blackmoon | 3096a5c84f7b93a5ddc0e8bec589dc8968be4a1c5c1fca26f50224f86eed6fff

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
14-11-2023 18:50

Target

3096a5c84f7b93a5ddc0e8bec589dc8968be4a1c5c1fca26f50224f86eed6fff.dll
Size

70KB
MD5

e4ddd4258168696aaf4f6c8c24fb5ab0
SHA1

3d3e9e4a1985862bd106248873dcb46b9ee14d52
SHA256

3096a5c84f7b93a5ddc0e8bec589dc8968be4a1c5c1fca26f50224f86eed6fff
SHA512

e744558d9a5f4147c082c9cb7a39ae8710f12450098538939740abebedf9ac6559b93e509ff3ea29c6af53f0d66ddb2d3f876ae197930851aa2ad685602522fb
SSDEEP

1536:NQ+blHWrUQXsHKJ2uvJ7vXEwMBat9wLu/:NQUWrXsHKfBWatmu

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/1456-0-0x0000000010000000-0x0000000010050000-memory.dmp	family_blackmoon

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1456	2152	rundll32.exe	28
PID 2152 wrote to memory of 1456	2152	rundll32.exe	28
PID 2152 wrote to memory of 1456	2152	rundll32.exe	28
PID 2152 wrote to memory of 1456	2152	rundll32.exe	28
PID 2152 wrote to memory of 1456	2152	rundll32.exe	28
PID 2152 wrote to memory of 1456	2152	rundll32.exe	28
PID 2152 wrote to memory of 1456	2152	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3096a5c84f7b93a5ddc0e8bec589dc8968be4a1c5c1fca26f50224f86eed6fff.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3096a5c84f7b93a5ddc0e8bec589dc8968be4a1c5c1fca26f50224f86eed6fff.dll,#1
  2⤵
  PID:1456

memory/1456-1-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/1456-0-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download