blackmoon | 5289d89b6b479f9b46ebf6080d21300b0ea8fa767046e0dfd68183e6a6145e91 | Triage

Analysis

max time kernel
410s
max time network
334s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-03-2023 02:04

Sharing

Report Analysis Logs

General

Target

keyiso.dll
Size

17KB
MD5

d0d44ca70e15a780c1873d0807709d7c
SHA1

c67d3af5c48dd877883af6cc9afd30031f99b069
SHA256

c7eedd9c1bb9a4a99b6caf37a5b6e061de48cc98a180808782a40957a0a576ed
SHA512

637402aaa4ff4e8e16785dbcb7ff622af77cd84b9c2588645bf6faef3dbc0578a83d7e4f32028fa64db3a3673a51b8979890dd39cd2ad6ed40f3033d364e55b2
SSDEEP

384:1BSgeNZZWY5YyaImzDvPhHAarm6Abo4bPg096f1esWlTW:1jjGYQmXvpHpm6AkMPE1E

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/632-54-0x0000000010000000-0x0000000010022000-memory.dmp	family_blackmoon
behavioral1/memory/632-55-0x0000000010000000-0x0000000010022000-memory.dmp	family_blackmoon
behavioral1/memory/632-89-0x0000000010000000-0x0000000010022000-memory.dmp	family_blackmoon

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/632-54-0x0000000010000000-0x0000000010022000-memory.dmp	upx
behavioral1/memory/632-55-0x0000000010000000-0x0000000010022000-memory.dmp	upx
behavioral1/memory/632-89-0x0000000010000000-0x0000000010022000-memory.dmp	upx

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1444 wrote to memory of 632	1444	rundll32.exe	rundll32.exe
PID 1444 wrote to memory of 632	1444	rundll32.exe	rundll32.exe
PID 1444 wrote to memory of 632	1444	rundll32.exe	rundll32.exe
PID 1444 wrote to memory of 632	1444	rundll32.exe	rundll32.exe
PID 1444 wrote to memory of 632	1444	rundll32.exe	rundll32.exe
PID 1444 wrote to memory of 632	1444	rundll32.exe	rundll32.exe
PID 1444 wrote to memory of 632	1444	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\keyiso.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\keyiso.dll,#1
2⤵
PID:632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-54-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/632-55-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/632-89-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download