Resubmissions
12-09-2024 02:23
240912-cvfznswere 1004-09-2024 00:09
240904-afvheascla 1003-09-2024 18:57
240903-xl8csavfrb 1003-09-2024 18:12
240903-ws828asgnm 10Analysis
-
max time kernel
150s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03-09-2024 18:12
General
-
Target
Stealers/BlackMoon.exe
-
Size
387KB
-
MD5
336efa7460c08e3d47f29121742eb010
-
SHA1
f41c36cd83879d170309dede056563d35741b87b
-
SHA256
e6dd3fa33ad938b07c8978691f86b73e9f6fd84104b92f42566498bdb6b2930e
-
SHA512
e8d118fbe907a00d89c2514af4de475a0ea54943076bf90174234f77f2ec093a1246a0d4e78d1104a0dcda150b5441d28f4f3d1e768ecb20ae86383a99863c14
-
SSDEEP
12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfN:SgdnJVU4TlnwJ6Goo
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdvd.exec:\vjdvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbbtb.exec:\bnbbtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djddj.exec:\djddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tttnnh.exec:\tttnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7pjpp.exec:\7pjpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5flffff.exec:\5flffff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthbbb.exec:\bthbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5htnbt.exec:\5htnbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdvd.exec:\pvdvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlrlxx.exec:\rxlrlxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbthn.exec:\ttbthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnhnht.exec:\hnhnht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ppjd.exec:\1ppjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxrlll.exec:\rrxrlll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnhbb.exec:\nhnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjd.exec:\vppjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbttt.exec:\bnbttt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvpj.exec:\jjvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxffxxr.exec:\fxffxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbhbt.exec:\htbhbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjdd.exec:\jdjdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxxxll.exec:\lxxxxll.exe23⤵
- Executes dropped EXE
-
\??\c:\hnnhhn.exec:\hnnhhn.exe24⤵
- Executes dropped EXE
-
\??\c:\9vdvp.exec:\9vdvp.exe25⤵
- Executes dropped EXE
-
\??\c:\7pjdv.exec:\7pjdv.exe26⤵
- Executes dropped EXE
-
\??\c:\rxlllrr.exec:\rxlllrr.exe27⤵
- Executes dropped EXE
-
\??\c:\hnbbbt.exec:\hnbbbt.exe28⤵
- Executes dropped EXE
-
\??\c:\frxrlll.exec:\frxrlll.exe29⤵
- Executes dropped EXE
-
\??\c:\nnnnth.exec:\nnnnth.exe30⤵
- Executes dropped EXE
-
\??\c:\pvdvp.exec:\pvdvp.exe31⤵
- Executes dropped EXE
-
\??\c:\fffrrlf.exec:\fffrrlf.exe32⤵
- Executes dropped EXE
-
\??\c:\xffxfrr.exec:\xffxfrr.exe33⤵
- Executes dropped EXE
-
\??\c:\nbhbbh.exec:\nbhbbh.exe34⤵
- Executes dropped EXE
-
\??\c:\jjppj.exec:\jjppj.exe35⤵
- Executes dropped EXE
-
\??\c:\rxxrrrl.exec:\rxxrrrl.exe36⤵
- Executes dropped EXE
-
\??\c:\lllllff.exec:\lllllff.exe37⤵
- Executes dropped EXE
-
\??\c:\nhtbbn.exec:\nhtbbn.exe38⤵
- Executes dropped EXE
-
\??\c:\vpdvv.exec:\vpdvv.exe39⤵
- Executes dropped EXE
-
\??\c:\3dpdj.exec:\3dpdj.exe40⤵
- Executes dropped EXE
-
\??\c:\xfxrrxx.exec:\xfxrrxx.exe41⤵
- Executes dropped EXE
-
\??\c:\hhhtbb.exec:\hhhtbb.exe42⤵
- Executes dropped EXE
-
\??\c:\nbnhbb.exec:\nbnhbb.exe43⤵
- Executes dropped EXE
-
