blackmoon | 7aed80f9c4cadc43e40b56f8cd8e70509a46918d87b87c91ae8a2d729a23afb7

Analysis

max time kernel
153s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 12:10

Target

7aed80f9c4cadc43e40b56f8cd8e70509a46918d87b87c91ae8a2d729a23afb7.dll
Size

366KB
MD5

3d71c09344a0159188ca85f7a6c1eeb0
SHA1

86069c3f28bcbbeef3c29a038d67402eada1d5a1
SHA256

7aed80f9c4cadc43e40b56f8cd8e70509a46918d87b87c91ae8a2d729a23afb7
SHA512

3b484337793e594df68c79a7f35373cc19cf31d2a2c1cbab837e7f700cdfe691a38e9439ac9fb92577ff2c0cbf46883e8752fccad494824d969eb95a9e892405
SSDEEP

6144:GoiItmwgmFLHUJAL+dlgeUtHdwAyPnfC1n7rD9WU259w0Ky:zBygL06klgeU5dwAHJ7P9W15w

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/1440-133-0x0000000010000000-0x00000000100C1000-memory.dmp	family_blackmoon

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/1440-133-0x0000000010000000-0x00000000100C1000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1440	1008	rundll32.exe	82
PID 1008 wrote to memory of 1440	1008	rundll32.exe	82
PID 1008 wrote to memory of 1440	1008	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7aed80f9c4cadc43e40b56f8cd8e70509a46918d87b87c91ae8a2d729a23afb7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7aed80f9c4cadc43e40b56f8cd8e70509a46918d87b87c91ae8a2d729a23afb7.dll,#1
  2⤵
  PID:1440

memory/1440-133-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download