c9da5b502377205f6f9531afecba5f56e7977ea547e521aca7174d260909
SHA512

80376f28e47ac4f196fd6da8f6aa0ec17e400e1e809bbc9ec0ccca0c1ba812ff40a7a05e2e59d081d472bae05c8984418b940283d6c78a41ae88a218ec072b1b
SSDEEP

12288:ufxf2hROSRDLR5nWFpPoSNeN2XoSFv692ezH+bw:ufBoROs6bveUjv692eEw

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2576-1-0x0000000010000000-0x000000001007D000-memory.dmp	family_blackmoon
behavioral2/memory/2576-37-0x0000000010000000-0x000000001007D000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

2800 rundll32mgr.exe

pid	process
2800	rundll32mgr.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2576-1-0x0000000010000000-0x000000001007D000-memory.dmp	upx
C:\Windows\SysWOW64\rundll32mgr.exe	upx
C:\Windows\SysWOW64\rundll32mgr.exe	upx
behavioral2/memory/2800-5-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2576-17-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-18-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-19-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-16-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-21-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-23-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-25-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-27-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-29-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-31-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-33-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-35-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-37-0x0000000010000000-0x000000001007D000-memory.dmp	upx
behavioral2/memory/2576-38-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-41-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-43-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-45-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-47-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-49-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-51-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-53-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-55-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-58-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-60-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-62-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx
behavioral2/memory/2576-64-0x0000000000E30000-0x0000000000E6E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3924 2800 WerFault.exe rundll32mgr.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

2576 rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
3924	2800	WerFault.exe	rundll32mgr.exe

pid	process
2576	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3488 wrote to memory of 2576	3488	rundll32.exe	rundll32.exe
PID 3488 wrote to memory of 2576	3488	rundll32.exe	rundll32.exe
PID 3488 wrote to memory of 2576	3488	rundll32.exe	rundll32.exe
PID 2576 wrote to memory of 2800	2576	rundll32.exe	rundll32mgr.exe
PID 2576 wrote to memory of 2800	2576	rundll32.exe	rundll32mgr.exe
PID 2576 wrote to memory of 2800	2576	rundll32.exe	rundll32mgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\baa6c9da5b502377205f6f9531afecba5f56e7977ea547e521aca7174d260909.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\baa6c9da5b502377205f6f9531afecba5f56e7977ea547e521aca7174d260909.dll,#1
2⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 264
4⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2800 -ip 2800
1⤵
PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
dfb5daabb95dcfad1a5faf9ab1437076

SHA1
4a199569a9b52911bee7fb19ab80570cc5ff9ed1

SHA256
54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

SHA512
5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
dfb5daabb95dcfad1a5faf9ab1437076

SHA1
4a199569a9b52911bee7fb19ab80570cc5ff9ed1

SHA256
54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

SHA512
5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

Download Submit
memory/2576-35-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-65-0x0000000075F00000-0x0000000075FF0000-memory.dmp

Filesize
960KB

Download
memory/2576-1-0x0000000010000000-0x000000001007D000-memory.dmp

Filesize
500KB

Download
memory/2576-17-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-18-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-19-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-16-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-21-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-23-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-25-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-27-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-29-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-31-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-33-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-37-0x0000000010000000-0x000000001007D000-memory.dmp

Filesize
500KB

Download
memory/2576-38-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-64-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-41-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-43-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-45-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-47-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-49-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-51-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-53-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-55-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-58-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-60-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-62-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/2576-63-0x0000000075F00000-0x0000000075FF0000-memory.dmp

Filesize
960KB

Download
memory/2800-5-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2800-10-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads