Resubmissions
12-09-2024 02:23
240912-cvfznswere 1004-09-2024 00:09
240904-afvheascla 1003-09-2024 18:57
240903-xl8csavfrb 1003-09-2024 18:12
240903-ws828asgnm 10Analysis
-
max time kernel
72s -
max time network
66s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03-09-2024 18:57
General
-
Target
Stealers/BlackMoon.exe
-
Size
387KB
-
MD5
336efa7460c08e3d47f29121742eb010
-
SHA1
f41c36cd83879d170309dede056563d35741b87b
-
SHA256
e6dd3fa33ad938b07c8978691f86b73e9f6fd84104b92f42566498bdb6b2930e
-
SHA512
e8d118fbe907a00d89c2514af4de475a0ea54943076bf90174234f77f2ec093a1246a0d4e78d1104a0dcda150b5441d28f4f3d1e768ecb20ae86383a99863c14
-
SSDEEP
12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfN:SgdnJVU4TlnwJ6Goo
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 30 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdjj.exec:\pjdjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xxrrrr.exec:\5xxrrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjpd.exec:\dvjpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtnnn.exec:\thtnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdvv.exec:\pvdvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxxffr.exec:\rlxxffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlllfff.exec:\xlllfff.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvvv.exec:\vvvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdvv.exec:\vpdvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvddd.exec:\vvddd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtntb.exec:\hbtntb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvpp.exec:\pjvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7htntn.exec:\7htntn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllllr.exec:\fxllllr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbbtt.exec:\thbbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpvp.exec:\pjpvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrlfff.exec:\rfrlfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddddj.exec:\ddddj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrlllr.exec:\ffrlllr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nntnnn.exec:\nntnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjjj.exec:\jdjjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfffxxr.exec:\lfffxxr.exe23⤵
- Executes dropped EXE
-
\??\c:\pjpvd.exec:\pjpvd.exe24⤵
- Executes dropped EXE
-
\??\c:\jvdvp.exec:\jvdvp.exe25⤵
- Executes dropped EXE
-
\??\c:\rlrfxrl.exec:\rlrfxrl.exe26⤵
- Executes dropped EXE
-
\??\c:\1nnnhb.exec:\1nnnhb.exe27⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe28⤵
- Executes dropped EXE
-
\??\c:\hhtbhn.exec:\hhtbhn.exe29⤵
- Executes dropped EXE
-
\??\c:\dvvvj.exec:\dvvvj.exe30⤵
- Executes dropped EXE
-
\??\c:\vvpvp.exec:\vvpvp.exe31⤵
- Executes dropped EXE
-
\??\c:\rlxrrll.exec:\rlxrrll.exe32⤵
- Executes dropped EXE
-
\??\c:\jvvdd.exec:\jvvdd.exe33⤵
- Executes dropped EXE
-
\??\c:\thtnnn.exec:\thtnnn.exe34⤵
- Executes dropped EXE
-
\??\c:\9jjdv.exec:\9jjdv.exe35⤵
- Executes dropped EXE
-
\??\c:\ffxxlfl.exec:\ffxxlfl.exe36⤵
- Executes dropped EXE
-
\??\c:\xxfxffl.exec:\xxfxffl.exe37⤵
- Executes dropped EXE
-
\??\c:\pdjdv.exec:\pdjdv.exe38⤵
- Executes dropped EXE
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe39⤵
- Executes dropped EXE
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe40⤵
- Executes dropped EXE
-
\??\c:\ddppv.exec:\ddppv.exe41⤵
- Executes dropped EXE
-
\??\c:\xxlfllf.exec:\xxlfllf.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\7xfxxxr.exec:\7xfxxxr.exe43⤵
- Executes dropped EXE
-
