blackmoon | 7fd10abd56e2e5b324be359c0b054b3a52aab4897b3aec821d17f711d036fe2b

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2022 18:43

Target

7fd10abd56e2e5b324be359c0b054b3a52aab4897b3aec821d17f711d036fe2b.dll
Size

1.1MB
MD5

1af00924ee16348b25651eef36066f9c
SHA1

6b6d86bee8ca36395d978d88116ed9d58b46abae
SHA256

7fd10abd56e2e5b324be359c0b054b3a52aab4897b3aec821d17f711d036fe2b
SHA512

56d132de8e08d10cfbcd6f4ce0a408c864c9029b34b43c998f16afe0f16e14ace01525890d6d9d79623b7bb7b26d882cf16e7c21dedb65961c350b827143986b
SSDEEP

24576:cdxKK+Z3z0jetmSpSqQwxk8HLTKW2ZII6F3DejNN2fgd9Y:cdF+FBmgie/Gk6r2fgXY

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/2152-133-0x0000000010000000-0x000000001025D000-memory.dmp	family_blackmoon

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/2152-133-0x0000000010000000-0x000000001025D000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2152	1944	rundll32.exe	81
PID 1944 wrote to memory of 2152	1944	rundll32.exe	81
PID 1944 wrote to memory of 2152	1944	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fd10abd56e2e5b324be359c0b054b3a52aab4897b3aec821d17f711d036fe2b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fd10abd56e2e5b324be359c0b054b3a52aab4897b3aec821d17f711d036fe2b.dll,#1
  2⤵
  PID:2152

memory/2152-132-0x0000000000000000-mapping.dmp

Download
memory/2152-133-0x0000000010000000-0x000000001025D000-memory.dmp

Filesize
2.4MB

Download