blackmoon | a60616650b4d63c0aade8adb1d62254dc2dc7b9f33a2d6f48bcc36f9d9a514e3

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 08:46

Target

a60616650b4d63c0aade8adb1d62254dc2dc7b9f33a2d6f48bcc36f9d9a514e3.dll
Size

801KB
MD5

0851ddf2468525905ac84b6afc397d40
SHA1

539baa1c128bb50389d9f3173875638c0f859005
SHA256

a60616650b4d63c0aade8adb1d62254dc2dc7b9f33a2d6f48bcc36f9d9a514e3
SHA512

127f077eb01c320a6551e6555698835950bec3c9151c2b5f0e17acd2d218b907082b85d463afed87165d52085e793c18b370a1a47ea4211ad880456696f3b024
SSDEEP

24576:W1TnaIajDr1HkJ/orzi1Y5TagXN630pYZFw:wmpH7IYRd630GZ6

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/976-56-0x0000000074770000-0x000000007483F000-memory.dmp	family_blackmoon
behavioral1/memory/976-57-0x0000000010000000-0x0000000010081000-memory.dmp	family_blackmoon
behavioral1/memory/976-63-0x0000000002290000-0x0000000002311000-memory.dmp	family_blackmoon

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
976	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 976	1916	rundll32.exe	27
PID 1916 wrote to memory of 976	1916	rundll32.exe	27
PID 1916 wrote to memory of 976	1916	rundll32.exe	27
PID 1916 wrote to memory of 976	1916	rundll32.exe	27
PID 1916 wrote to memory of 976	1916	rundll32.exe	27
PID 1916 wrote to memory of 976	1916	rundll32.exe	27
PID 1916 wrote to memory of 976	1916	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a60616650b4d63c0aade8adb1d62254dc2dc7b9f33a2d6f48bcc36f9d9a514e3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a60616650b4d63c0aade8adb1d62254dc2dc7b9f33a2d6f48bcc36f9d9a514e3.dll,#1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:976

memory/976-54-0x0000000000000000-mapping.dmp

Download
memory/976-55-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/976-56-0x0000000074770000-0x000000007483F000-memory.dmp

Filesize
828KB

Download
memory/976-57-0x0000000010000000-0x0000000010081000-memory.dmp

Filesize
516KB

Download
memory/976-63-0x0000000002290000-0x0000000002311000-memory.dmp

Filesize
516KB

Download