blackmoon | 4590f39e816f8249fc5f6db450e4a2fe7834aac9e136c1daf565578d658cf51c

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 19:00

Target

4590f39e816f8249fc5f6db450e4a2fe7834aac9e136c1daf565578d658cf51c.dll
Size

265KB
MD5

7aabcb8c71fe4e103b244a458c7e39a6
SHA1

dc9018bc9d730ebc921f6d1a7df151830e716881
SHA256

4590f39e816f8249fc5f6db450e4a2fe7834aac9e136c1daf565578d658cf51c
SHA512

f5af3de595a32bfc4d10a34cfb4bdf37434351f539d04297c542eba0c3c5ddc3db30fbbf4792ac05e9d12d47be4ce1bc0612b08d0c55d0e52c66892081749953
SSDEEP

3072:y1bP42BwhcFfzguuUjZT4/hF0P8qTbyRuVcmtq5y:y1M2BwhefzgzWo8PRIl

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2328-133-0x0000000074C50000-0x0000000074CCD000-memory.dmp	family_blackmoon

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3852 wrote to memory of 2328	3852	rundll32.exe	rundll32.exe
PID 3852 wrote to memory of 2328	3852	rundll32.exe	rundll32.exe
PID 3852 wrote to memory of 2328	3852	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4590f39e816f8249fc5f6db450e4a2fe7834aac9e136c1daf565578d658cf51c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4590f39e816f8249fc5f6db450e4a2fe7834aac9e136c1daf565578d658cf51c.dll,#1
  2⤵
  PID:2328

memory/2328-133-0x0000000074C50000-0x0000000074CCD000-memory.dmp

Filesize
500KB

Download