blackmoon | 5ff5e8e04a6614b0465ad7893c5cfee3a66cc150442b331a3d7d40b6117640e9

Analysis

max time kernel
137s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 02:36

Target

5ff5e8e04a6614b0465ad7893c5cfee3a66cc150442b331a3d7d40b6117640e9.dll
Size

224KB
MD5

ec440b6005f10d86055bee77759ca9ae
SHA1

dd084d3d2e1c69241b0331aa9786b4eaa41f2128
SHA256

5ff5e8e04a6614b0465ad7893c5cfee3a66cc150442b331a3d7d40b6117640e9
SHA512

907c7f09d1aac22b8032c3284550cdb7ea00809602719dfcce59252d85afb81c8fa6a819438e510096451f0142f3119632538d0bae665642a2f191cc64d6dc6e
SSDEEP

1536:y0RjLxJ6ayZ+BjfJCp7Mg0NSLfG6amTH/1eq2GjNhXxyr1b/U4gguBKgBnouy8:yIHSTMgISlaWEq2Gjnxyh/U4gguJout

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3528-134-0x0000000075890000-0x00000000758C8000-memory.dmp	family_blackmoon

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/3528-134-0x0000000075890000-0x00000000758C8000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2356 3528 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2356	3528	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4568 wrote to memory of 3528	4568	rundll32.exe	rundll32.exe
PID 4568 wrote to memory of 3528	4568	rundll32.exe	rundll32.exe
PID 4568 wrote to memory of 3528	4568	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ff5e8e04a6614b0465ad7893c5cfee3a66cc150442b331a3d7d40b6117640e9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ff5e8e04a6614b0465ad7893c5cfee3a66cc150442b331a3d7d40b6117640e9.dll,#1
2⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 544
3⤵
- Program crash
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3528 -ip 3528
1⤵
PID:632

memory/3528-134-0x0000000075890000-0x00000000758C8000-memory.dmp

Filesize
224KB

Download