blackmoon | f75d4e38d8c6bf8ebd5b56202ad36ee753e66d29747441b04930a182d8d9f84f

Analysis

max time kernel
45s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 10:38

Target

f75d4e38d8c6bf8ebd5b56202ad36ee753e66d29747441b04930a182d8d9f84f.dll
Size

359KB
MD5

7c8fd573e9f4ea2e8bd6849b87c9b6c0
SHA1

bdbab9ba3759acbd3b217f05efc284c6e600669a
SHA256

f75d4e38d8c6bf8ebd5b56202ad36ee753e66d29747441b04930a182d8d9f84f
SHA512

9bb43eca65850a8a40d29e878d61951ff3be56483dbb3abc4286150f9b012840eded3d08254e66222155620f9f9f536fe5077c011d9cd0b720b57e3a0a3e2019
SSDEEP

6144:BocgrXhqU6TBPkU+89f8fnatcQ4VMagw9cFLKmYDyIl72gI6GV3KfoaV8J:29rRZMhkUx9Snat14WdOcAmYDyy72x6I

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/1948-56-0x0000000010000000-0x00000000100BB000-memory.dmp	family_blackmoon

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/1948-56-0x0000000010000000-0x00000000100BB000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f75d4e38d8c6bf8ebd5b56202ad36ee753e66d29747441b04930a182d8d9f84f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f75d4e38d8c6bf8ebd5b56202ad36ee753e66d29747441b04930a182d8d9f84f.dll,#1
  2⤵
  PID:1948

memory/1948-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1948-56-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download