Resubmissions
03-09-2024 14:02
240903-rb57sazdqf 1003-09-2024 13:51
240903-q59avszclf 1002-09-2024 19:51
240902-yk8gtsxbpd 1002-09-2024 02:27
240902-cxh7tazflg 1002-09-2024 02:26
240902-cwxc2sygll 1021-06-2024 19:37
240621-yca7cszgnd 1009-06-2024 17:07
240609-vm7rjadd73 1013-05-2024 17:36
240513-v6qblafe3y 1012-05-2024 17:17
240512-vty3zafh5s 10Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
12-05-2024 17:17
General
-
Target
Stealers/BlackMoon.exe
-
Size
387KB
-
MD5
336efa7460c08e3d47f29121742eb010
-
SHA1
f41c36cd83879d170309dede056563d35741b87b
-
SHA256
e6dd3fa33ad938b07c8978691f86b73e9f6fd84104b92f42566498bdb6b2930e
-
SHA512
e8d118fbe907a00d89c2514af4de475a0ea54943076bf90174234f77f2ec093a1246a0d4e78d1104a0dcda150b5441d28f4f3d1e768ecb20ae86383a99863c14
-
SSDEEP
12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfN:SgdnJVU4TlnwJ6Goo
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3pjpv.exec:\3pjpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvppp.exec:\dvppp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrxff.exec:\fxlrxff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpdj.exec:\dvpdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5llxlll.exec:\5llxlll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdvvj.exec:\vdvvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtntb.exec:\hhtntb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnbth.exec:\bbnbth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfxrfx.exec:\frfxrfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntnbbn.exec:\ntnbbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lfrlrl.exec:\3lfrlrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7llxfrr.exec:\7llxfrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnntb.exec:\hhnntb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rflxlx.exec:\5rflxlx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpdjd.exec:\jpdjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rrrxxl.exec:\9rrrxxl.exe17⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe18⤵
- Executes dropped EXE
-
\??\c:\lrlxllr.exec:\lrlxllr.exe19⤵
- Executes dropped EXE
-
\??\c:\9bttth.exec:\9bttth.exe20⤵
- Executes dropped EXE
-
\??\c:\dvjvv.exec:\dvjvv.exe21⤵
- Executes dropped EXE
-
\??\c:\1nnhtb.exec:\1nnhtb.exe22⤵
- Executes dropped EXE
-
\??\c:\pppjd.exec:\pppjd.exe23⤵
- Executes dropped EXE
-
\??\c:\lrrlfrx.exec:\lrrlfrx.exe24⤵
- Executes dropped EXE
-
\??\c:\hbnthh.exec:\hbnthh.exe25⤵
- Executes dropped EXE
-
\??\c:\9jdpp.exec:\9jdpp.exe26⤵
- Executes dropped EXE
-
\??\c:\5rllflf.exec:\5rllflf.exe27⤵
- Executes dropped EXE
-
\??\c:\rxlfflf.exec:\rxlfflf.exe28⤵
- Executes dropped EXE
-
\??\c:\3nbtnt.exec:\3nbtnt.exe29⤵
- Executes dropped EXE
-
\??\c:\nhtbnh.exec:\nhtbnh.exe30⤵
- Executes dropped EXE
-
\??\c:\5rxlxlr.exec:\5rxlxlr.exe31⤵
- Executes dropped EXE
-
\??\c:\1nnbhn.exec:\1nnbhn.exe32⤵
- Executes dropped EXE
-
\??\c:\vvpvv.exec:\vvpvv.exe33⤵
- Executes dropped EXE
-
\??\c:\xllxfxl.exec:\xllxfxl.exe34⤵
- Executes dropped EXE
-
\??\c:\tbttbh.exec:\tbttbh.exe35⤵
- Executes dropped EXE
-
\??\c:\jvvdj.exec:\jvvdj.exe36⤵
- Executes dropped EXE
-
\??\c:\ffxfflx.exec:\ffxfflx.exe37⤵
- Executes dropped EXE
-
\??\c:\3rlxlxr.exec:\3rlxlxr.exe38⤵
- Executes dropped EXE
-
\??\c:\btbhnb.exec:\btbhnb.exe39⤵
- Executes dropped EXE
-
\??\c:\vpddp.exec:\vpddp.exe40⤵
- Executes dropped EXE
-
\??\c:\xrrflrl.exec:\xrrflrl.exe41⤵
- Executes dropped EXE
-
\??\c:\bthnhn.exec:\bthnhn.exe42⤵
