blackmoon | 3c1a75a87393c89d1d2853a21e349055f6d1648d519486cba809b2e5b6ccae04

Analysis

max time kernel
72s
max time network
76s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 18:11

Target

3c1a75a87393c89d1d2853a21e349055f6d1648d519486cba809b2e5b6ccae04.dll
Size

265KB
MD5

b1c0fe28b890842d226c98ce21115592
SHA1

b1b561980578c5ce97e8f5efdbb7d7964a056a2d
SHA256

3c1a75a87393c89d1d2853a21e349055f6d1648d519486cba809b2e5b6ccae04
SHA512

bff6de8a793f35e8d63a3403b9ee4d28f5740d7f1714566c1914c75c7a067078daa744880a95bd344d7d43cd90ba6dcb7763f4b8db340209490973aadcc53f58
SSDEEP

3072:71bP42BwhcFfzguuUjZT4/hF0POqTbXRwVcmtqNz:71M2BwhefzgzWo8Prbl

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/2320-54-0x0000000075010000-0x000000007508D000-memory.dmp	family_blackmoon

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2320	2316	rundll32.exe	28
PID 2316 wrote to memory of 2320	2316	rundll32.exe	28
PID 2316 wrote to memory of 2320	2316	rundll32.exe	28
PID 2316 wrote to memory of 2320	2316	rundll32.exe	28
PID 2316 wrote to memory of 2320	2316	rundll32.exe	28
PID 2316 wrote to memory of 2320	2316	rundll32.exe	28
PID 2316 wrote to memory of 2320	2316	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c1a75a87393c89d1d2853a21e349055f6d1648d519486cba809b2e5b6ccae04.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c1a75a87393c89d1d2853a21e349055f6d1648d519486cba809b2e5b6ccae04.dll,#1
  2⤵
  PID:2320

memory/2320-54-0x0000000075010000-0x000000007508D000-memory.dmp

Filesize
500KB

Download