blackmoon | a60616650b4d63c0aade8adb1d62254dc2dc7b9f33a2d6f48bcc36f9d9a514e3

Analysis

max time kernel
155s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 08:46

Target

a60616650b4d63c0aade8adb1d62254dc2dc7b9f33a2d6f48bcc36f9d9a514e3.dll
Size

801KB
MD5

0851ddf2468525905ac84b6afc397d40
SHA1

539baa1c128bb50389d9f3173875638c0f859005
SHA256

a60616650b4d63c0aade8adb1d62254dc2dc7b9f33a2d6f48bcc36f9d9a514e3
SHA512

127f077eb01c320a6551e6555698835950bec3c9151c2b5f0e17acd2d218b907082b85d463afed87165d52085e793c18b370a1a47ea4211ad880456696f3b024
SSDEEP

24576:W1TnaIajDr1HkJ/orzi1Y5TagXN630pYZFw:wmpH7IYRd630GZ6

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/4940-133-0x0000000074CA0000-0x0000000074D6F000-memory.dmp	family_blackmoon
behavioral2/memory/4940-134-0x0000000010000000-0x0000000010081000-memory.dmp	family_blackmoon
behavioral2/memory/4940-140-0x0000000074CA0000-0x0000000074D6F000-memory.dmp	family_blackmoon
behavioral2/memory/4940-141-0x00000000022F0000-0x0000000002371000-memory.dmp	family_blackmoon

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4940	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 4940	3708	rundll32.exe	81
PID 3708 wrote to memory of 4940	3708	rundll32.exe	81
PID 3708 wrote to memory of 4940	3708	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a60616650b4d63c0aade8adb1d62254dc2dc7b9f33a2d6f48bcc36f9d9a514e3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a60616650b4d63c0aade8adb1d62254dc2dc7b9f33a2d6f48bcc36f9d9a514e3.dll,#1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4940

memory/4940-133-0x0000000074CA0000-0x0000000074D6F000-memory.dmp

Filesize
828KB

Download
memory/4940-134-0x0000000010000000-0x0000000010081000-memory.dmp

Filesize
516KB

Download
memory/4940-140-0x0000000074CA0000-0x0000000074D6F000-memory.dmp

Filesize
828KB

Download
memory/4940-141-0x00000000022F0000-0x0000000002371000-memory.dmp

Filesize
516KB

Download