Resubmissions
12-09-2024 02:23
240912-cvfznswere 1004-09-2024 00:09
240904-afvheascla 1003-09-2024 18:57
240903-xl8csavfrb 1003-09-2024 18:12
240903-ws828asgnm 10Analysis
-
max time kernel
1791s -
max time network
1591s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
-
submitted
04-09-2024 00:09
General
-
Target
Stealers/BlackMoon.exe
-
Size
387KB
-
MD5
336efa7460c08e3d47f29121742eb010
-
SHA1
f41c36cd83879d170309dede056563d35741b87b
-
SHA256
e6dd3fa33ad938b07c8978691f86b73e9f6fd84104b92f42566498bdb6b2930e
-
SHA512
e8d118fbe907a00d89c2514af4de475a0ea54943076bf90174234f77f2ec093a1246a0d4e78d1104a0dcda150b5441d28f4f3d1e768ecb20ae86383a99863c14
-
SSDEEP
12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfN:SgdnJVU4TlnwJ6Goo
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lprnpr.exec:\lprnpr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hvnjn.exec:\hvnjn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hljdb.exec:\hljdb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrbhln.exec:\xlrbhln.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fjrfh.exec:\fjrfh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rhrnfh.exec:\rhrnfh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvbl.exec:\jjvbl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xtbjj.exec:\xtbjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bxfbnrv.exec:\bxfbnrv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dflvbfb.exec:\dflvbfb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\njpnbv.exec:\njpnbv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ltlnhx.exec:\ltlnhx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhjh.exec:\hhhjh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bphnbht.exec:\bphnbht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xjrnlb.exec:\xjrnlb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrnrrx.exec:\xrrnrrx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nvbrd.exec:\nvbrd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pbvfrrb.exec:\pbvfrrb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\prvxx.exec:\prvxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhppprt.exec:\hhppprt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hprpdv.exec:\hprpdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vxjvfv.exec:\vxjvfv.exe23⤵
- Executes dropped EXE
-
\??\c:\jrtljh.exec:\jrtljh.exe24⤵
- Executes dropped EXE
-
\??\c:\jnlfpff.exec:\jnlfpff.exe25⤵
- Executes dropped EXE
-
\??\c:\xfftlhl.exec:\xfftlhl.exe26⤵
- Executes dropped EXE
-
\??\c:\bdhdtbj.exec:\bdhdtbj.exe27⤵
- Executes dropped EXE
-
\??\c:\vbrxnf.exec:\vbrxnf.exe28⤵
- Executes dropped EXE
-
\??\c:\rtjlvvp.exec:\rtjlvvp.exe29⤵
- Executes dropped EXE
-
\??\c:\xxrbltn.exec:\xxrbltn.exe30⤵
- Executes dropped EXE
-
\??\c:\vnnhndb.exec:\vnnhndb.exe31⤵
- Executes dropped EXE
-
\??\c:\tjjdj.exec:\tjjdj.exe32⤵
- Executes dropped EXE
-
\??\c:\bpvxdh.exec:\bpvxdh.exe33⤵
- Executes dropped EXE
-
\??\c:\vxjjnr.exec:\vxjjnr.exe34⤵
- Executes dropped EXE
-
\??\c:\tdtvr.exec:\tdtvr.exe35⤵
- Executes dropped EXE
-
\??\c:\bxdfj.exec:\bxdfj.exe36⤵
- Executes dropped EXE
-
\??\c:\jxpndfp.exec:\jxpndfp.exe37⤵
- Executes dropped EXE
-
\??\c:\hrxjfj.exec:\hrxjfj.exe38⤵
- Executes dropped EXE
-
\??\c:\drdbx.exec:\drdbx.exe39⤵
- Executes dropped EXE
-
\??\c:\ppbfdx.exec:\ppbfdx.exe40⤵
- Executes dropped EXE
-
\??\c:\trlrjn.exec:\trlrjn.exe41⤵
- Executes dropped EXE
-
\??\c:\dxbvvx.exec:\dxbvvx.exe42⤵
