blackmoon | 0dfdac421c42ab159a900fa1b7d08e74958a97a1aa86ab3e820996d8bf786eb7

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31/08/2023, 07:04

Target

0dfdac421c42ab159a900fa1b7d08e74958a97a1aa86ab3e820996d8bf786eb7.dll
Size

200KB
MD5

82ec291fa3647b1b2d53d5b97282acef
SHA1

79555facd6b891116639d0d3dfc3d23247a97462
SHA256

0dfdac421c42ab159a900fa1b7d08e74958a97a1aa86ab3e820996d8bf786eb7
SHA512

a14111c7424d1ef4211fccd9c3179edd4f57ed570da249fce0f5df81fc47c9fafa32805072f0cf4dcc982821d433251be02d53146b807deeb27daae9d57a8c4a
SSDEEP

3072:kpzqxDDiuxeXWULk5+jJt6Gj3fZaXpygEUPexacpUotETUfB:sEDDiuxeXW4iCbopyqnZ

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/2028-1-0x0000000010000000-0x000000001004B000-memory.dmp	family_blackmoon

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2028	2240	rundll32.exe	28
PID 2240 wrote to memory of 2028	2240	rundll32.exe	28
PID 2240 wrote to memory of 2028	2240	rundll32.exe	28
PID 2240 wrote to memory of 2028	2240	rundll32.exe	28
PID 2240 wrote to memory of 2028	2240	rundll32.exe	28
PID 2240 wrote to memory of 2028	2240	rundll32.exe	28
PID 2240 wrote to memory of 2028	2240	rundll32.exe	28
PID 2028 wrote to memory of 3024	2028	rundll32.exe	29
PID 2028 wrote to memory of 3024	2028	rundll32.exe	29
PID 2028 wrote to memory of 3024	2028	rundll32.exe	29
PID 2028 wrote to memory of 3024	2028	rundll32.exe	29
PID 3024 wrote to memory of 2616	3024	cmd.exe	31
PID 3024 wrote to memory of 2616	3024	cmd.exe	31
PID 3024 wrote to memory of 2616	3024	cmd.exe	31
PID 3024 wrote to memory of 2616	3024	cmd.exe	31
PID 3024 wrote to memory of 2440	3024	cmd.exe	32
PID 3024 wrote to memory of 2440	3024	cmd.exe	32
PID 3024 wrote to memory of 2440	3024	cmd.exe	32
PID 3024 wrote to memory of 2440	3024	cmd.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0dfdac421c42ab159a900fa1b7d08e74958a97a1aa86ab3e820996d8bf786eb7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0dfdac421c42ab159a900fa1b7d08e74958a97a1aa86ab3e820996d8bf786eb7.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:&dir|find "ÐòÁÐºÅ">C:\Users\Admin\AppData\Local\Temp\5291.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir"
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\find.exe
      find "ÐòÁÐºÅ"
      4⤵
      PID:2440

memory/2028-0-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/2028-1-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download