blackmoon | 3bb0283bf7232503e18b72d8a353685fc0c48a736a2aa55a3f74b7426ecd3b76

Analysis

max time kernel
153s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 14:13

Target

3bb0283bf7232503e18b72d8a353685fc0c48a736a2aa55a3f74b7426ecd3b76.dll
Size

4.2MB
MD5

99affed33e9d3fef1746277094171f1e
SHA1

de1fb94458e262b10cbf3bab7fbb3bea9fd95afe
SHA256

3bb0283bf7232503e18b72d8a353685fc0c48a736a2aa55a3f74b7426ecd3b76
SHA512

c4079c00eb301a4d6b2abfad0569e43632a30b4aa2411148cfd68e6a517f78305d9b68a5a68ac0cdb7960db7eb61d97db37bc818fb2f2b1c64a021da598ed963
SSDEEP

98304:SfO9FDNhyAHVO+FZeQtJXjt4FSIb/1bQeWooa8DT:agFD6yQOsQt1jSSE/1EFva

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/828-9-0x0000000010000000-0x0000000010BCB000-memory.dmp	family_blackmoon

Loads dropped DLL 1 IoCs

pid	Process
828	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/828-0-0x0000000010000000-0x0000000010BCB000-memory.dmp	upx
behavioral2/memory/828-8-0x00000000030A0000-0x00000000030B5000-memory.dmp	upx
behavioral2/memory/828-9-0x0000000010000000-0x0000000010BCB000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4184	828	WerFault.exe	94

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
828	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 828	720	rundll32.exe	94
PID 720 wrote to memory of 828	720	rundll32.exe	94
PID 720 wrote to memory of 828	720	rundll32.exe	94

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bb0283bf7232503e18b72d8a353685fc0c48a736a2aa55a3f74b7426ecd3b76.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:720
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bb0283bf7232503e18b72d8a353685fc0c48a736a2aa55a3f74b7426ecd3b76.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 844
    3⤵
    - Program crash
    PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 828 -ip 828
1⤵
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3428 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8
1⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll

Filesize
8.4MB

MD5
8b6c94bbdbfb213e94a5dcb4fac28ce3

SHA1
b56102ca4f03556f387f8b30e2b404efabe0cb65

SHA256
982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53

SHA512
9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

Download Submit
memory/828-0-0x0000000010000000-0x0000000010BCB000-memory.dmp

Filesize
11.8MB

Download
memory/828-6-0x00000000031D0000-0x00000000031F7000-memory.dmp

Filesize
156KB

Download
memory/828-8-0x00000000030A0000-0x00000000030B5000-memory.dmp

Filesize
84KB

Download
memory/828-9-0x0000000010000000-0x0000000010BCB000-memory.dmp

Filesize
11.8MB

Download