blackmoon | fee045cc4bd2b1db0cc08b874eaa644502a977426639a4ed3892db0453227685

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 10:32

Target

fee045cc4bd2b1db0cc08b874eaa644502a977426639a4ed3892db0453227685.dll
Size

358KB
MD5

3e42b20fe559d7abc3daa666ffc581d0
SHA1

76e8346b73d9b86d2fc2aa5ac57326dc42be5f08
SHA256

fee045cc4bd2b1db0cc08b874eaa644502a977426639a4ed3892db0453227685
SHA512

670948acf5e2da10be68666c2d559ae8c6a5d039ed49419ec21bbf64f00f0339124da5694282d0276d4c559512f42c33fbb021983477668a13f2dfd54aac33c4
SSDEEP

6144:qklQbs3kBMdnHSun9NmE0qfd6GlqNCfRto7umCW0nKS8oQL7e+HsSDbxf:/93kBIHSMKENFOCn+CWe8o6bMkbx

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/1676-56-0x0000000010000000-0x00000000100BC000-memory.dmp	family_blackmoon

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/1676-56-0x0000000010000000-0x00000000100BC000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fee045cc4bd2b1db0cc08b874eaa644502a977426639a4ed3892db0453227685.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fee045cc4bd2b1db0cc08b874eaa644502a977426639a4ed3892db0453227685.dll,#1
  2⤵
  PID:1676

memory/1676-54-0x0000000000000000-mapping.dmp

Download
memory/1676-55-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1676-56-0x0000000010000000-0x00000000100BC000-memory.dmp

Filesize
752KB

Download