blackmoon | b3b6418bd2db6b77bffcc3986d1657f702a5f3252152243d3339ef3ee90b2139

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:42

Target

b3b6418bd2db6b77bffcc3986d1657f702a5f3252152243d3339ef3ee90b2139.dll
Size

684KB
MD5

6178f5cf28a1b4e77a7886ed0ae2e105
SHA1

66a7ace54526425f5b6e08d60dd4cd2a3c82bc15
SHA256

b3b6418bd2db6b77bffcc3986d1657f702a5f3252152243d3339ef3ee90b2139
SHA512

533b118d5eb3749cc22bcabcf66095eaddeb7192755ea1d42b3cdfb62596e206acaa5768b8caa21c54083c64b8366b9c5147f3dd260c9ed23a0869539233440f
SSDEEP

12288:fj4nQ9X7RZn4WXd+GXZVb7Zjbc8MKi1bvwuH:f8krRZn4Wt+GXZVb7Zjbc8MKavx

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon
Detect Blackmoon payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/956-27-0x0000000000360000-0x00000000003EF000-memory.dmp family_blackmoon
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

956 rundll32.exe
956 rundll32.exe
956 rundll32.exe
956 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 956 rundll32.exe
Token: SeDebugPrivilege 956 rundll32.exe

resource	yara_rule
behavioral1/memory/956-27-0x0000000000360000-0x00000000003EF000-memory.dmp	family_blackmoon

description	pid	process
Token: SeDebugPrivilege	956	rundll32.exe
Token: SeDebugPrivilege	956	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2112 wrote to memory of 956	2112	rundll32.exe	rundll32.exe
PID 2112 wrote to memory of 956	2112	rundll32.exe	rundll32.exe
PID 2112 wrote to memory of 956	2112	rundll32.exe	rundll32.exe
PID 2112 wrote to memory of 956	2112	rundll32.exe	rundll32.exe
PID 2112 wrote to memory of 956	2112	rundll32.exe	rundll32.exe
PID 2112 wrote to memory of 956	2112	rundll32.exe	rundll32.exe
PID 2112 wrote to memory of 956	2112	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b3b6418bd2db6b77bffcc3986d1657f702a5f3252152243d3339ef3ee90b2139.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2112

memory/956-18-0x0000000000360000-0x00000000003EF000-memory.dmp

Filesize
572KB

Download
memory/956-23-0x0000000000360000-0x00000000003EF000-memory.dmp

Filesize
572KB

Download
memory/956-33-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/956-29-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/956-27-0x0000000000360000-0x00000000003EF000-memory.dmp

Filesize
572KB

Download
memory/956-25-0x0000000000360000-0x00000000003EF000-memory.dmp

Filesize
572KB

Download
memory/956-21-0x0000000000360000-0x00000000003EF000-memory.dmp

Filesize
572KB

Download
memory/956-34-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download