blackmoon | 6cf85dcd95b980a0d1ff4f2166b3bc18ca4f77f55a2b8d95bea6a8fff4618fcc

Analysis

max time kernel
163s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 03:53

Target

6cf85dcd95b980a0d1ff4f2166b3bc18ca4f77f55a2b8d95bea6a8fff4618fcc.dll
Size

355KB
MD5

3c8a34502a56c66464799a18a0f37570
SHA1

6ee0ed53c3c2e0077a29b7f0deec1cfe2e26df51
SHA256

6cf85dcd95b980a0d1ff4f2166b3bc18ca4f77f55a2b8d95bea6a8fff4618fcc
SHA512

494dd9ecb83e5a07ed4e22b4d9a18525980c8c6044a7953ce1172e31f7fe1e7827bafa37180094929ba67382243d391422809a604ac6c740dc428d4797d47187
SSDEEP

6144:tHWao/MtE0rOcx0J1ypTuNBpXgi2QDh0ICLy8NoH1vszYDbuRLpqluWnXCW+mhsJ:1Wao/vU41ybE90dLGEzwSRQbQmhz2s2y

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral2/memory/1268-133-0x0000000010000000-0x00000000100C1000-memory.dmp	family_blackmoon
behavioral2/memory/1268-135-0x0000000010000000-0x00000000100C1000-memory.dmp	family_blackmoon
behavioral2/memory/1268-136-0x0000000010000000-0x00000000100C1000-memory.dmp	family_blackmoon

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/1268-133-0x0000000010000000-0x00000000100C1000-memory.dmp	vmprotect
behavioral2/memory/1268-135-0x0000000010000000-0x00000000100C1000-memory.dmp	vmprotect
behavioral2/memory/1268-136-0x0000000010000000-0x00000000100C1000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 1268	3628	rundll32.exe	82
PID 3628 wrote to memory of 1268	3628	rundll32.exe	82
PID 3628 wrote to memory of 1268	3628	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cf85dcd95b980a0d1ff4f2166b3bc18ca4f77f55a2b8d95bea6a8fff4618fcc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cf85dcd95b980a0d1ff4f2166b3bc18ca4f77f55a2b8d95bea6a8fff4618fcc.dll,#1
  2⤵
  PID:1268

memory/1268-133-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/1268-135-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/1268-136-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download