blackmoon | 7e4d8f72078d038543e4ca22e33c0fe6a2f1b66a2f819ff4e0e068a0ef6a961f

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 16:52

Target

7e4d8f72078d038543e4ca22e33c0fe6a2f1b66a2f819ff4e0e068a0ef6a961f.dll
Size

4.0MB
MD5

8c7beeca76f1f6fe192d9410e277ded1
SHA1

95a342170ead9b27f6985094d4327c07b4ebc620
SHA256

7e4d8f72078d038543e4ca22e33c0fe6a2f1b66a2f819ff4e0e068a0ef6a961f
SHA512

077482daad7e5c354c07ddcc0f9668d2f6c9b225e67e2ede395f98219f66a361f65ea7b2fbcf21b4fcfa15bebf6cf64c5af97f82c5eb76378e31d41e35c2e284
SSDEEP

98304:HVhQPBcNX7FYvbkhb9/DjQDO7ezvS5jPZDAVKC4NMAeU:1h8YX7iv4hFDkCevGjPKVKCQm

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/900-2-0x0000000010000000-0x00000000108CB000-memory.dmp	family_blackmoon
behavioral1/memory/900-3-0x0000000010000000-0x00000000108CB000-memory.dmp	family_blackmoon
behavioral1/memory/900-10-0x0000000010000000-0x00000000108CB000-memory.dmp	family_blackmoon

Loads dropped DLL 1 IoCs

pid	Process
900	rundll32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/900-0-0x0000000010000000-0x00000000108CB000-memory.dmp	upx
behavioral1/memory/900-1-0x0000000010000000-0x00000000108CB000-memory.dmp	upx
behavioral1/memory/900-2-0x0000000010000000-0x00000000108CB000-memory.dmp	upx
behavioral1/memory/900-3-0x0000000010000000-0x00000000108CB000-memory.dmp	upx
behavioral1/memory/900-9-0x0000000000150000-0x0000000000165000-memory.dmp	upx
behavioral1/memory/900-10-0x0000000010000000-0x00000000108CB000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
900	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 900	2372	rundll32.exe	26
PID 2372 wrote to memory of 900	2372	rundll32.exe	26
PID 2372 wrote to memory of 900	2372	rundll32.exe	26
PID 2372 wrote to memory of 900	2372	rundll32.exe	26
PID 2372 wrote to memory of 900	2372	rundll32.exe	26
PID 2372 wrote to memory of 900	2372	rundll32.exe	26
PID 2372 wrote to memory of 900	2372	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e4d8f72078d038543e4ca22e33c0fe6a2f1b66a2f819ff4e0e068a0ef6a961f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e4d8f72078d038543e4ca22e33c0fe6a2f1b66a2f819ff4e0e068a0ef6a961f.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:900

\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll

Filesize
8.4MB

MD5
8b6c94bbdbfb213e94a5dcb4fac28ce3

SHA1
b56102ca4f03556f387f8b30e2b404efabe0cb65

SHA256
982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53

SHA512
9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

Download Submit
memory/900-0-0x0000000010000000-0x00000000108CB000-memory.dmp

Filesize
8.8MB

Download
memory/900-1-0x0000000010000000-0x00000000108CB000-memory.dmp

Filesize
8.8MB

Download
memory/900-2-0x0000000010000000-0x00000000108CB000-memory.dmp

Filesize
8.8MB

Download
memory/900-3-0x0000000010000000-0x00000000108CB000-memory.dmp

Filesize
8.8MB

Download
memory/900-9-0x0000000000150000-0x0000000000165000-memory.dmp

Filesize
84KB

Download
memory/900-10-0x0000000010000000-0x00000000108CB000-memory.dmp

Filesize
8.8MB

Download