Resubmissions
03-09-2024 14:02
240903-rb57sazdqf 1003-09-2024 13:51
240903-q59avszclf 1002-09-2024 19:51
240902-yk8gtsxbpd 1002-09-2024 02:27
240902-cxh7tazflg 1002-09-2024 02:26
240902-cwxc2sygll 1021-06-2024 19:37
240621-yca7cszgnd 1009-06-2024 17:07
240609-vm7rjadd73 1013-05-2024 17:36
240513-v6qblafe3y 1012-05-2024 17:17
240512-vty3zafh5s 10Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
02-09-2024 02:27
General
-
Target
Stealers/BlackMoon.exe
-
Size
387KB
-
MD5
336efa7460c08e3d47f29121742eb010
-
SHA1
f41c36cd83879d170309dede056563d35741b87b
-
SHA256
e6dd3fa33ad938b07c8978691f86b73e9f6fd84104b92f42566498bdb6b2930e
-
SHA512
e8d118fbe907a00d89c2514af4de475a0ea54943076bf90174234f77f2ec093a1246a0d4e78d1104a0dcda150b5441d28f4f3d1e768ecb20ae86383a99863c14
-
SSDEEP
12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfN:SgdnJVU4TlnwJ6Goo
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 30 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\djddv.exec:\djddv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvdd.exec:\ppvdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdpj.exec:\dvdpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdv.exec:\pjjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfxflr.exec:\llfxflr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthbhh.exec:\bthbhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvdp.exec:\pvvdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rxlrll.exec:\1rxlrll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhbbh.exec:\bbhbbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpjd.exec:\pjpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffrlll.exec:\lffrlll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppdp.exec:\dppdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlflrrx.exec:\rlflrrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1djdd.exec:\1djdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxfxxx.exec:\lrxfxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhhbt.exec:\bnhhbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjdd.exec:\vjjdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbntn.exec:\ttbntn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdd.exec:\dvjdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflxrrr.exec:\xflxrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdvp.exec:\pvdvp.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\9rlrllf.exec:\9rlrllf.exe23⤵
- Executes dropped EXE
-
\??\c:\vpjpv.exec:\vpjpv.exe24⤵
- Executes dropped EXE
-
\??\c:\xxlrlff.exec:\xxlrlff.exe25⤵
- Executes dropped EXE
-
\??\c:\bttttt.exec:\bttttt.exe26⤵
- Executes dropped EXE
-
\??\c:\ddpjp.exec:\ddpjp.exe27⤵
- Executes dropped EXE
-
\??\c:\9vjjj.exec:\9vjjj.exe28⤵
- Executes dropped EXE
-
\??\c:\tnnhhh.exec:\tnnhhh.exe29⤵
- Executes dropped EXE
-
\??\c:\5dpjv.exec:\5dpjv.exe30⤵
- Executes dropped EXE
-
\??\c:\xfrfrlr.exec:\xfrfrlr.exe31⤵
- Executes dropped EXE
-
\??\c:\hbnhhn.exec:\hbnhhn.exe32⤵
- Executes dropped EXE
-
\??\c:\vjjjd.exec:\vjjjd.exe33⤵
- Executes dropped EXE
-
\??\c:\5lllrlr.exec:\5lllrlr.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hhhbbt.exec:\hhhbbt.exe35⤵
- Executes dropped EXE
-
\??\c:\3rxrlrr.exec:\3rxrlrr.exe36⤵
- Executes dropped EXE
-
\??\c:\nhtntt.exec:\nhtntt.exe37⤵
- Executes dropped EXE
-
\??\c:\dpvvj.exec:\dpvvj.exe38⤵
- Executes dropped EXE
-
\??\c:\dpjpp.exec:\dpjpp.exe39⤵
- Executes dropped EXE
-
\??\c:\lfxlrfx.exec:\lfxlrfx.exe40⤵
- Executes dropped EXE
-
\??\c:\bbhnth.exec:\bbhnth.exe41⤵
