Resubmissions
12-09-2024 02:23
240912-cvfznswere 1004-09-2024 00:09
240904-afvheascla 1003-09-2024 18:57
240903-xl8csavfrb 1003-09-2024 18:12
240903-ws828asgnm 10Analysis
-
max time kernel
104s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03-09-2024 18:57
General
-
Target
Stealers/BlackMoon.exe
-
Size
387KB
-
MD5
336efa7460c08e3d47f29121742eb010
-
SHA1
f41c36cd83879d170309dede056563d35741b87b
-
SHA256
e6dd3fa33ad938b07c8978691f86b73e9f6fd84104b92f42566498bdb6b2930e
-
SHA512
e8d118fbe907a00d89c2514af4de475a0ea54943076bf90174234f77f2ec093a1246a0d4e78d1104a0dcda150b5441d28f4f3d1e768ecb20ae86383a99863c14
-
SSDEEP
12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfN:SgdnJVU4TlnwJ6Goo
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xfdfh.exec:\xfdfh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpxjh.exec:\vpxjh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbrf.exec:\tnbrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxbnd.exec:\xxbnd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rjbpb.exec:\rjbpb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lvdvnt.exec:\lvdvnt.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvxh.exec:\pjvxh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thvdtfr.exec:\thvdtfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dbjbjdt.exec:\dbjbjdt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jbdpxvd.exec:\jbdpxvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnfjb.exec:\bbnfjb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rjbtlbx.exec:\rjbtlbx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rddjn.exec:\rddjn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvnhvlv.exec:\dvnhvlv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjhvp.exec:\pjhvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fdjjdrp.exec:\fdjjdrp.exe17⤵
- Executes dropped EXE
-
\??\c:\dvrnnjh.exec:\dvrnnjh.exe18⤵
- Executes dropped EXE
-
\??\c:\ltnndj.exec:\ltnndj.exe19⤵
- Executes dropped EXE
-
\??\c:\lbthrt.exec:\lbthrt.exe20⤵
- Executes dropped EXE
-
\??\c:\tvhnxhr.exec:\tvhnxhr.exe21⤵
- Executes dropped EXE
-
\??\c:\dhrlb.exec:\dhrlb.exe22⤵
- Executes dropped EXE
-
\??\c:\vrddx.exec:\vrddx.exe23⤵
- Executes dropped EXE
-
\??\c:\hvphx.exec:\hvphx.exe24⤵
- Executes dropped EXE
-
\??\c:\jdbpp.exec:\jdbpp.exe25⤵
- Executes dropped EXE
-
\??\c:\dpnll.exec:\dpnll.exe26⤵
- Executes dropped EXE
-
\??\c:\bdjlx.exec:\bdjlx.exe27⤵
- Executes dropped EXE
-
\??\c:\rfhvtrn.exec:\rfhvtrn.exe28⤵
- Executes dropped EXE
-
\??\c:\rhlvxn.exec:\rhlvxn.exe29⤵
- Executes dropped EXE
-
\??\c:\hxxppdd.exec:\hxxppdd.exe30⤵
- Executes dropped EXE
-
\??\c:\rhrdb.exec:\rhrdb.exe31⤵
- Executes dropped EXE
-
\??\c:\tvnjhp.exec:\tvnjhp.exe32⤵
- Executes dropped EXE
-
\??\c:\pnpltb.exec:\pnpltb.exe33⤵
- Executes dropped EXE
-
\??\c:\xldnpbb.exec:\xldnpbb.exe34⤵
- Executes dropped EXE
-
\??\c:\vpxljb.exec:\vpxljb.exe35⤵
- Executes dropped EXE
-
\??\c:\bdfptfl.exec:\bdfptfl.exe36⤵
- Executes dropped EXE
-
\??\c:\drxdnrt.exec:\drxdnrt.exe37⤵
- Executes dropped EXE
-
\??\c:\vbtlrt.exec:\vbtlrt.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\prpvhl.exec:\prpvhl.exe39⤵
- Executes dropped EXE
-
\??\c:\lhxpx.exec:\lhxpx.exe40⤵
- Executes dropped EXE
-
\??\c:\ljxll.exec:\ljxll.exe41⤵
- Executes dropped EXE
-
\??\c:\jbvvhh.exec:\jbvvhh.exe42⤵
- Executes dropped EXE
-
\??\c:\xxhjj.exec:\xxhjj.exe43⤵
- Executes dropped EXE
-
\??\c:\jhhpbp.exec:\jhhpbp.exe44⤵
- Executes dropped EXE
-
