blackmoon | d2fe840c45bc4f60cba85e7e1709c3e993e9faed230f88e785988aacae68c3d3

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 12:19

Target

d2fe840c45bc4f60cba85e7e1709c3e993e9faed230f88e785988aacae68c3d3.dll
Size

15.1MB
MD5

ca455757a490342d08ddd0636282d1db
SHA1

bfc05e1baa642475b06048aeb09f4e90cd709e87
SHA256

d2fe840c45bc4f60cba85e7e1709c3e993e9faed230f88e785988aacae68c3d3
SHA512

954b9925669ce2fe44c65ee589a45b47588496d4a62facf583bb0a952ee9c44686f754a1df773713a12c8e7f1dcebef749b895c6cf383006518118ae57f2989f
SSDEEP

393216:aiIPTObyuJIOmTnMTW6vBfK+DlV3y7Prqt:aLPWGOpS+X36PWt

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2188-9-0x0000000010000000-0x00000000120DA000-memory.dmp	family_blackmoon
behavioral1/memory/2188-7-0x0000000010000000-0x00000000120DA000-memory.dmp	family_blackmoon
behavioral1/memory/2188-13-0x0000000010000000-0x00000000120DA000-memory.dmp	family_blackmoon
behavioral1/memory/2188-16-0x0000000010000000-0x00000000120DA000-memory.dmp	family_blackmoon
behavioral1/memory/2188-23-0x0000000010000000-0x00000000120DA000-memory.dmp	family_blackmoon
behavioral1/memory/2188-19-0x0000000010000000-0x00000000120DA000-memory.dmp	family_blackmoon
behavioral1/memory/2188-30-0x0000000010000000-0x00000000120DA000-memory.dmp	family_blackmoon
behavioral1/memory/2188-29-0x0000000010000000-0x00000000120DA000-memory.dmp	family_blackmoon
behavioral1/memory/2188-37-0x0000000003050000-0x0000000003236000-memory.dmp	family_blackmoon
behavioral1/memory/2188-41-0x0000000010000000-0x00000000120DA000-memory.dmp	family_blackmoon
behavioral1/memory/2188-42-0x0000000010000000-0x00000000120DA000-memory.dmp	family_blackmoon

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

2188 rundll32.exe

pid	process
2188	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2388 wrote to memory of 2188	2388	rundll32.exe	rundll32.exe
PID 2388 wrote to memory of 2188	2388	rundll32.exe	rundll32.exe
PID 2388 wrote to memory of 2188	2388	rundll32.exe	rundll32.exe
PID 2388 wrote to memory of 2188	2388	rundll32.exe	rundll32.exe
PID 2388 wrote to memory of 2188	2388	rundll32.exe	rundll32.exe
PID 2388 wrote to memory of 2188	2388	rundll32.exe	rundll32.exe
PID 2388 wrote to memory of 2188	2388	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2fe840c45bc4f60cba85e7e1709c3e993e9faed230f88e785988aacae68c3d3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2fe840c45bc4f60cba85e7e1709c3e993e9faed230f88e785988aacae68c3d3.dll,#1
2⤵
- Suspicious use of SetWindowsHookEx
PID:2188

memory/2188-3-0x0000000010000000-0x00000000120DA000-memory.dmp

Filesize
32.9MB

Download
memory/2188-0-0x0000000010000000-0x00000000120DA000-memory.dmp

Filesize
32.9MB

Download
memory/2188-9-0x0000000010000000-0x00000000120DA000-memory.dmp

Filesize
32.9MB

Download
memory/2188-7-0x0000000010000000-0x00000000120DA000-memory.dmp

Filesize
32.9MB

Download
memory/2188-13-0x0000000010000000-0x00000000120DA000-memory.dmp

Filesize
32.9MB

Download
memory/2188-16-0x0000000010000000-0x00000000120DA000-memory.dmp

Filesize
32.9MB

Download
memory/2188-23-0x0000000010000000-0x00000000120DA000-memory.dmp

Filesize
32.9MB

Download
memory/2188-19-0x0000000010000000-0x00000000120DA000-memory.dmp

Filesize
32.9MB

Download
memory/2188-30-0x0000000010000000-0x00000000120DA000-memory.dmp

Filesize
32.9MB

Download
memory/2188-29-0x0000000010000000-0x00000000120DA000-memory.dmp

Filesize
32.9MB

Download
memory/2188-31-0x00000000020E0000-0x0000000002394000-memory.dmp

Filesize
2.7MB

Download
memory/2188-37-0x0000000003050000-0x0000000003236000-memory.dmp

Filesize
1.9MB

Download
memory/2188-41-0x0000000010000000-0x00000000120DA000-memory.dmp

Filesize
32.9MB

Download
memory/2188-42-0x0000000010000000-0x00000000120DA000-memory.dmp

Filesize
32.9MB

Download