Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
26/07/2024, 06:54
General
-
Target
970771ff3538cc7439e6a1edaf6a9be0N.exe
-
Size
76KB
-
MD5
970771ff3538cc7439e6a1edaf6a9be0
-
SHA1
758b92e2f78a46f21718204a2b81ddefa8acdfb0
-
SHA256
e1692cb6fb1024c9bdaad2296aefd6393ecb28bfdef7fc51823838acc510d0ac
-
SHA512
684b0d8b7329223927195cc181003e2c1af8bf0a19246e1b5d216b6b5e37153c033cde588ee37dcd2ba7ace82461e6b67124dfd4862aac0de8d6ae71dbbb8583
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIJSsD+cGUFzJhB:ymb3NkkiQ3mdBjFIwsDhbN7B
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\970771ff3538cc7439e6a1edaf6a9be0N.exe"C:\Users\Admin\AppData\Local\Temp\970771ff3538cc7439e6a1edaf6a9be0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxfrxf.exec:\lfxfrxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nntnn.exec:\9nntnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhtth.exec:\hhhtth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vvdv.exec:\9vvdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvvv.exec:\jpvvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxlrll.exec:\lrxlrll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3btbnn.exec:\3btbnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdvp.exec:\vvdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frffrrr.exec:\frffrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbtnb.exec:\nnbtnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvpjd.exec:\pvpjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhth.exec:\nhbhth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvdv.exec:\jjvdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdjp.exec:\ppdjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrllr.exec:\fxlrllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlfxfr.exec:\rxlfxfr.exe17⤵
- Executes dropped EXE
-
\??\c:\bbhttn.exec:\bbhttn.exe18⤵
- Executes dropped EXE
-
\??\c:\7lxflrl.exec:\7lxflrl.exe19⤵
- Executes dropped EXE
-
\??\c:\nhbbnn.exec:\nhbbnn.exe20⤵
- Executes dropped EXE
-
\??\c:\nhttbb.exec:\nhttbb.exe21⤵
- Executes dropped EXE
-
\??\c:\ppdpv.exec:\ppdpv.exe22⤵
- Executes dropped EXE
-
\??\c:\rrflxfl.exec:\rrflxfl.exe23⤵
- Executes dropped EXE
-
\??\c:\fxlxffr.exec:\fxlxffr.exe24⤵
- Executes dropped EXE
-
\??\c:\5htbtb.exec:\5htbtb.exe25⤵
- Executes dropped EXE
-
\??\c:\ppjdp.exec:\ppjdp.exe26⤵
- Executes dropped EXE
-
\??\c:\xxfxrff.exec:\xxfxrff.exe27⤵
- Executes dropped EXE
-
\??\c:\fffrlll.exec:\fffrlll.exe28⤵
- Executes dropped EXE
-
\??\c:\thhnnn.exec:\thhnnn.exe29⤵
- Executes dropped EXE
-
\??\c:\pjpvp.exec:\pjpvp.exe30⤵
- Executes dropped EXE
-
\??\c:\lllrxrx.exec:\lllrxrx.exe31⤵
- Executes dropped EXE
-
\??\c:\hbthtt.exec:\hbthtt.exe32⤵
- Executes dropped EXE
-
\??\c:\9djjp.exec:\9djjp.exe33⤵
- Executes dropped EXE
-
\??\c:\7ppdj.exec:\7ppdj.exe34⤵
- Executes dropped EXE
-
\??\c:\rfrrlxl.exec:\rfrrlxl.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\lfxxlrx.exec:\lfxxlrx.exe36⤵
- Executes dropped EXE
-
\??\c:\tbbtbh.exec:\tbbtbh.exe37⤵
- Executes dropped EXE
-
\??\c:\vvppj.exec:\vvppj.exe38⤵
- Executes dropped EXE
-
\??\c:\1pddp.exec:\1pddp.exe39⤵
- Executes dropped EXE
-
\??\c:\xflfxxl.exec:\xflfxxl.exe40⤵
- Executes dropped EXE
-
\??\c:\9hbbtb.exec:\9hbbtb.exe41⤵
-
\??\c:\nbnhhb.exec:\nbnhhb.exe42⤵
- Executes dropped EXE
-
\??\c:\pdvdv.exec:\pdvdv.exe43⤵
- Executes dropped EXE
-
\??\c:\pppjv.exec:\pppjv.exe44⤵