- Executes dropped EXE
-
\??\c:\rnvrrp.exec:\rnvrrp.exe43⤵
- Executes dropped EXE
-
\??\c:\tjnxpxr.exec:\tjnxpxr.exe44⤵
- Executes dropped EXE
-
\??\c:\bplrx.exec:\bplrx.exe45⤵
- Executes dropped EXE
-
\??\c:\phhfh.exec:\phhfh.exe46⤵
- Executes dropped EXE
-
\??\c:\tnrnr.exec:\tnrnr.exe47⤵
- Executes dropped EXE
-
\??\c:\nrbpbbf.exec:\nrbpbbf.exe48⤵
- Executes dropped EXE
-
\??\c:\rrflbjn.exec:\rrflbjn.exe49⤵
- Executes dropped EXE
-
\??\c:\nrbbhtf.exec:\nrbbhtf.exe50⤵
- Executes dropped EXE
-
\??\c:\ldrdxb.exec:\ldrdxb.exe51⤵
- Executes dropped EXE
-
\??\c:\pnrvd.exec:\pnrvd.exe52⤵
- Executes dropped EXE
-
\??\c:\jlvrdvj.exec:\jlvrdvj.exe53⤵
- Executes dropped EXE
-
\??\c:\tprhjt.exec:\tprhjt.exe54⤵
- Executes dropped EXE
-
\??\c:\vrnbh.exec:\vrnbh.exe55⤵
- Executes dropped EXE
-
\??\c:\lrjxv.exec:\lrjxv.exe56⤵
- Executes dropped EXE
-
\??\c:\rjjfbt.exec:\rjjfbt.exe57⤵
- Executes dropped EXE
-
\??\c:\rhdpnbj.exec:\rhdpnbj.exe58⤵
- Executes dropped EXE
-
\??\c:\hxxhnn.exec:\hxxhnn.exe59⤵
- Executes dropped EXE
-
\??\c:\hprxx.exec:\hprxx.exe60⤵
- Executes dropped EXE
-
\??\c:\bpxhl.exec:\bpxhl.exe61⤵
- Executes dropped EXE
-
\??\c:\lxvhxl.exec:\lxvhxl.exe62⤵
- Executes dropped EXE
-
\??\c:\vntfdj.exec:\vntfdj.exe63⤵
- Executes dropped EXE
-
\??\c:\hbfjpv.exec:\hbfjpv.exe64⤵
- Executes dropped EXE
-
\??\c:\rftxrn.exec:\rftxrn.exe65⤵
- Executes dropped EXE
-
\??\c:\rvvhjrn.exec:\rvvhjrn.exe66⤵
-
\??\c:\jphjpf.exec:\jphjpf.exe67⤵
-
\??\c:\tvrfhhn.exec:\tvrfhhn.exe68⤵
-
\??\c:\fvjbvv.exec:\fvjbvv.exe69⤵
-
\??\c:\xjbjtfx.exec:\xjbjtfx.exe70⤵
-
\??\c:\tdhltr.exec:\tdhltr.exe71⤵
-
\??\c:\vfrnhj.exec:\vfrnhj.exe72⤵
-
\??\c:\xxbldvb.exec:\xxbldvb.exe73⤵
-
\??\c:\hvxtj.exec:\hvxtj.exe74⤵
-
\??\c:\htlnj.exec:\htlnj.exe75⤵
-
\??\c:\trpvx.exec:\trpvx.exe76⤵
-
\??\c:\pblbnt.exec:\pblbnt.exe77⤵
-
\??\c:\xrfjj.exec:\xrfjj.exe78⤵
-
\??\c:\vhjdhhf.exec:\vhjdhhf.exe79⤵
-
\??\c:\npdbxdj.exec:\npdbxdj.exe80⤵
-
\??\c:\vrdtn.exec:\vrdtn.exe81⤵
-
\??\c:\rrbtpr.exec:\rrbtpr.exe82⤵
-
\??\c:\lfljndb.exec:\lfljndb.exe83⤵
-
\??\c:\nbnjt.exec:\nbnjt.exe84⤵
-
\??\c:\jthplnj.exec:\jthplnj.exe85⤵
-
\??\c:\jlplpnv.exec:\jlplpnv.exe86⤵
-
\??\c:\vrbdjd.exec:\vrbdjd.exe87⤵
-
\??\c:\nrnlbp.exec:\nrnlbp.exe88⤵
-
\??\c:\hprbft.exec:\hprbft.exe89⤵
-
\??\c:\trdxvdx.exec:\trdxvdx.exe90⤵
-
\??\c:\txjxt.exec:\txjxt.exe91⤵
-
\??\c:\ppxvt.exec:\ppxvt.exe92⤵
-
\??\c:\nfnfj.exec:\nfnfj.exe93⤵
-
\??\c:\nhtjjjj.exec:\nhtjjjj.exe94⤵
-
\??\c:\blvnj.exec:\blvnj.exe95⤵
-
\??\c:\xhpttj.exec:\xhpttj.exe96⤵
-
\??\c:\vbdbv.exec:\vbdbv.exe97⤵
-
\??\c:\bhjxl.exec:\bhjxl.exe98⤵
-
\??\c:\hdlrh.exec:\hdlrh.exe99⤵
-
\??\c:\pnjhbx.exec:\pnjhbx.exe100⤵
-
\??\c:\ndnvbh.exec:\ndnvbh.exe101⤵
-
\??\c:\vvfrp.exec:\vvfrp.exe102⤵
-
\??\c:\rbtdh.exec:\rbtdh.exe103⤵
-
\??\c:\fdjhr.exec:\fdjhr.exe104⤵
-
\??\c:\fdpdb.exec:\fdpdb.exe105⤵
-
\??\c:\xxlxlxn.exec:\xxlxlxn.exe106⤵
-
\??\c:\bjrvv.exec:\bjrvv.exe107⤵
-
\??\c:\hnfhhj.exec:\hnfhhj.exe108⤵
-
\??\c:\hlbjrjl.exec:\hlbjrjl.exe109⤵
-
\??\c:\fxhblfl.exec:\fxhblfl.exe110⤵
-
\??\c:\jnntx.exec:\jnntx.exe111⤵
-
\??\c:\txlvvjd.exec:\txlvvjd.exe112⤵
-
\??\c:\llpfj.exec:\llpfj.exe113⤵
-
\??\c:\rvvfx.exec:\rvvfx.exe114⤵
-
\??\c:\hxhjt.exec:\hxhjt.exe115⤵
-
\??\c:\bnjxhtt.exec:\bnjxhtt.exe116⤵
-
\??\c:\xrdnpxd.exec:\xrdnpxd.exe117⤵
-
\??\c:\fpphfl.exec:\fpphfl.exe118⤵
-
\??\c:\tplpxl.exec:\tplpxl.exe119⤵
-
\??\c:\nxtbh.exec:\nxtbh.exe120⤵
-
\??\c:\bjjrr.exec:\bjjrr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-