blackmoon | b24e99b6426707c06be5b965386fa2c8f9007151f508f95670cae7ba7117efbf

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/11/2022, 23:07

Target

b24e99b6426707c06be5b965386fa2c8f9007151f508f95670cae7ba7117efbf.dll
Size

356KB
MD5

58b2abdcf646a3ec6d1b3b39f65f7bd0
SHA1

5f8014061fe4752d7793dcc1a576cbfe8a8c2b46
SHA256

b24e99b6426707c06be5b965386fa2c8f9007151f508f95670cae7ba7117efbf
SHA512

02d0998364401b66f644cc7738eba9e49fa82d8288f8ccd6170daa3c404f6fa0f230b3a35edeb82bd4b406b6c0d5d1cee72edd60d8bfe0d315697e16e9c9eb8f
SSDEEP

6144:3ypyJE1S5ND31zwdHlWbEaScp8FSBuRTY2o56oxW8eYkYM6y:3ysJE1SrDlzulWbEaNp8ABATY246oMTD

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/900-56-0x0000000010000000-0x00000000100C1000-memory.dmp	family_blackmoon

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/900-56-0x0000000010000000-0x00000000100C1000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 900	1956	rundll32.exe	27
PID 1956 wrote to memory of 900	1956	rundll32.exe	27
PID 1956 wrote to memory of 900	1956	rundll32.exe	27
PID 1956 wrote to memory of 900	1956	rundll32.exe	27
PID 1956 wrote to memory of 900	1956	rundll32.exe	27
PID 1956 wrote to memory of 900	1956	rundll32.exe	27
PID 1956 wrote to memory of 900	1956	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b24e99b6426707c06be5b965386fa2c8f9007151f508f95670cae7ba7117efbf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b24e99b6426707c06be5b965386fa2c8f9007151f508f95670cae7ba7117efbf.dll,#1
  2⤵
  PID:900

memory/900-55-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/900-56-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download