Resubmissions
03-09-2024 14:02
240903-rb57sazdqf 1003-09-2024 13:51
240903-q59avszclf 1002-09-2024 19:51
240902-yk8gtsxbpd 1002-09-2024 02:27
240902-cxh7tazflg 1002-09-2024 02:26
240902-cwxc2sygll 1021-06-2024 19:37
240621-yca7cszgnd 1009-06-2024 17:07
240609-vm7rjadd73 1013-05-2024 17:36
240513-v6qblafe3y 1012-05-2024 17:17
240512-vty3zafh5s 10Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
09-06-2024 17:07
General
-
Target
Stealers/BlackMoon.exe
-
Size
387KB
-
MD5
336efa7460c08e3d47f29121742eb010
-
SHA1
f41c36cd83879d170309dede056563d35741b87b
-
SHA256
e6dd3fa33ad938b07c8978691f86b73e9f6fd84104b92f42566498bdb6b2930e
-
SHA512
e8d118fbe907a00d89c2514af4de475a0ea54943076bf90174234f77f2ec093a1246a0d4e78d1104a0dcda150b5441d28f4f3d1e768ecb20ae86383a99863c14
-
SSDEEP
12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfN:SgdnJVU4TlnwJ6Goo
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\fflrxxx.exec:\fflrxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htttbh.exec:\htttbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7dpjp.exec:\7dpjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbbhb.exec:\nnbbhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvj.exec:\pjdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvpd.exec:\jjvpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbhht.exec:\ntbhht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnhtn.exec:\nhnhtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnbnb.exec:\tnnbnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjj.exec:\dvpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxfflrx.exec:\fxfflrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htttnh.exec:\htttnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdd.exec:\pjjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflfxrr.exec:\rflfxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbtnh.exec:\tbbtnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpjj.exec:\djpjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjpj.exec:\vvjpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffrlfx.exec:\rffrlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnhtn.exec:\nnnhtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vpdv.exec:\1vpdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxlllr.exec:\rlxlllr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ppjj.exec:\3ppjj.exe23⤵
- Executes dropped EXE
-
\??\c:\jjpjp.exec:\jjpjp.exe24⤵
- Executes dropped EXE
-
\??\c:\7xxrllx.exec:\7xxrllx.exe25⤵
- Executes dropped EXE
-
\??\c:\nbnnhb.exec:\nbnnhb.exe26⤵
- Executes dropped EXE
-
\??\c:\fxxrlll.exec:\fxxrlll.exe27⤵
- Executes dropped EXE
-
\??\c:\rlllfrl.exec:\rlllfrl.exe28⤵
- Executes dropped EXE
-
\??\c:\hhhhhh.exec:\hhhhhh.exe29⤵
- Executes dropped EXE
-
\??\c:\rxfxlfx.exec:\rxfxlfx.exe30⤵
- Executes dropped EXE
-
\??\c:\rxlrlrf.exec:\rxlrlrf.exe31⤵
- Executes dropped EXE
-
\??\c:\bttnhb.exec:\bttnhb.exe32⤵
- Executes dropped EXE
-
\??\c:\rxfxlfx.exec:\rxfxlfx.exe33⤵
- Executes dropped EXE
-
\??\c:\frrfrlf.exec:\frrfrlf.exe34⤵
- Executes dropped EXE
-
\??\c:\hhbbth.exec:\hhbbth.exe35⤵
- Executes dropped EXE
-
\??\c:\7vvvv.exec:\7vvvv.exe36⤵
- Executes dropped EXE
-
\??\c:\ppjpp.exec:\ppjpp.exe37⤵
- Executes dropped EXE
-
\??\c:\rfrrllr.exec:\rfrrllr.exe38⤵
- Executes dropped EXE
-
\??\c:\xxxxrfx.exec:\xxxxrfx.exe39⤵
- Executes dropped EXE
-
\??\c:\hhhbbt.exec:\hhhbbt.exe40⤵
- Executes dropped EXE
-
\??\c:\dddvv.exec:\dddvv.exe41⤵
- Executes dropped EXE
-
