blackmoon | 2c193a7ae021ac695125b45017b325ef68d2895c71f2cf88a8a1c66bc85c82a3

Analysis

max time kernel
13s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 12:59

Target

2c193a7ae021ac695125b45017b325ef68d2895c71f2cf88a8a1c66bc85c82a3.dll
Size

331KB
MD5

967ffab34af15c3b341429a2c87d0bd0
SHA1

4b219dc8b063b67c566e57a957bb9ca86bfae3d2
SHA256

2c193a7ae021ac695125b45017b325ef68d2895c71f2cf88a8a1c66bc85c82a3
SHA512

d8a06e22f4b692838197a0627bac647e2a7e1cc5c4e4132f3d68cb391a8c068f7d5d43b3efd25a574bb3e77bc15d6b9451ba2600dc0a3e34ddd4dc93210c5905
SSDEEP

6144:Ag8qAFmLoT7cqANKKi8zbGvrEfyv3cGrvwsUxF5rvnwbiZy0vgP3ZGT:Ag7Ah7cqANKKiubGYfyvM6vwT3i0vIJQ

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/3204-133-0x0000000010000000-0x00000000100B7000-memory.dmp	family_blackmoon

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/3204-133-0x0000000010000000-0x00000000100B7000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 3204	1348	rundll32.exe	76
PID 1348 wrote to memory of 3204	1348	rundll32.exe	76
PID 1348 wrote to memory of 3204	1348	rundll32.exe	76

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c193a7ae021ac695125b45017b325ef68d2895c71f2cf88a8a1c66bc85c82a3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c193a7ae021ac695125b45017b325ef68d2895c71f2cf88a8a1c66bc85c82a3.dll,#1
  2⤵
  PID:3204

memory/3204-133-0x0000000010000000-0x00000000100B7000-memory.dmp

Filesize
732KB

Download