- Executes dropped EXE
-
\??\c:\xxfxrfx.exec:\xxfxrfx.exe45⤵
- Executes dropped EXE
-
\??\c:\rlfrxxf.exec:\rlfrxxf.exe46⤵
- Executes dropped EXE
-
\??\c:\bbnhtn.exec:\bbnhtn.exe47⤵
- Executes dropped EXE
-
\??\c:\jppvv.exec:\jppvv.exe48⤵
- Executes dropped EXE
-
\??\c:\1pddj.exec:\1pddj.exe49⤵
- Executes dropped EXE
-
\??\c:\xrfrxlr.exec:\xrfrxlr.exe50⤵
- Executes dropped EXE
-
\??\c:\bttttn.exec:\bttttn.exe51⤵
- Executes dropped EXE
-
\??\c:\ntthnh.exec:\ntthnh.exe52⤵
- Executes dropped EXE
-
\??\c:\jvpvj.exec:\jvpvj.exe53⤵
- Executes dropped EXE
-
\??\c:\jpjdd.exec:\jpjdd.exe54⤵
- Executes dropped EXE
-
\??\c:\xxrlflx.exec:\xxrlflx.exe55⤵
- Executes dropped EXE
-
\??\c:\ffrrllx.exec:\ffrrllx.exe56⤵
- Executes dropped EXE
-
\??\c:\bbntnt.exec:\bbntnt.exe57⤵
- Executes dropped EXE
-
\??\c:\jvpvj.exec:\jvpvj.exe58⤵
- Executes dropped EXE
-
\??\c:\vvpvp.exec:\vvpvp.exe59⤵
- Executes dropped EXE
-
\??\c:\lxllxff.exec:\lxllxff.exe60⤵
- Executes dropped EXE
-
\??\c:\3tnhtn.exec:\3tnhtn.exe61⤵
- Executes dropped EXE
-
\??\c:\7hbtnb.exec:\7hbtnb.exe62⤵
- Executes dropped EXE
-
\??\c:\jvpvd.exec:\jvpvd.exe63⤵
- Executes dropped EXE
-
\??\c:\lfrffrl.exec:\lfrffrl.exe64⤵
- Executes dropped EXE
-
\??\c:\1bnbbb.exec:\1bnbbb.exe65⤵
- Executes dropped EXE
-
\??\c:\ttnthh.exec:\ttnthh.exe66⤵
- Executes dropped EXE
-
\??\c:\vvvdj.exec:\vvvdj.exe67⤵
-
\??\c:\vvvdp.exec:\vvvdp.exe68⤵
-
\??\c:\fxllrrf.exec:\fxllrrf.exe69⤵
-
\??\c:\bbthbn.exec:\bbthbn.exe70⤵
-
\??\c:\hbbhhn.exec:\hbbhhn.exe71⤵
-
\??\c:\dddjj.exec:\dddjj.exe72⤵
-
\??\c:\vpppj.exec:\vpppj.exe73⤵
-
\??\c:\lrlfrrr.exec:\lrlfrrr.exe74⤵
-
\??\c:\tnhhtb.exec:\tnhhtb.exe75⤵
-
\??\c:\btnhbt.exec:\btnhbt.exe76⤵
-
\??\c:\dpjpj.exec:\dpjpj.exe77⤵
-
\??\c:\vpvjp.exec:\vpvjp.exe78⤵
-
\??\c:\xrrrlrr.exec:\xrrrlrr.exe79⤵
-
\??\c:\hhbhtt.exec:\hhbhtt.exe80⤵
-
\??\c:\tthhnn.exec:\tthhnn.exe81⤵
-
\??\c:\jdjvp.exec:\jdjvp.exe82⤵
-
\??\c:\xrlfllr.exec:\xrlfllr.exe83⤵
-
\??\c:\lxrxrlr.exec:\lxrxrlr.exe84⤵
-
\??\c:\vppdj.exec:\vppdj.exe85⤵
-
\??\c:\dvvpv.exec:\dvvpv.exe86⤵
-
\??\c:\9rrrrlf.exec:\9rrrrlf.exe87⤵
-
\??\c:\fllxxll.exec:\fllxxll.exe88⤵
-
\??\c:\bnnnbn.exec:\bnnnbn.exe89⤵
-
\??\c:\7bhntn.exec:\7bhntn.exe90⤵
-
\??\c:\7pjjv.exec:\7pjjv.exe91⤵
-
\??\c:\jppdd.exec:\jppdd.exe92⤵
-
\??\c:\rfrlxrl.exec:\rfrlxrl.exe93⤵
-
\??\c:\7nhbnt.exec:\7nhbnt.exe94⤵
-
\??\c:\7hnhhn.exec:\7hnhhn.exe95⤵
-
\??\c:\vpvdv.exec:\vpvdv.exe96⤵
-
\??\c:\dvvjj.exec:\dvvjj.exe97⤵
-
\??\c:\xfflxrl.exec:\xfflxrl.exe98⤵
-
\??\c:\1frfflx.exec:\1frfflx.exe99⤵
-
\??\c:\hhhnhh.exec:\hhhnhh.exe100⤵
-
\??\c:\bbbnbh.exec:\bbbnbh.exe101⤵
-
\??\c:\jjppj.exec:\jjppj.exe102⤵
-
\??\c:\ddvjp.exec:\ddvjp.exe103⤵
-
\??\c:\rlfrrfl.exec:\rlfrrfl.exe104⤵
-
\??\c:\xrxfrfx.exec:\xrxfrfx.exe105⤵
-
\??\c:\hbtbbb.exec:\hbtbbb.exe106⤵
-
\??\c:\hbtnhh.exec:\hbtnhh.exe107⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe108⤵
-
\??\c:\1jpjv.exec:\1jpjv.exe109⤵
-
\??\c:\3xrfrxl.exec:\3xrfrxl.exe110⤵
-
\??\c:\xflxfrx.exec:\xflxfrx.exe111⤵
-
\??\c:\hhhbhn.exec:\hhhbhn.exe112⤵
-
\??\c:\httntb.exec:\httntb.exe113⤵
-
\??\c:\jdvjd.exec:\jdvjd.exe114⤵
-
\??\c:\vvpdv.exec:\vvpdv.exe115⤵
-
\??\c:\9lfxlrf.exec:\9lfxlrf.exe116⤵
-
\??\c:\lfxfxxl.exec:\lfxfxxl.exe117⤵
-
\??\c:\5bnbtt.exec:\5bnbtt.exe118⤵
-
\??\c:\ntthhh.exec:\ntthhh.exe119⤵
-
\??\c:\7pjvd.exec:\7pjvd.exe120⤵
-
\??\c:\3lffflr.exec:\3lffflr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-