\??\c:\thhhtt.exec:\thhhtt.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ppdvp.exec:\ppdvp.exe45⤵
- Executes dropped EXE
-
\??\c:\ddppj.exec:\ddppj.exe46⤵
- Executes dropped EXE
-
\??\c:\lfrrrrr.exec:\lfrrrrr.exe47⤵
- Executes dropped EXE
-
\??\c:\7btnbb.exec:\7btnbb.exe48⤵
- Executes dropped EXE
-
\??\c:\vpppp.exec:\vpppp.exe49⤵
- Executes dropped EXE
-
\??\c:\1djdj.exec:\1djdj.exe50⤵
- Executes dropped EXE
-
\??\c:\1nnhtb.exec:\1nnhtb.exe51⤵
- Executes dropped EXE
-
\??\c:\1djjd.exec:\1djjd.exe52⤵
- Executes dropped EXE
-
\??\c:\frxrffx.exec:\frxrffx.exe53⤵
- Executes dropped EXE
-
\??\c:\fxfxxxr.exec:\fxfxxxr.exe54⤵
- Executes dropped EXE
-
\??\c:\bnhbtb.exec:\bnhbtb.exe55⤵
- Executes dropped EXE
-
\??\c:\dpvvv.exec:\dpvvv.exe56⤵
- Executes dropped EXE
-
\??\c:\fxllllr.exec:\fxllllr.exe57⤵
- Executes dropped EXE
-
\??\c:\rrfxxxr.exec:\rrfxxxr.exe58⤵
- Executes dropped EXE
-
\??\c:\tnbtbb.exec:\tnbtbb.exe59⤵
- Executes dropped EXE
-
\??\c:\ppvpp.exec:\ppvpp.exe60⤵
- Executes dropped EXE
-
\??\c:\9nttht.exec:\9nttht.exe61⤵
- Executes dropped EXE
-
\??\c:\pdjjj.exec:\pdjjj.exe62⤵
- Executes dropped EXE
-
\??\c:\vjppd.exec:\vjppd.exe63⤵
- Executes dropped EXE
-
\??\c:\llxrxxf.exec:\llxrxxf.exe64⤵
- Executes dropped EXE
-
\??\c:\htbttt.exec:\htbttt.exe65⤵
- Executes dropped EXE
-
\??\c:\jjddv.exec:\jjddv.exe66⤵
-
\??\c:\lxrrflf.exec:\lxrrflf.exe67⤵
-
\??\c:\ttthtb.exec:\ttthtb.exe68⤵
-
\??\c:\jvppd.exec:\jvppd.exe69⤵
-
\??\c:\7vvjd.exec:\7vvjd.exe70⤵
-
\??\c:\hnbtnt.exec:\hnbtnt.exe71⤵
-
\??\c:\5bnhnn.exec:\5bnhnn.exe72⤵
-
\??\c:\pvpjp.exec:\pvpjp.exe73⤵
-
\??\c:\xfrllrl.exec:\xfrllrl.exe74⤵
-
\??\c:\tthhbb.exec:\tthhbb.exe75⤵
- System Location Discovery: System Language Discovery
-
\??\c:\1ddvv.exec:\1ddvv.exe76⤵
- System Location Discovery: System Language Discovery
-
\??\c:\fxxrllf.exec:\fxxrllf.exe77⤵
-
\??\c:\frxrrxl.exec:\frxrrxl.exe78⤵
-
\??\c:\hhnnnn.exec:\hhnnnn.exe79⤵
- System Location Discovery: System Language Discovery
-
\??\c:\pvvvp.exec:\pvvvp.exe80⤵
-
\??\c:\1rfxrrr.exec:\1rfxrrr.exe81⤵
-
\??\c:\bnbtbb.exec:\bnbtbb.exe82⤵
-
\??\c:\nnbbnn.exec:\nnbbnn.exe83⤵
-
\??\c:\ddvdj.exec:\ddvdj.exe84⤵
-
\??\c:\xrxfrxr.exec:\xrxfrxr.exe85⤵
-
\??\c:\bthhtt.exec:\bthhtt.exe86⤵
-
\??\c:\9tnnbn.exec:\9tnnbn.exe87⤵
- System Location Discovery: System Language Discovery
-
\??\c:\3vvpp.exec:\3vvpp.exe88⤵
-
\??\c:\ntnbbb.exec:\ntnbbb.exe89⤵
-
\??\c:\vvdvp.exec:\vvdvp.exe90⤵
-
\??\c:\flxrlfx.exec:\flxrlfx.exe91⤵
-
\??\c:\nnthhh.exec:\nnthhh.exe92⤵
-
\??\c:\jvvjj.exec:\jvvjj.exe93⤵
-
\??\c:\5fffxff.exec:\5fffxff.exe94⤵
-
\??\c:\fxxxfff.exec:\fxxxfff.exe95⤵
-
\??\c:\bbbbtb.exec:\bbbbtb.exe96⤵
-
\??\c:\ppvvp.exec:\ppvvp.exe97⤵
-
\??\c:\rrrfffl.exec:\rrrfffl.exe98⤵
-
\??\c:\httbnt.exec:\httbnt.exe99⤵
-
\??\c:\hnnntb.exec:\hnnntb.exe100⤵
-
\??\c:\jpppp.exec:\jpppp.exe101⤵
-
\??\c:\rrlxfrx.exec:\rrlxfrx.exe102⤵
-
\??\c:\hthhhh.exec:\hthhhh.exe103⤵
-
\??\c:\ddddv.exec:\ddddv.exe104⤵
-
\??\c:\3xlfrlf.exec:\3xlfrlf.exe105⤵
-
\??\c:\3nbbtt.exec:\3nbbtt.exe106⤵
-
\??\c:\thhbbb.exec:\thhbbb.exe107⤵
-
\??\c:\pjjvv.exec:\pjjvv.exe108⤵
-
\??\c:\3fffrrl.exec:\3fffrrl.exe109⤵
-
\??\c:\btttnh.exec:\btttnh.exe110⤵
-
\??\c:\vdjdj.exec:\vdjdj.exe111⤵
-
\??\c:\jdvvj.exec:\jdvvj.exe112⤵
-
\??\c:\frfxrxx.exec:\frfxrxx.exe113⤵
-
\??\c:\9ntbtt.exec:\9ntbtt.exe114⤵
-
\??\c:\ppdvp.exec:\ppdvp.exe115⤵
-
\??\c:\ppvvp.exec:\ppvvp.exe116⤵
-
\??\c:\rrxlflf.exec:\rrxlflf.exe117⤵
-
\??\c:\hbhhtn.exec:\hbhhtn.exe118⤵
-
\??\c:\pvjpj.exec:\pvjpj.exe119⤵
-
\??\c:\ffrlllr.exec:\ffrlllr.exe120⤵
-
\??\c:\nntnnn.exec:\nntnnn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-