- Executes dropped EXE
-
\??\c:\pvvpj.exec:\pvvpj.exe42⤵
- Executes dropped EXE
-
\??\c:\llllrfr.exec:\llllrfr.exe43⤵
- Executes dropped EXE
-
\??\c:\nnbhbh.exec:\nnbhbh.exe44⤵
- Executes dropped EXE
-
\??\c:\nhnnhb.exec:\nhnnhb.exe45⤵
- Executes dropped EXE
-
\??\c:\jvdpd.exec:\jvdpd.exe46⤵
- Executes dropped EXE
-
\??\c:\rrfrffr.exec:\rrfrffr.exe47⤵
- Executes dropped EXE
-
\??\c:\1thbtn.exec:\1thbtn.exe48⤵
- Executes dropped EXE
-
\??\c:\nhhhhb.exec:\nhhhhb.exe49⤵
- Executes dropped EXE
-
\??\c:\jpdjp.exec:\jpdjp.exe50⤵
- Executes dropped EXE
-
\??\c:\fffrrlf.exec:\fffrrlf.exe51⤵
- Executes dropped EXE
-
\??\c:\xrrrlfx.exec:\xrrrlfx.exe52⤵
- Executes dropped EXE
-
\??\c:\htthbh.exec:\htthbh.exe53⤵
- Executes dropped EXE
-
\??\c:\jdddv.exec:\jdddv.exe54⤵
- Executes dropped EXE
-
\??\c:\ffrrrrr.exec:\ffrrrrr.exe55⤵
- Executes dropped EXE
-
\??\c:\tnnttb.exec:\tnnttb.exe56⤵
- Executes dropped EXE
-
\??\c:\dddvj.exec:\dddvj.exe57⤵
- Executes dropped EXE
-
\??\c:\jvpdp.exec:\jvpdp.exe58⤵
- Executes dropped EXE
-
\??\c:\llfffxx.exec:\llfffxx.exe59⤵
- Executes dropped EXE
-
\??\c:\3hhbhb.exec:\3hhbhb.exe60⤵
- Executes dropped EXE
-
\??\c:\nhthbb.exec:\nhthbb.exe61⤵
- Executes dropped EXE
-
\??\c:\jdvpj.exec:\jdvpj.exe62⤵
- Executes dropped EXE
-
\??\c:\xrxffxl.exec:\xrxffxl.exe63⤵
- Executes dropped EXE
-
\??\c:\xfffxrl.exec:\xfffxrl.exe64⤵
- Executes dropped EXE
-
\??\c:\bnnhbh.exec:\bnnhbh.exe65⤵
- Executes dropped EXE
-
\??\c:\jdjpj.exec:\jdjpj.exe66⤵
-
\??\c:\rlxxfxf.exec:\rlxxfxf.exe67⤵
-
\??\c:\ttnttt.exec:\ttnttt.exe68⤵
-
\??\c:\bhhhbh.exec:\bhhhbh.exe69⤵
-
\??\c:\djvvp.exec:\djvvp.exe70⤵
-
\??\c:\jvjdj.exec:\jvjdj.exe71⤵
-
\??\c:\lxlllxr.exec:\lxlllxr.exe72⤵
-
\??\c:\ntbbtb.exec:\ntbbtb.exe73⤵
-
\??\c:\jppvj.exec:\jppvj.exe74⤵
-
\??\c:\dpjjd.exec:\dpjjd.exe75⤵
-
\??\c:\9rlxxrf.exec:\9rlxxrf.exe76⤵
-
\??\c:\bntbhb.exec:\bntbhb.exe77⤵
-
\??\c:\jpvjd.exec:\jpvjd.exe78⤵
-
\??\c:\7rxrfxf.exec:\7rxrfxf.exe79⤵
-
\??\c:\rrlxfxf.exec:\rrlxfxf.exe80⤵
-
\??\c:\ntnhnt.exec:\ntnhnt.exe81⤵
-
\??\c:\pddpd.exec:\pddpd.exe82⤵
-
\??\c:\xxllrrl.exec:\xxllrrl.exe83⤵
-
\??\c:\thhbnb.exec:\thhbnb.exe84⤵
-
\??\c:\htttnh.exec:\htttnh.exe85⤵
-
\??\c:\vvvpv.exec:\vvvpv.exe86⤵
-
\??\c:\xxxlfrl.exec:\xxxlfrl.exe87⤵
-
\??\c:\fxxllfx.exec:\fxxllfx.exe88⤵
-
\??\c:\bbhhhn.exec:\bbhhhn.exe89⤵
-
\??\c:\nhtbht.exec:\nhtbht.exe90⤵
-
\??\c:\jjppj.exec:\jjppj.exe91⤵
-
\??\c:\tnnbth.exec:\tnnbth.exe92⤵
-
\??\c:\pjpdd.exec:\pjpdd.exe93⤵
-
\??\c:\vvvpp.exec:\vvvpp.exe94⤵
-
\??\c:\xfxxrrr.exec:\xfxxrrr.exe95⤵
-
\??\c:\9hhtnh.exec:\9hhtnh.exe96⤵
-
\??\c:\pppjp.exec:\pppjp.exe97⤵
-
\??\c:\pjjdp.exec:\pjjdp.exe98⤵
-
\??\c:\9flxffx.exec:\9flxffx.exe99⤵
-
\??\c:\nttnbh.exec:\nttnbh.exe100⤵
-
\??\c:\7nhtnb.exec:\7nhtnb.exe101⤵
-
\??\c:\vppjd.exec:\vppjd.exe102⤵
-
\??\c:\llllrrx.exec:\llllrrx.exe103⤵
-
\??\c:\xrlfxxx.exec:\xrlfxxx.exe104⤵
-
\??\c:\7thttn.exec:\7thttn.exe105⤵
-
\??\c:\9vvjv.exec:\9vvjv.exe106⤵
-
\??\c:\dvvjd.exec:\dvvjd.exe107⤵
-
\??\c:\xllffrr.exec:\xllffrr.exe108⤵
-
\??\c:\hhbthn.exec:\hhbthn.exe109⤵
-
\??\c:\pjjjd.exec:\pjjjd.exe110⤵
-
\??\c:\bnnhbb.exec:\bnnhbb.exe111⤵
-
\??\c:\jjjvv.exec:\jjjvv.exe112⤵
-
\??\c:\xlllffx.exec:\xlllffx.exe113⤵
-
\??\c:\nbbnhn.exec:\nbbnhn.exe114⤵
-
\??\c:\hhhbbb.exec:\hhhbbb.exe115⤵
-
\??\c:\pjdjd.exec:\pjdjd.exe116⤵
-
\??\c:\xxxllrr.exec:\xxxllrr.exe117⤵
-
\??\c:\lfrrrxf.exec:\lfrrrxf.exe118⤵
-
\??\c:\bhthth.exec:\bhthth.exe119⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe120⤵
-
\??\c:\vjpvj.exec:\vjpvj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-