blackmoon | be9233f51e5dc81072100e46a5bce3e673493ed1ba81c61ca4078a2543a8c21a

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 20:46

Target

be9233f51e5dc81072100e46a5bce3e673493ed1ba81c61ca4078a2543a8c21a.dll
Size

2.6MB
MD5

521f59276b6f86cddecc2388bfa26ff4
SHA1

5a3e0e90475bd2b3d1aceca9ee61a7dd58cbe1a4
SHA256

be9233f51e5dc81072100e46a5bce3e673493ed1ba81c61ca4078a2543a8c21a
SHA512

fefc9707ac3df5e157da5ebb02d5672677000d2422e5210de338b768293c90a927ad07c550f6c30b27a15802eac76edd26ddfb9b29e8141cf191f516a95178ee
SSDEEP

24576:El7NvGI8N171M1Rp/TUpZJfDP6/O58vmkcLQ8FnYITTb/rPuzM7k3wJmOKMCmLbS:E5du6VE+z53wJWqb2NfX

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/2028-0-0x0000000010000000-0x00000000102A3000-memory.dmp	family_blackmoon
behavioral2/memory/2028-1-0x0000000010000000-0x00000000102A3000-memory.dmp	family_blackmoon
behavioral2/memory/2028-2-0x0000000010000000-0x00000000102A3000-memory.dmp	family_blackmoon
behavioral2/memory/2028-3-0x0000000010000000-0x00000000102A3000-memory.dmp	family_blackmoon

Suspicious use of AdjustPrivilegeToken 4 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 2028	3536	rundll32.exe	84
PID 3536 wrote to memory of 2028	3536	rundll32.exe	84
PID 3536 wrote to memory of 2028	3536	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\be9233f51e5dc81072100e46a5bce3e673493ed1ba81c61ca4078a2543a8c21a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\be9233f51e5dc81072100e46a5bce3e673493ed1ba81c61ca4078a2543a8c21a.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

memory/2028-0-0x0000000010000000-0x00000000102A3000-memory.dmp

Filesize
2.6MB

Download
memory/2028-1-0x0000000010000000-0x00000000102A3000-memory.dmp

Filesize
2.6MB

Download
memory/2028-2-0x0000000010000000-0x00000000102A3000-memory.dmp

Filesize
2.6MB

Download
memory/2028-3-0x0000000010000000-0x00000000102A3000-memory.dmp

Filesize
2.6MB

Download