blackmoon | 5ad56cf6ab2162bdb887753bf5a8d41ef9afeefb964974c299b3a7769e97d8d9

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21-09-2023 01:03

Target

5ad56cf6ab2162bdb887753bf5a8d41ef9afeefb964974c299b3a7769e97d8d9.dll
Size

332KB
MD5

e9208a880b59ccb2f38609e0febe7d17
SHA1

00af2efd5ef651faaa51d0081d7d2c2af3dbf488
SHA256

5ad56cf6ab2162bdb887753bf5a8d41ef9afeefb964974c299b3a7769e97d8d9
SHA512

4c385cb11147ac68611d9113fb545743ba8617d3236355a036538d391dc883d760ffe505b405b44c0957dd83b4f970ef20522fb038263a0675a802bf9768ec15
SSDEEP

6144:2abiijKeKFB4j1rZ0h6GScdBWO0sFw0i7OCoPL7u+mJ:HiijKeKFB4j1rug6LT0sFw0i7OVP3a

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/1664-0-0x0000000000170000-0x0000000000183000-memory.dmp	family_blackmoon

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2180	1664	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 1664	1564	rundll32.exe	28
PID 1564 wrote to memory of 1664	1564	rundll32.exe	28
PID 1564 wrote to memory of 1664	1564	rundll32.exe	28
PID 1564 wrote to memory of 1664	1564	rundll32.exe	28
PID 1564 wrote to memory of 1664	1564	rundll32.exe	28
PID 1564 wrote to memory of 1664	1564	rundll32.exe	28
PID 1564 wrote to memory of 1664	1564	rundll32.exe	28
PID 1664 wrote to memory of 2180	1664	rundll32.exe	29
PID 1664 wrote to memory of 2180	1664	rundll32.exe	29
PID 1664 wrote to memory of 2180	1664	rundll32.exe	29
PID 1664 wrote to memory of 2180	1664	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ad56cf6ab2162bdb887753bf5a8d41ef9afeefb964974c299b3a7769e97d8d9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ad56cf6ab2162bdb887753bf5a8d41ef9afeefb964974c299b3a7769e97d8d9.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 420
    3⤵
    - Program crash
    PID:2180

memory/1664-0-0x0000000000170000-0x0000000000183000-memory.dmp

Filesize
76KB

Download