Resubmissions
03-09-2024 14:02
240903-rb57sazdqf 1003-09-2024 13:51
240903-q59avszclf 1002-09-2024 19:51
240902-yk8gtsxbpd 1002-09-2024 02:27
240902-cxh7tazflg 1002-09-2024 02:26
240902-cwxc2sygll 1021-06-2024 19:37
240621-yca7cszgnd 1009-06-2024 17:07
240609-vm7rjadd73 1013-05-2024 17:36
240513-v6qblafe3y 1012-05-2024 17:17
240512-vty3zafh5s 10Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
02-09-2024 19:51
General
-
Target
Stealers/BlackMoon.exe
-
Size
387KB
-
MD5
336efa7460c08e3d47f29121742eb010
-
SHA1
f41c36cd83879d170309dede056563d35741b87b
-
SHA256
e6dd3fa33ad938b07c8978691f86b73e9f6fd84104b92f42566498bdb6b2930e
-
SHA512
e8d118fbe907a00d89c2514af4de475a0ea54943076bf90174234f77f2ec093a1246a0d4e78d1104a0dcda150b5441d28f4f3d1e768ecb20ae86383a99863c14
-
SSDEEP
12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfN:SgdnJVU4TlnwJ6Goo
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lxllfff.exec:\lxllfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpdd.exec:\pjpdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddjp.exec:\jddjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbtbt.exec:\btbtbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddppv.exec:\ddppv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nthht.exec:\7nthht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbtnb.exec:\nhbtnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxflrfr.exec:\xxflrfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1httnt.exec:\1httnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fflrxlx.exec:\fflrxlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhthn.exec:\bnhthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrlrxfl.exec:\lrlrxfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrflfff.exec:\rrflfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpjj.exec:\jjpjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbttt.exec:\tnbttt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpvj.exec:\ddpvj.exe17⤵
- Executes dropped EXE
-
\??\c:\xfffxxl.exec:\xfffxxl.exe18⤵
- Executes dropped EXE
-
\??\c:\vvjjd.exec:\vvjjd.exe19⤵
- Executes dropped EXE
-
\??\c:\frfxfxl.exec:\frfxfxl.exe20⤵
- Executes dropped EXE
-
\??\c:\bnbhth.exec:\bnbhth.exe21⤵
- Executes dropped EXE
-
\??\c:\jvddd.exec:\jvddd.exe22⤵
- Executes dropped EXE
-
\??\c:\hthbhh.exec:\hthbhh.exe23⤵
- Executes dropped EXE
-
\??\c:\tnhtbn.exec:\tnhtbn.exe24⤵
- Executes dropped EXE
-
\??\c:\lfxfrrf.exec:\lfxfrrf.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\thhbnn.exec:\thhbnn.exe26⤵
- Executes dropped EXE
-
\??\c:\rxxffll.exec:\rxxffll.exe27⤵
- Executes dropped EXE
-
\??\c:\bnttbb.exec:\bnttbb.exe28⤵
- Executes dropped EXE
-
\??\c:\lxxlfxl.exec:\lxxlfxl.exe29⤵
- Executes dropped EXE
-
\??\c:\nbhthh.exec:\nbhthh.exe30⤵
- Executes dropped EXE
-
\??\c:\jjdvd.exec:\jjdvd.exe31⤵
- Executes dropped EXE
-
\??\c:\thtnhn.exec:\thtnhn.exe32⤵
- Executes dropped EXE
-
\??\c:\jpddj.exec:\jpddj.exe33⤵
- Executes dropped EXE
-
\??\c:\xflxfff.exec:\xflxfff.exe34⤵
- Executes dropped EXE
-
\??\c:\nnbbbn.exec:\nnbbbn.exe35⤵
- Executes dropped EXE
-
\??\c:\dddjj.exec:\dddjj.exe36⤵
- Executes dropped EXE
-
\??\c:\xfxxxxr.exec:\xfxxxxr.exe37⤵
- Executes dropped EXE
-
\??\c:\tbhbbt.exec:\tbhbbt.exe38⤵
- Executes dropped EXE
-
\??\c:\1pppj.exec:\1pppj.exe39⤵
- Executes dropped EXE
-
\??\c:\lrffrfr.exec:\lrffrfr.exe40⤵
- Executes dropped EXE
-
\??\c:\bbhntt.exec:\bbhntt.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\tntbhh.exec:\tntbhh.exe42⤵