\??\c:\prldf.exec:\prldf.exe45⤵
- Executes dropped EXE
-
\??\c:\dbtjtb.exec:\dbtjtb.exe46⤵
- Executes dropped EXE
-
\??\c:\bxlnfbd.exec:\bxlnfbd.exe47⤵
- Executes dropped EXE
-
\??\c:\vddfxl.exec:\vddfxl.exe48⤵
- Executes dropped EXE
-
\??\c:\fldttpv.exec:\fldttpv.exe49⤵
- Executes dropped EXE
-
\??\c:\rtrdh.exec:\rtrdh.exe50⤵
- Executes dropped EXE
-
\??\c:\rbxtf.exec:\rbxtf.exe51⤵
- Executes dropped EXE
-
\??\c:\jjhdnj.exec:\jjhdnj.exe52⤵
- Executes dropped EXE
-
\??\c:\rbjhp.exec:\rbjhp.exe53⤵
- Executes dropped EXE
-
\??\c:\tvdnljb.exec:\tvdnljb.exe54⤵
- Executes dropped EXE
-
\??\c:\jtjldv.exec:\jtjldv.exe55⤵
- Executes dropped EXE
-
\??\c:\hpbhp.exec:\hpbhp.exe56⤵
- Executes dropped EXE
-
\??\c:\fljtlj.exec:\fljtlj.exe57⤵
- Executes dropped EXE
-
\??\c:\xbbnph.exec:\xbbnph.exe58⤵
- Executes dropped EXE
-
\??\c:\fflbf.exec:\fflbf.exe59⤵
- Executes dropped EXE
-
\??\c:\bfbnxv.exec:\bfbnxv.exe60⤵
- Executes dropped EXE
-
\??\c:\hfjvxjn.exec:\hfjvxjn.exe61⤵
- Executes dropped EXE
-
\??\c:\vtlbjjl.exec:\vtlbjjl.exe62⤵
- Executes dropped EXE
-
\??\c:\xddhbxt.exec:\xddhbxt.exe63⤵
- Executes dropped EXE
-
\??\c:\ntrvxd.exec:\ntrvxd.exe64⤵
- Executes dropped EXE
-
\??\c:\rrrxdvh.exec:\rrrxdvh.exe65⤵
- Executes dropped EXE
-
\??\c:\pjhrn.exec:\pjhrn.exe66⤵
-
\??\c:\dhhhl.exec:\dhhhl.exe67⤵
-
\??\c:\nxxbrtt.exec:\nxxbrtt.exe68⤵
-
\??\c:\htlpdv.exec:\htlpdv.exe69⤵
-
\??\c:\drvhhv.exec:\drvhhv.exe70⤵
-
\??\c:\hhnrpd.exec:\hhnrpd.exe71⤵
-
\??\c:\ffnfb.exec:\ffnfb.exe72⤵
-
\??\c:\pjtbn.exec:\pjtbn.exe73⤵
-
\??\c:\lllln.exec:\lllln.exe74⤵
-
\??\c:\fxtftr.exec:\fxtftr.exe75⤵
-
\??\c:\tjjlh.exec:\tjjlh.exe76⤵
-
\??\c:\hhxpndv.exec:\hhxpndv.exe77⤵
-
\??\c:\lftjpr.exec:\lftjpr.exe78⤵
-
\??\c:\vdhvlj.exec:\vdhvlj.exe79⤵
-
\??\c:\fjbtv.exec:\fjbtv.exe80⤵
-
\??\c:\pntjdfh.exec:\pntjdfh.exe81⤵
-
\??\c:\rhpblb.exec:\rhpblb.exe82⤵
-
\??\c:\jlnfft.exec:\jlnfft.exe83⤵
-
\??\c:\jrbrd.exec:\jrbrd.exe84⤵
- System Location Discovery: System Language Discovery
-
\??\c:\hjvrrj.exec:\hjvrrj.exe85⤵
-
\??\c:\rtnxhr.exec:\rtnxhr.exe86⤵
-
\??\c:\tjbtbtx.exec:\tjbtbtx.exe87⤵
-
\??\c:\bpjfptj.exec:\bpjfptj.exe88⤵
-
\??\c:\nbprjxp.exec:\nbprjxp.exe89⤵
-
\??\c:\tfxlrb.exec:\tfxlrb.exe90⤵
-
\??\c:\ltxppt.exec:\ltxppt.exe91⤵
-
\??\c:\hbtfxh.exec:\hbtfxh.exe92⤵
-
\??\c:\lbbfpbr.exec:\lbbfpbr.exe93⤵
-
\??\c:\ndphn.exec:\ndphn.exe94⤵
-
\??\c:\pjxjvn.exec:\pjxjvn.exe95⤵
-
\??\c:\bpndxf.exec:\bpndxf.exe96⤵
- System Location Discovery: System Language Discovery
-
\??\c:\dntpl.exec:\dntpl.exe97⤵
-
\??\c:\txbbbdr.exec:\txbbbdr.exe98⤵
-
\??\c:\lrbrnth.exec:\lrbrnth.exe99⤵
-
\??\c:\jvjnjh.exec:\jvjnjh.exe100⤵
-
\??\c:\txttf.exec:\txttf.exe101⤵
-
\??\c:\prptrd.exec:\prptrd.exe102⤵
-
\??\c:\ftfxrv.exec:\ftfxrv.exe103⤵
- System Location Discovery: System Language Discovery
-
\??\c:\bftflx.exec:\bftflx.exe104⤵
-
\??\c:\rftjr.exec:\rftjr.exe105⤵
-
\??\c:\jljxvb.exec:\jljxvb.exe106⤵
-
\??\c:\ntvhth.exec:\ntvhth.exe107⤵
-
\??\c:\tljjn.exec:\tljjn.exe108⤵
-
\??\c:\nxjpvth.exec:\nxjpvth.exe109⤵
-
\??\c:\bddlx.exec:\bddlx.exe110⤵
-
\??\c:\bfrhnx.exec:\bfrhnx.exe111⤵
-
\??\c:\llbpl.exec:\llbpl.exe112⤵
-
\??\c:\vxrhvhh.exec:\vxrhvhh.exe113⤵
-
\??\c:\vjhdtb.exec:\vjhdtb.exe114⤵
-
\??\c:\dlhhnx.exec:\dlhhnx.exe115⤵
-
\??\c:\pdlvx.exec:\pdlvx.exe116⤵
-
\??\c:\lrnfh.exec:\lrnfh.exe117⤵
-
\??\c:\plffth.exec:\plffth.exe118⤵
-
\??\c:\fdhdx.exec:\fdhdx.exe119⤵
-
\??\c:\jfllb.exec:\jfllb.exe120⤵
-
\??\c:\fdlpp.exec:\fdlpp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-