blackmoon | 9dac1d8d77b7ec8b54c31d0a5dcacf67064343161b24e5c93099a14d10849b5a

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29/08/2023, 21:57

Target

9dac1d8d77b7ec8b54c31d0a5dcacf67064343161b24e5c93099a14d10849b5a.dll
Size

13.7MB
MD5

e14bb95591f7c20dcd8809efea702cf7
SHA1

feac83876c81fe2652120bb35e1a83a291b0be5c
SHA256

9dac1d8d77b7ec8b54c31d0a5dcacf67064343161b24e5c93099a14d10849b5a
SHA512

7e0634c1f6ef339f166eaf747f331fba746a3b2c26de17d072cf59765c46d763b813672b0250c140e62a1631f90a5e8e27740f589ff6851f168069cba92f2bbd
SSDEEP

393216:y83AEHXpbvYjkkbiPED+zeiQwbuWFyp6Afcb0ZOf6ppsHe9zR:BQExvUN0ED+zeiznY/cb0Z/s+9zR

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/2268-5-0x0000000002180000-0x00000000023B4000-memory.dmp	family_blackmoon
behavioral1/memory/2268-2-0x0000000010000000-0x0000000011B34000-memory.dmp	family_blackmoon
behavioral1/memory/2268-3-0x0000000010000000-0x0000000011B34000-memory.dmp	family_blackmoon
behavioral1/memory/2268-1-0x0000000010000000-0x0000000011B34000-memory.dmp	family_blackmoon

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/2268-2-0x0000000010000000-0x0000000011B34000-memory.dmp	vmprotect
behavioral1/memory/2268-3-0x0000000010000000-0x0000000011B34000-memory.dmp	vmprotect
behavioral1/memory/2268-1-0x0000000010000000-0x0000000011B34000-memory.dmp	vmprotect
behavioral1/memory/2268-0-0x0000000010000000-0x0000000011B34000-memory.dmp	vmprotect

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2268	rundll32.exe
2268	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2268	2352	rundll32.exe	1
PID 2352 wrote to memory of 2268	2352	rundll32.exe	1
PID 2352 wrote to memory of 2268	2352	rundll32.exe	1
PID 2352 wrote to memory of 2268	2352	rundll32.exe	1
PID 2352 wrote to memory of 2268	2352	rundll32.exe	1
PID 2352 wrote to memory of 2268	2352	rundll32.exe	1
PID 2352 wrote to memory of 2268	2352	rundll32.exe	1

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9dac1d8d77b7ec8b54c31d0a5dcacf67064343161b24e5c93099a14d10849b5a.dll,#1
1⤵
- Suspicious use of SetWindowsHookEx
PID:2268

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9dac1d8d77b7ec8b54c31d0a5dcacf67064343161b24e5c93099a14d10849b5a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2352

memory/2268-5-0x0000000002180000-0x00000000023B4000-memory.dmp

Filesize
2.2MB

Download
memory/2268-2-0x0000000010000000-0x0000000011B34000-memory.dmp

Filesize
27.2MB

Download
memory/2268-3-0x0000000010000000-0x0000000011B34000-memory.dmp

Filesize
27.2MB

Download
memory/2268-1-0x0000000010000000-0x0000000011B34000-memory.dmp

Filesize
27.2MB

Download
memory/2268-0-0x0000000010000000-0x0000000011B34000-memory.dmp

Filesize
27.2MB

Download