blackmoon | 47402e79d69e9175aeb4fec7c7de1da0eef55f32b5fcff154e09113d76ac4335

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 21:35

Target

47402e79d69e9175aeb4fec7c7de1da0eef55f32b5fcff154e09113d76ac4335.dll
Size

1.5MB
MD5

79737781daf4722e1ab2f9352432bace
SHA1

18b0be640606f18568bb99fa855cd92c1187fdc0
SHA256

47402e79d69e9175aeb4fec7c7de1da0eef55f32b5fcff154e09113d76ac4335
SHA512

db551edaebab25534073f24abff0923243a024180fead9d8578731efb2a8a6c1d5d5c75b9bf3d5ece705fedb8db0b3447d48689749b4b43ced7bc00bec16362f
SSDEEP

24576:bLdO8OuXuAdZfbEDgh5tos05jvzMsyyXDYPFH0wevdEVNskchy7JGxmpSfUJWUuG:bJfOuejDghStDkPovdoUy9jpHuX

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/2044-56-0x0000000010000000-0x00000000103C6000-memory.dmp	family_blackmoon

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2044	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mghrLua.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\mghrLua.dll	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2044	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47402e79d69e9175aeb4fec7c7de1da0eef55f32b5fcff154e09113d76ac4335.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\47402e79d69e9175aeb4fec7c7de1da0eef55f32b5fcff154e09113d76ac4335.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2044

memory/2044-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/2044-56-0x0000000010000000-0x00000000103C6000-memory.dmp

Filesize
3.8MB

Download
memory/2044-57-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download