blackmoon | 1415725c5fd073e1a9ec1afdaef50afe818758f61a9b64fd709e10202d70dd9d

Analysis

max time kernel
91s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 19:00

Target

1415725c5fd073e1a9ec1afdaef50afe818758f61a9b64fd709e10202d70dd9d.dll
Size

356KB
MD5

1147eb617924f80f56ca2054c3e59ae0
SHA1

f59d12dd58a34c8733c62c99a1a82c37fa89fbf0
SHA256

1415725c5fd073e1a9ec1afdaef50afe818758f61a9b64fd709e10202d70dd9d
SHA512

abd24a0b46b981eae39f33dca0f9463b73e10ccdf372a3ae6bb751bca0d12496800dc2fc82f660a325637de02c43c561fbf9dbc8637c9bebd40711cd8cc32b2e
SSDEEP

6144:5H3iKH31w8D2L3vVTqTsd6RuBpcnlbF913VRutHBjT8B5VjVLMqh:x3iKHB27v96skCAbwHBjT8B5rLVh

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/3108-133-0x0000000010000000-0x00000000100BE000-memory.dmp	family_blackmoon
behavioral2/memory/3108-135-0x0000000010000000-0x00000000100BE000-memory.dmp	family_blackmoon

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/3108-133-0x0000000010000000-0x00000000100BE000-memory.dmp	vmprotect
behavioral2/memory/3108-135-0x0000000010000000-0x00000000100BE000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 3108	1264	rundll32.exe	81
PID 1264 wrote to memory of 3108	1264	rundll32.exe	81
PID 1264 wrote to memory of 3108	1264	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1415725c5fd073e1a9ec1afdaef50afe818758f61a9b64fd709e10202d70dd9d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1415725c5fd073e1a9ec1afdaef50afe818758f61a9b64fd709e10202d70dd9d.dll,#1
  2⤵
  PID:3108

memory/3108-133-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/3108-135-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download