blackmoon | 614b12c79ce95271bf3a0cefd9cae72fada16284541df85559bcf831540866fd

Analysis

max time kernel
224s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 08:37

Target

614b12c79ce95271bf3a0cefd9cae72fada16284541df85559bcf831540866fd.dll
Size

369KB
MD5

4e3afe2ed0f0f3ba785d38ab11c41840
SHA1

c9b6fd7f5d66e0b2a1615e6dd9115ebf8d54de5d
SHA256

614b12c79ce95271bf3a0cefd9cae72fada16284541df85559bcf831540866fd
SHA512

2999a716d871a730ff18472b4b06bd7e881d6a1b0460cb33bda694fac326b39de754d8b896fc304c2c35fa8236f5c4ed4a51a5d28a9bf76e1a58679745799569
SSDEEP

6144:tHWao/MtE0rOcx0J1ypTuNBpXgi2QDh0ICLy8NoH1vszYDbuRLpqluWnXCW+mhsJ:1Wao/vU41ybE90dLGEzwSRQbQmhz2s2y

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1100-56-0x0000000010000000-0x00000000100C1000-memory.dmp	family_blackmoon

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/1100-56-0x0000000010000000-0x00000000100C1000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1484 wrote to memory of 1100	1484	rundll32.exe	rundll32.exe
PID 1484 wrote to memory of 1100	1484	rundll32.exe	rundll32.exe
PID 1484 wrote to memory of 1100	1484	rundll32.exe	rundll32.exe
PID 1484 wrote to memory of 1100	1484	rundll32.exe	rundll32.exe
PID 1484 wrote to memory of 1100	1484	rundll32.exe	rundll32.exe
PID 1484 wrote to memory of 1100	1484	rundll32.exe	rundll32.exe
PID 1484 wrote to memory of 1100	1484	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\614b12c79ce95271bf3a0cefd9cae72fada16284541df85559bcf831540866fd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\614b12c79ce95271bf3a0cefd9cae72fada16284541df85559bcf831540866fd.dll,#1
2⤵
PID:1100

memory/1100-54-0x0000000000000000-mapping.dmp

Download
memory/1100-55-0x00000000763A1000-0x00000000763A3000-memory.dmp

Filesize
8KB

Download
memory/1100-56-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download