- Executes dropped EXE
-
\??\c:\nnhbhn.exec:\nnhbhn.exe43⤵
- Executes dropped EXE
-
\??\c:\3pjvj.exec:\3pjvj.exe44⤵
- Executes dropped EXE
-
\??\c:\ffflxfx.exec:\ffflxfx.exe45⤵
- Executes dropped EXE
-
\??\c:\rrlxxxf.exec:\rrlxxxf.exe46⤵
- Executes dropped EXE
-
\??\c:\bbthnb.exec:\bbthnb.exe47⤵
- Executes dropped EXE
-
\??\c:\1dvjd.exec:\1dvjd.exe48⤵
- Executes dropped EXE
-
\??\c:\lfrrrrr.exec:\lfrrrrr.exe49⤵
- Executes dropped EXE
-
\??\c:\fxfrrff.exec:\fxfrrff.exe50⤵
- Executes dropped EXE
-
\??\c:\bhbtnb.exec:\bhbtnb.exe51⤵
- Executes dropped EXE
-
\??\c:\jddjp.exec:\jddjp.exe52⤵
- Executes dropped EXE
-
\??\c:\lfxrlxl.exec:\lfxrlxl.exe53⤵
- Executes dropped EXE
-
\??\c:\xxfxrff.exec:\xxfxrff.exe54⤵
- Executes dropped EXE
-
\??\c:\bbhbhb.exec:\bbhbhb.exe55⤵
- Executes dropped EXE
-
\??\c:\jjjvj.exec:\jjjvj.exe56⤵
- Executes dropped EXE
-
\??\c:\jjjpj.exec:\jjjpj.exe57⤵
- Executes dropped EXE
-
\??\c:\frrxllf.exec:\frrxllf.exe58⤵
- Executes dropped EXE
-
\??\c:\hhhnnt.exec:\hhhnnt.exe59⤵
- Executes dropped EXE
-
\??\c:\tthtnt.exec:\tthtnt.exe60⤵
- Executes dropped EXE
-
\??\c:\vjjpp.exec:\vjjpp.exe61⤵
- Executes dropped EXE
-
\??\c:\rfrfxrl.exec:\rfrfxrl.exe62⤵
- Executes dropped EXE
-
\??\c:\ffrfllx.exec:\ffrfllx.exe63⤵
- Executes dropped EXE
-
\??\c:\hbnbhh.exec:\hbnbhh.exe64⤵
- Executes dropped EXE
-
\??\c:\1jdjv.exec:\1jdjv.exe65⤵
- Executes dropped EXE
-
\??\c:\xxxfrxx.exec:\xxxfrxx.exe66⤵
-
\??\c:\1ffrrfl.exec:\1ffrrfl.exe67⤵
-
\??\c:\btnhnn.exec:\btnhnn.exe68⤵
-
\??\c:\vvjpj.exec:\vvjpj.exe69⤵
-
\??\c:\ppddp.exec:\ppddp.exe70⤵
-
\??\c:\rxrxrrf.exec:\rxrxrrf.exe71⤵
-
\??\c:\tnnthn.exec:\tnnthn.exe72⤵
-
\??\c:\pjddp.exec:\pjddp.exe73⤵
-
\??\c:\dvvdj.exec:\dvvdj.exe74⤵
-
\??\c:\xrxxffr.exec:\xrxxffr.exe75⤵
-
\??\c:\ttnbth.exec:\ttnbth.exe76⤵
-
\??\c:\bbnhnh.exec:\bbnhnh.exe77⤵
-
\??\c:\jppvp.exec:\jppvp.exe78⤵
-
\??\c:\1frxfxl.exec:\1frxfxl.exe79⤵
-
\??\c:\1nbbhh.exec:\1nbbhh.exe80⤵
-
\??\c:\djpjj.exec:\djpjj.exe81⤵
-
\??\c:\ppjjd.exec:\ppjjd.exe82⤵
-
\??\c:\lllxrxr.exec:\lllxrxr.exe83⤵
-
\??\c:\1tbhth.exec:\1tbhth.exe84⤵
-
\??\c:\9vjpj.exec:\9vjpj.exe85⤵
-
\??\c:\lfxflrf.exec:\lfxflrf.exe86⤵
-
\??\c:\fxfffll.exec:\fxfffll.exe87⤵
-
\??\c:\5nnbht.exec:\5nnbht.exe88⤵
-
\??\c:\ppjpd.exec:\ppjpd.exe89⤵
-
\??\c:\xxxrxxr.exec:\xxxrxxr.exe90⤵
-
\??\c:\xrlxxlr.exec:\xrlxxlr.exe91⤵
-
\??\c:\hbtthh.exec:\hbtthh.exe92⤵
-
\??\c:\pvjjp.exec:\pvjjp.exe93⤵
-
\??\c:\xrlrflr.exec:\xrlrflr.exe94⤵
-
\??\c:\rxllfxf.exec:\rxllfxf.exe95⤵
-
\??\c:\nhbbtt.exec:\nhbbtt.exe96⤵
-
\??\c:\ppvjp.exec:\ppvjp.exe97⤵
-
\??\c:\rrlfffr.exec:\rrlfffr.exe98⤵
-
\??\c:\3lxlxlx.exec:\3lxlxlx.exe99⤵
-
\??\c:\hhnhht.exec:\hhnhht.exe100⤵
-
\??\c:\vvvjd.exec:\vvvjd.exe101⤵
-
\??\c:\xfxrxrf.exec:\xfxrxrf.exe102⤵
-
\??\c:\xffrlrl.exec:\xffrlrl.exe103⤵
-
\??\c:\bbthth.exec:\bbthth.exe104⤵
-
\??\c:\dpvvp.exec:\dpvvp.exe105⤵
-
\??\c:\lllxxxl.exec:\lllxxxl.exe106⤵
-
\??\c:\rrxfxll.exec:\rrxfxll.exe107⤵
-
\??\c:\hhbhtt.exec:\hhbhtt.exe108⤵
-
\??\c:\jpjjv.exec:\jpjjv.exe109⤵
-
\??\c:\ddvjd.exec:\ddvjd.exe110⤵
-
\??\c:\lflfxlr.exec:\lflfxlr.exe111⤵
-
\??\c:\nhbhtt.exec:\nhbhtt.exe112⤵
-
\??\c:\dvppv.exec:\dvppv.exe113⤵
-
\??\c:\dvpvv.exec:\dvpvv.exe114⤵
-
\??\c:\ffxflxl.exec:\ffxflxl.exe115⤵
-
\??\c:\bbhbbn.exec:\bbhbbn.exe116⤵
-
\??\c:\nthnth.exec:\nthnth.exe117⤵
-
\??\c:\pjdjp.exec:\pjdjp.exe118⤵
-
\??\c:\xrxfrrx.exec:\xrxfrrx.exe119⤵
-
\??\c:\7bhtbb.exec:\7bhtbb.exe120⤵
-
\??\c:\ppjvj.exec:\ppjvj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-