blackmoon | 132b920cc6930a2c466124bf941a8b34ba6208cfa3e4965468e0d09ce57bad58

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 15:03

Target

132b920cc6930a2c466124bf941a8b34ba6208cfa3e4965468e0d09ce57bad58.dll
Size

25KB
MD5

c103e7fb16372aa0204232d95ef98632
SHA1

5ef4664b35f0cd6d958e9e37bff44c776ab52d3f
SHA256

132b920cc6930a2c466124bf941a8b34ba6208cfa3e4965468e0d09ce57bad58
SHA512

139f3736b1852d16e9f34cc819bb48ca433ac72d71d4e983901abf0688ad09c36bee8067e3120540751eea052aec35549ccfd684d108cacebf4877c2d4b0a492
SSDEEP

384:RJpGZSGpokouhsRbmb6x4RmzX7LiMXR/aaOiBj8OrYhU3YgM1VP7VesiZ+E6:RJpsSOoRbmb6x4UX7F/IiBZshUIpYJ6

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/1712-2-0x0000000010000000-0x000000001002E000-memory.dmp	family_blackmoon
behavioral1/memory/1712-3-0x0000000010000000-0x000000001002E000-memory.dmp	family_blackmoon
behavioral1/memory/1712-12-0x0000000010000000-0x000000001002E000-memory.dmp	family_blackmoon

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1712	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1712-0-0x0000000010000000-0x000000001002E000-memory.dmp	upx
behavioral1/memory/1712-1-0x0000000010000000-0x000000001002E000-memory.dmp	upx
behavioral1/memory/1712-2-0x0000000010000000-0x000000001002E000-memory.dmp	upx
behavioral1/memory/1712-3-0x0000000010000000-0x000000001002E000-memory.dmp	upx
behavioral1/memory/1712-12-0x0000000010000000-0x000000001002E000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1712	rundll32.exe
1712	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1712	3048	rundll32.exe	28
PID 3048 wrote to memory of 1712	3048	rundll32.exe	28
PID 3048 wrote to memory of 1712	3048	rundll32.exe	28
PID 3048 wrote to memory of 1712	3048	rundll32.exe	28
PID 3048 wrote to memory of 1712	3048	rundll32.exe	28
PID 3048 wrote to memory of 1712	3048	rundll32.exe	28
PID 3048 wrote to memory of 1712	3048	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\132b920cc6930a2c466124bf941a8b34ba6208cfa3e4965468e0d09ce57bad58.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\132b920cc6930a2c466124bf941a8b34ba6208cfa3e4965468e0d09ce57bad58.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:1712

memory/1712-0-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1712-1-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1712-2-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1712-3-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1712-12-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download