blackmoon | 6dcce825c476e5329299ac78c8d10e5f01a4ca034d3c1474d54f2fdf74457df5

Analysis

max time kernel
137s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2023 20:14

Target

6dcce825c476e5329299ac78c8d10e5f01a4ca034d3c1474d54f2fdf74457df5.dll
Size

1.2MB
MD5

03d5a0d3f0b25b77b4fc17ed52345083
SHA1

bb4f6515c51daed125a20ce0a6520603cd745087
SHA256

6dcce825c476e5329299ac78c8d10e5f01a4ca034d3c1474d54f2fdf74457df5
SHA512

15bf516fbb4451a6637538b8fb281c2381a720c37fa05ee9992091b98e5f4477395891d531aa1b5147080f1136528802c8c0dbfe26315f3d707a1edda8085271
SSDEEP

24576:sodLs/HI52UTJes5OGLEh2UwlZI1ncWB4fGHTL9EB:sodwaRF75GoI1ncJfGHTJEB

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4980-133-0x0000000010000000-0x000000001013E000-memory.dmp	family_blackmoon
behavioral2/memory/4980-134-0x0000000010000000-0x000000001013E000-memory.dmp	family_blackmoon

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4900 wrote to memory of 4980	4900	rundll32.exe	rundll32.exe
PID 4900 wrote to memory of 4980	4900	rundll32.exe	rundll32.exe
PID 4900 wrote to memory of 4980	4900	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dcce825c476e5329299ac78c8d10e5f01a4ca034d3c1474d54f2fdf74457df5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dcce825c476e5329299ac78c8d10e5f01a4ca034d3c1474d54f2fdf74457df5.dll,#1
2⤵
PID:4980

memory/4980-133-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/4980-134-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download