blackmoon | 3deaa40dd6363ac76b050054fcecc46192f70321f47438bf112e2ee8dbca2f5b

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 09:40

Target

3deaa40dd6363ac76b050054fcecc46192f70321f47438bf112e2ee8dbca2f5b.dll
Size

364KB
MD5

13724826c0972a6a947109d5be7012d0
SHA1

0b465b0aaf3b01d385029b48c9c1996d055113e6
SHA256

3deaa40dd6363ac76b050054fcecc46192f70321f47438bf112e2ee8dbca2f5b
SHA512

5b217d1793c2033c0700e7f86c63a890ebeeaf4b4ade2326795a0bb34c74f56cb935d6497f57236ef7fb50d7243ea831975f860fd1573a2d4bc56e0dec8ed9d6
SSDEEP

6144:3ypyJE1S5ND31zwdHlWbEaScp8FSBuRTY2o56oxW8eYkYM6y:3ysJE1SrDlzulWbEaNp8ABATY246oMTD

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4088-133-0x0000000010000000-0x00000000100C1000-memory.dmp	family_blackmoon
behavioral2/memory/4088-135-0x0000000010000000-0x00000000100C1000-memory.dmp	family_blackmoon
behavioral2/memory/4088-136-0x0000000010000000-0x00000000100C1000-memory.dmp	family_blackmoon

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral2/memory/4088-133-0x0000000010000000-0x00000000100C1000-memory.dmp	vmprotect
behavioral2/memory/4088-135-0x0000000010000000-0x00000000100C1000-memory.dmp	vmprotect
behavioral2/memory/4088-136-0x0000000010000000-0x00000000100C1000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2652 wrote to memory of 4088	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 4088	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 4088	2652	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3deaa40dd6363ac76b050054fcecc46192f70321f47438bf112e2ee8dbca2f5b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3deaa40dd6363ac76b050054fcecc46192f70321f47438bf112e2ee8dbca2f5b.dll,#1
2⤵
PID:4088

memory/4088-132-0x0000000000000000-mapping.dmp

Download
memory/4088-133-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/4088-135-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/4088-136-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download