\??\c:\3vvpv.exec:\3vvpv.exe44⤵
- Executes dropped EXE
-
\??\c:\7fxxrxr.exec:\7fxxrxr.exe45⤵
- Executes dropped EXE
-
\??\c:\xrxllll.exec:\xrxllll.exe46⤵
- Executes dropped EXE
-
\??\c:\ttnhbb.exec:\ttnhbb.exe47⤵
- Executes dropped EXE
-
\??\c:\vdpvd.exec:\vdpvd.exe48⤵
- Executes dropped EXE
-
\??\c:\jpvpj.exec:\jpvpj.exe49⤵
- Executes dropped EXE
-
\??\c:\rfrllrr.exec:\rfrllrr.exe50⤵
- Executes dropped EXE
-
\??\c:\nbbbtt.exec:\nbbbtt.exe51⤵
- Executes dropped EXE
-
\??\c:\3btnhh.exec:\3btnhh.exe52⤵
- Executes dropped EXE
-
\??\c:\vvjjv.exec:\vvjjv.exe53⤵
- Executes dropped EXE
-
\??\c:\jjppp.exec:\jjppp.exe54⤵
- Executes dropped EXE
-
\??\c:\flfxrrr.exec:\flfxrrr.exe55⤵
- Executes dropped EXE
-
\??\c:\thnnhh.exec:\thnnhh.exe56⤵
- Executes dropped EXE
-
\??\c:\tntttt.exec:\tntttt.exe57⤵
- Executes dropped EXE
-
\??\c:\pvvpj.exec:\pvvpj.exe58⤵
- Executes dropped EXE
-
\??\c:\frxlflf.exec:\frxlflf.exe59⤵
- Executes dropped EXE
-
\??\c:\rxffxxx.exec:\rxffxxx.exe60⤵
- Executes dropped EXE
-
\??\c:\7ntnhh.exec:\7ntnhh.exe61⤵
- Executes dropped EXE
-
\??\c:\3tbtnn.exec:\3tbtnn.exe62⤵
- Executes dropped EXE
-
\??\c:\vddvp.exec:\vddvp.exe63⤵
- Executes dropped EXE
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe64⤵
- Executes dropped EXE
-
\??\c:\rxrlfff.exec:\rxrlfff.exe65⤵
- Executes dropped EXE
-
\??\c:\bntnnh.exec:\bntnnh.exe66⤵
-
\??\c:\nbbbtt.exec:\nbbbtt.exe67⤵
-
\??\c:\pvjjj.exec:\pvjjj.exe68⤵
-
\??\c:\xffxlfr.exec:\xffxlfr.exe69⤵
-
\??\c:\xfrrrxx.exec:\xfrrrxx.exe70⤵
-
\??\c:\httttt.exec:\httttt.exe71⤵
- System Location Discovery: System Language Discovery
-
\??\c:\jvdvv.exec:\jvdvv.exe72⤵
-
\??\c:\vpddv.exec:\vpddv.exe73⤵
-
\??\c:\rlxrllf.exec:\rlxrllf.exe74⤵
-
\??\c:\rrllfxx.exec:\rrllfxx.exe75⤵
-
\??\c:\nhbnbb.exec:\nhbnbb.exe76⤵
-
\??\c:\3hhbtt.exec:\3hhbtt.exe77⤵
-
\??\c:\1pjdp.exec:\1pjdp.exe78⤵
-
\??\c:\jjpjj.exec:\jjpjj.exe79⤵
-
\??\c:\7flfffx.exec:\7flfffx.exe80⤵
-
\??\c:\nbnhbb.exec:\nbnhbb.exe81⤵
-
\??\c:\nhtnhn.exec:\nhtnhn.exe82⤵
-
\??\c:\vvdvd.exec:\vvdvd.exe83⤵
-
\??\c:\1pdvp.exec:\1pdvp.exe84⤵
-
\??\c:\llrrllf.exec:\llrrllf.exe85⤵
-
\??\c:\rrxrxfx.exec:\rrxrxfx.exe86⤵
-
\??\c:\bnbbbb.exec:\bnbbbb.exe87⤵
-
\??\c:\tbnhbb.exec:\tbnhbb.exe88⤵
-
\??\c:\5pdvv.exec:\5pdvv.exe89⤵
-
\??\c:\dvddj.exec:\dvddj.exe90⤵
-
\??\c:\ffrlfff.exec:\ffrlfff.exe91⤵
-
\??\c:\hbtnhh.exec:\hbtnhh.exe92⤵
-
\??\c:\bntbtt.exec:\bntbtt.exe93⤵
-
\??\c:\pppjj.exec:\pppjj.exe94⤵
-
\??\c:\ddvjp.exec:\ddvjp.exe95⤵
-
\??\c:\rxlrfxx.exec:\rxlrfxx.exe96⤵
-
\??\c:\xfffxxf.exec:\xfffxxf.exe97⤵
-
\??\c:\tbbhbh.exec:\tbbhbh.exe98⤵
-
\??\c:\jjpdv.exec:\jjpdv.exe99⤵
-
\??\c:\jddvv.exec:\jddvv.exe100⤵
-
\??\c:\frfxrlf.exec:\frfxrlf.exe101⤵
-
\??\c:\fffxxrl.exec:\fffxxrl.exe102⤵
-
\??\c:\tnbthb.exec:\tnbthb.exe103⤵
-
\??\c:\ddddv.exec:\ddddv.exe104⤵
-
\??\c:\ddjdv.exec:\ddjdv.exe105⤵
-
\??\c:\ffrflrx.exec:\ffrflrx.exe106⤵
-
\??\c:\llrfrll.exec:\llrfrll.exe107⤵
-
\??\c:\bnbtnn.exec:\bnbtnn.exe108⤵
-
\??\c:\vdpjd.exec:\vdpjd.exe109⤵
-
\??\c:\vvvjp.exec:\vvvjp.exe110⤵
-
\??\c:\xrrrrxx.exec:\xrrrrxx.exe111⤵
-
\??\c:\bbbtnn.exec:\bbbtnn.exe112⤵
-
\??\c:\bthhbb.exec:\bthhbb.exe113⤵
-
\??\c:\djddv.exec:\djddv.exe114⤵
-
\??\c:\rrrlfxr.exec:\rrrlfxr.exe115⤵
-
\??\c:\xlrlffx.exec:\xlrlffx.exe116⤵
-
\??\c:\7tbtnn.exec:\7tbtnn.exe117⤵
-
\??\c:\nthbbb.exec:\nthbbb.exe118⤵
-
\??\c:\jdvvp.exec:\jdvvp.exe119⤵
-
\??\c:\9lxrfff.exec:\9lxrfff.exe120⤵
-
\??\c:\fxfxrfx.exec:\fxfxrfx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-