blackmoon | 3dd7f8db8a449765b1e0932394a1b310229ad492ca943ab396fa8d709446dfa9

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2023 16:33

Target

01178199.dll
Size

113KB
MD5

82414dead2dfee972e3943c9e26738bc
SHA1

0a77ce21a5e3697e805630953b73911f562ff1b2
SHA256

3dd7f8db8a449765b1e0932394a1b310229ad492ca943ab396fa8d709446dfa9
SHA512

75dd77f3a123203196b968449316281518155d77a48ba26dd4d6fcdcfb358e40c102ec519b992db6e74343712cc361d87b0c7d6dac8ca9a761e47b0089ee8c67
SSDEEP

1536:DooBspOAAkGafox1bZoFcbxM+ebZz+x4X5IPFmSpvXkWfCxaIK7VDIc9Vb:DTB2AkvoiW++ebZcGcmgvXkcC7K7K6F

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2840-134-0x0000000002830000-0x0000000002847000-memory.dmp	family_blackmoon

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/2840-133-0x0000000010000000-0x0000000010062000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 748 wrote to memory of 2840	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 2840	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 2840	748	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\01178199.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\01178199.dll,#1
2⤵
PID:2840

memory/2840-133-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2840-134-0x0000000002830000-0x0000000002847000-memory.dmp

Filesize
92KB

Download