blackmoon | 0dfdac421c42ab159a900fa1b7d08e74958a97a1aa86ab3e820996d8bf786eb7

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 07:04

Target

0dfdac421c42ab159a900fa1b7d08e74958a97a1aa86ab3e820996d8bf786eb7.dll
Size

200KB
MD5

82ec291fa3647b1b2d53d5b97282acef
SHA1

79555facd6b891116639d0d3dfc3d23247a97462
SHA256

0dfdac421c42ab159a900fa1b7d08e74958a97a1aa86ab3e820996d8bf786eb7
SHA512

a14111c7424d1ef4211fccd9c3179edd4f57ed570da249fce0f5df81fc47c9fafa32805072f0cf4dcc982821d433251be02d53146b807deeb27daae9d57a8c4a
SSDEEP

3072:kpzqxDDiuxeXWULk5+jJt6Gj3fZaXpygEUPexacpUotETUfB:sEDDiuxeXW4iCbopyqnZ

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/1956-1-0x0000000010000000-0x000000001004B000-memory.dmp	family_blackmoon

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1956	1740	rundll32.exe	83
PID 1740 wrote to memory of 1956	1740	rundll32.exe	83
PID 1740 wrote to memory of 1956	1740	rundll32.exe	83
PID 1956 wrote to memory of 348	1956	rundll32.exe	84
PID 1956 wrote to memory of 348	1956	rundll32.exe	84
PID 1956 wrote to memory of 348	1956	rundll32.exe	84
PID 348 wrote to memory of 552	348	cmd.exe	86
PID 348 wrote to memory of 552	348	cmd.exe	86
PID 348 wrote to memory of 552	348	cmd.exe	86
PID 348 wrote to memory of 4504	348	cmd.exe	87
PID 348 wrote to memory of 4504	348	cmd.exe	87
PID 348 wrote to memory of 4504	348	cmd.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0dfdac421c42ab159a900fa1b7d08e74958a97a1aa86ab3e820996d8bf786eb7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0dfdac421c42ab159a900fa1b7d08e74958a97a1aa86ab3e820996d8bf786eb7.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:&dir|find "ÐòÁÐºÅ">C:\Users\Admin\AppData\Local\Temp\22176.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir"
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\find.exe
      find "ÐòÁÐºÅ"
      4⤵
      PID:4504

memory/1956-0-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/1956-1-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download