\??\c:\dpppj.exec:\dpppj.exe42⤵
- Executes dropped EXE
-
\??\c:\lflflfx.exec:\lflflfx.exe43⤵
- Executes dropped EXE
-
\??\c:\5rlfrll.exec:\5rlfrll.exe44⤵
- Executes dropped EXE
-
\??\c:\nnttnh.exec:\nnttnh.exe45⤵
- Executes dropped EXE
-
\??\c:\jvjvj.exec:\jvjvj.exe46⤵
- Executes dropped EXE
-
\??\c:\nbbthb.exec:\nbbthb.exe47⤵
- Executes dropped EXE
-
\??\c:\7vddd.exec:\7vddd.exe48⤵
- Executes dropped EXE
-
\??\c:\rllxxxf.exec:\rllxxxf.exe49⤵
- Executes dropped EXE
-
\??\c:\htnbtn.exec:\htnbtn.exe50⤵
- Executes dropped EXE
-
\??\c:\jvvvp.exec:\jvvvp.exe51⤵
- Executes dropped EXE
-
\??\c:\rxxxrrl.exec:\rxxxrrl.exe52⤵
- Executes dropped EXE
-
\??\c:\httnnt.exec:\httnnt.exe53⤵
- Executes dropped EXE
-
\??\c:\xxlfxrl.exec:\xxlfxrl.exe54⤵
- Executes dropped EXE
-
\??\c:\1bbthh.exec:\1bbthh.exe55⤵
- Executes dropped EXE
-
\??\c:\lxrllrr.exec:\lxrllrr.exe56⤵
- Executes dropped EXE
-
\??\c:\ppvvd.exec:\ppvvd.exe57⤵
- Executes dropped EXE
-
\??\c:\1nhntt.exec:\1nhntt.exe58⤵
- Executes dropped EXE
-
\??\c:\jjdjd.exec:\jjdjd.exe59⤵
- Executes dropped EXE
-
\??\c:\lrrlfxr.exec:\lrrlfxr.exe60⤵
- Executes dropped EXE
-
\??\c:\9frrlfx.exec:\9frrlfx.exe61⤵
- Executes dropped EXE
-
\??\c:\btbbnn.exec:\btbbnn.exe62⤵
- Executes dropped EXE
-
\??\c:\9bbthh.exec:\9bbthh.exe63⤵
- Executes dropped EXE
-
\??\c:\vjvjd.exec:\vjvjd.exe64⤵
- Executes dropped EXE
-
\??\c:\xrlfxxx.exec:\xrlfxxx.exe65⤵
- Executes dropped EXE
-
\??\c:\lfrrlxr.exec:\lfrrlxr.exe66⤵
-
\??\c:\hthttt.exec:\hthttt.exe67⤵
-
\??\c:\jjpjp.exec:\jjpjp.exe68⤵
-
\??\c:\xfffxxl.exec:\xfffxxl.exe69⤵
-
\??\c:\3llfxxf.exec:\3llfxxf.exe70⤵
-
\??\c:\1bbthn.exec:\1bbthn.exe71⤵
-
\??\c:\pjdpj.exec:\pjdpj.exe72⤵
-
\??\c:\lllxfxr.exec:\lllxfxr.exe73⤵
-
\??\c:\htntbn.exec:\htntbn.exe74⤵
-
\??\c:\djjdv.exec:\djjdv.exe75⤵
-
\??\c:\ddddv.exec:\ddddv.exe76⤵
-
\??\c:\xfrrxfl.exec:\xfrrxfl.exe77⤵
-
\??\c:\nhhhbb.exec:\nhhhbb.exe78⤵
-
\??\c:\5jddp.exec:\5jddp.exe79⤵
-
\??\c:\5fxlrlf.exec:\5fxlrlf.exe80⤵
-
\??\c:\rflfxfx.exec:\rflfxfx.exe81⤵
-
\??\c:\ttbhht.exec:\ttbhht.exe82⤵
-
\??\c:\7jjdv.exec:\7jjdv.exe83⤵
-
\??\c:\3pvpp.exec:\3pvpp.exe84⤵
-
\??\c:\lflxlxr.exec:\lflxlxr.exe85⤵
-
\??\c:\hbbtnt.exec:\hbbtnt.exe86⤵
-
\??\c:\ppjdp.exec:\ppjdp.exe87⤵
-
\??\c:\jpppv.exec:\jpppv.exe88⤵
-
\??\c:\llxrlfx.exec:\llxrlfx.exe89⤵
-
\??\c:\nnhnth.exec:\nnhnth.exe90⤵
-
\??\c:\bhhhhb.exec:\bhhhhb.exe91⤵
-
\??\c:\vvvvp.exec:\vvvvp.exe92⤵
-
\??\c:\xxxrlff.exec:\xxxrlff.exe93⤵
-
\??\c:\1ffxxfr.exec:\1ffxxfr.exe94⤵
-
\??\c:\bttnnh.exec:\bttnnh.exe95⤵
-
\??\c:\vdjdv.exec:\vdjdv.exe96⤵
-
\??\c:\jdjjj.exec:\jdjjj.exe97⤵
-
\??\c:\fxxfxlx.exec:\fxxfxlx.exe98⤵
-
\??\c:\1nnhhb.exec:\1nnhhb.exe99⤵
-
\??\c:\tntbbh.exec:\tntbbh.exe100⤵
-
\??\c:\dppvv.exec:\dppvv.exe101⤵
-
\??\c:\fxlfffl.exec:\fxlfffl.exe102⤵
-
\??\c:\xxrrxrr.exec:\xxrrxrr.exe103⤵
-
\??\c:\nthbhb.exec:\nthbhb.exe104⤵
-
\??\c:\dvvjv.exec:\dvvjv.exe105⤵
-
\??\c:\rffrlrl.exec:\rffrlrl.exe106⤵
-
\??\c:\xlfrllf.exec:\xlfrllf.exe107⤵
-
\??\c:\hhbtnn.exec:\hhbtnn.exe108⤵
-
\??\c:\flrxfxx.exec:\flrxfxx.exe109⤵
-
\??\c:\5lfxxxr.exec:\5lfxxxr.exe110⤵
-
\??\c:\9tthbn.exec:\9tthbn.exe111⤵
-
\??\c:\1jjjj.exec:\1jjjj.exe112⤵
-
\??\c:\pvjjd.exec:\pvjjd.exe113⤵
-
\??\c:\xrfxxrx.exec:\xrfxxrx.exe114⤵
-
\??\c:\ffffxrr.exec:\ffffxrr.exe115⤵
-
\??\c:\9htnhn.exec:\9htnhn.exe116⤵
-
\??\c:\ddvdv.exec:\ddvdv.exe117⤵
-
\??\c:\1jppv.exec:\1jppv.exe118⤵
-
\??\c:\lxfxrxr.exec:\lxfxrxr.exe119⤵
-
\??\c:\flrlfll.exec:\flrlfll.exe120⤵
-
\??\c:\ttbbnh.exec:\ttbbnh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-