- Executes dropped EXE
-
\??\c:\dpjjv.exec:\dpjjv.exe43⤵
- Executes dropped EXE
-
\??\c:\rrrfrxr.exec:\rrrfrxr.exe44⤵
- Executes dropped EXE
-
\??\c:\nhhhbt.exec:\nhhhbt.exe45⤵
- Executes dropped EXE
-
\??\c:\ddjpv.exec:\ddjpv.exe46⤵
- Executes dropped EXE
-
\??\c:\xrlfflf.exec:\xrlfflf.exe47⤵
- Executes dropped EXE
-
\??\c:\llxrflx.exec:\llxrflx.exe48⤵
- Executes dropped EXE
-
\??\c:\7nthhh.exec:\7nthhh.exe49⤵
- Executes dropped EXE
-
\??\c:\jdvvj.exec:\jdvvj.exe50⤵
- Executes dropped EXE
-
\??\c:\lrfxfrx.exec:\lrfxfrx.exe51⤵
- Executes dropped EXE
-
\??\c:\hbhbhn.exec:\hbhbhn.exe52⤵
- Executes dropped EXE
-
\??\c:\9pppv.exec:\9pppv.exe53⤵
- Executes dropped EXE
-
\??\c:\5dvpd.exec:\5dvpd.exe54⤵
- Executes dropped EXE
-
\??\c:\xxrxxlr.exec:\xxrxxlr.exe55⤵
- Executes dropped EXE
-
\??\c:\bthbhn.exec:\bthbhn.exe56⤵
- Executes dropped EXE
-
\??\c:\dpjpv.exec:\dpjpv.exe57⤵
- Executes dropped EXE
-
\??\c:\frfrfxf.exec:\frfrfxf.exe58⤵
- Executes dropped EXE
-
\??\c:\lffflrf.exec:\lffflrf.exe59⤵
- Executes dropped EXE
-
\??\c:\thnbbn.exec:\thnbbn.exe60⤵
- Executes dropped EXE
-
\??\c:\9djdd.exec:\9djdd.exe61⤵
- Executes dropped EXE
-
\??\c:\frrlxfl.exec:\frrlxfl.exe62⤵
- Executes dropped EXE
-
\??\c:\rrfxfxr.exec:\rrfxfxr.exe63⤵
- Executes dropped EXE
-
\??\c:\tbhtnb.exec:\tbhtnb.exe64⤵
- Executes dropped EXE
-
\??\c:\dpjjv.exec:\dpjjv.exe65⤵
- Executes dropped EXE
-
\??\c:\xrlfllx.exec:\xrlfllx.exe66⤵
-
\??\c:\xrxfflf.exec:\xrxfflf.exe67⤵
-
\??\c:\rfflxlf.exec:\rfflxlf.exe68⤵
-
\??\c:\httnnt.exec:\httnnt.exe69⤵
-
\??\c:\vjvdv.exec:\vjvdv.exe70⤵
-
\??\c:\frfrffx.exec:\frfrffx.exe71⤵
-
\??\c:\frlrfxl.exec:\frlrfxl.exe72⤵
-
\??\c:\bhbnht.exec:\bhbnht.exe73⤵
-
\??\c:\vvvjv.exec:\vvvjv.exe74⤵
-
\??\c:\fxrrxxl.exec:\fxrrxxl.exe75⤵
-
\??\c:\9nhnbn.exec:\9nhnbn.exe76⤵
-
\??\c:\jvvvj.exec:\jvvvj.exe77⤵
-
\??\c:\xxxlxfx.exec:\xxxlxfx.exe78⤵
-
\??\c:\nbhtht.exec:\nbhtht.exe79⤵
-
\??\c:\hhhnhn.exec:\hhhnhn.exe80⤵
-
\??\c:\pdpvp.exec:\pdpvp.exe81⤵
-
\??\c:\xxllxfr.exec:\xxllxfr.exe82⤵
-
\??\c:\lxfxlxf.exec:\lxfxlxf.exe83⤵
-
\??\c:\tnthnb.exec:\tnthnb.exe84⤵
-
\??\c:\jdpdp.exec:\jdpdp.exe85⤵
-
\??\c:\rlxflxf.exec:\rlxflxf.exe86⤵
-
\??\c:\ttnbtb.exec:\ttnbtb.exe87⤵
-
\??\c:\bthhnh.exec:\bthhnh.exe88⤵
-
\??\c:\7dvjd.exec:\7dvjd.exe89⤵
-
\??\c:\flxfrll.exec:\flxfrll.exe90⤵
-
\??\c:\bnhttt.exec:\bnhttt.exe91⤵
-
\??\c:\xfrrllx.exec:\xfrrllx.exe92⤵
-
\??\c:\nnhthn.exec:\nnhthn.exe93⤵
-
\??\c:\tbbbtt.exec:\tbbbtt.exe94⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe95⤵
-
\??\c:\xrrrfrf.exec:\xrrrfrf.exe96⤵
-
\??\c:\tbhhbh.exec:\tbhhbh.exe97⤵
-
\??\c:\xrllflx.exec:\xrllflx.exe98⤵
-
\??\c:\ttnhtb.exec:\ttnhtb.exe99⤵
-
\??\c:\jpdvj.exec:\jpdvj.exe100⤵
-
\??\c:\lflxlxf.exec:\lflxlxf.exe101⤵
-
\??\c:\ddjvv.exec:\ddjvv.exe102⤵
-
\??\c:\xfxlfrf.exec:\xfxlfrf.exe103⤵
-
\??\c:\htbnnh.exec:\htbnnh.exe104⤵
-
\??\c:\pjdvv.exec:\pjdvv.exe105⤵
-
\??\c:\rflxlfx.exec:\rflxlfx.exe106⤵
-
\??\c:\bnnbbt.exec:\bnnbbt.exe107⤵
-
\??\c:\tbnhnn.exec:\tbnhnn.exe108⤵
-
\??\c:\jvjvv.exec:\jvjvv.exe109⤵
-
\??\c:\xrrrrrr.exec:\xrrrrrr.exe110⤵
-
\??\c:\bhbbhn.exec:\bhbbhn.exe111⤵
-
\??\c:\jpvjj.exec:\jpvjj.exe112⤵
-
\??\c:\lfrrxlr.exec:\lfrrxlr.exe113⤵
-
\??\c:\flllxfr.exec:\flllxfr.exe114⤵
-
\??\c:\tbbbnh.exec:\tbbbnh.exe115⤵
-
\??\c:\vdjjj.exec:\vdjjj.exe116⤵
-
\??\c:\flrrxxr.exec:\flrrxxr.exe117⤵
-
\??\c:\nbhhnb.exec:\nbhhnb.exe118⤵
-
\??\c:\jvvdp.exec:\jvvdp.exe119⤵
-
\??\c:\rrrflrr.exec:\rrrflrr.exe120⤵
-
\??\c:\hhtbhh.exec:\hhtbhh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-