Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
26-07-2024 21:26
General
-
Target
585a998d119dd1130129cca5be7993b0N.exe
-
Size
73KB
-
MD5
585a998d119dd1130129cca5be7993b0
-
SHA1
fccfd93f0f70d78f8306a0012091860d247350a8
-
SHA256
c724adf1366e2ca6ad9212f7273a8755472d5df5a9e43d302dd31eaccaa7cbfa
-
SHA512
46d86e90e147822d1760e5395e9bd1307e42611a36298dd910f1033094851556724fee2197c7819449bb6b9feee5186f6e8cbcf64cfec1fec4b4ff763b65dae1
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUwcsbYsRgVK3G/w:ymb3NkkiQ3mdBjF0yjcsMsRH/
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\585a998d119dd1130129cca5be7993b0N.exe"C:\Users\Admin\AppData\Local\Temp\585a998d119dd1130129cca5be7993b0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnnnh.exec:\ttnnnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pjpd.exec:\9pjpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3pdvj.exec:\3pdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnbnt.exec:\nhnbnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvdd.exec:\pdvdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffrlrf.exec:\lffrlrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5frxffr.exec:\5frxffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1dvjj.exec:\1dvjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjvd.exec:\jvjvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbbhb.exec:\htbbhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntnht.exec:\tntnht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffrxxl.exec:\lffrxxl.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\lrflxff.exec:\lrflxff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5btthb.exec:\5btthb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpdp.exec:\djpdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrxrll.exec:\flrxrll.exe17⤵
- Executes dropped EXE
-
\??\c:\9nnnbh.exec:\9nnnbh.exe18⤵
- Executes dropped EXE
-
\??\c:\jdpdj.exec:\jdpdj.exe19⤵
- Executes dropped EXE
-
\??\c:\ffxxxff.exec:\ffxxxff.exe20⤵
- Executes dropped EXE
-
\??\c:\tbbtth.exec:\tbbtth.exe21⤵
- Executes dropped EXE
-
\??\c:\jjvpd.exec:\jjvpd.exe22⤵
- Executes dropped EXE
-
\??\c:\jvjpj.exec:\jvjpj.exe23⤵
- Executes dropped EXE
-
\??\c:\fllffxx.exec:\fllffxx.exe24⤵
- Executes dropped EXE
-
\??\c:\hhhtbn.exec:\hhhtbn.exe25⤵
- Executes dropped EXE
-
\??\c:\vjvdp.exec:\vjvdp.exe26⤵
- Executes dropped EXE
-
\??\c:\xfrlfrx.exec:\xfrlfrx.exe27⤵
- Executes dropped EXE
-
\??\c:\nhntbb.exec:\nhntbb.exe28⤵
- Executes dropped EXE
-
\??\c:\pvjdd.exec:\pvjdd.exe29⤵
- Executes dropped EXE
-
\??\c:\xfffrlf.exec:\xfffrlf.exe30⤵
- Executes dropped EXE
-
\??\c:\tnbtbb.exec:\tnbtbb.exe31⤵
- Executes dropped EXE
-
\??\c:\vpjvd.exec:\vpjvd.exe32⤵
- Executes dropped EXE
-
\??\c:\lffxrfr.exec:\lffxrfr.exe33⤵
- Executes dropped EXE
-
\??\c:\nttnbh.exec:\nttnbh.exe34⤵
- Executes dropped EXE
-
\??\c:\pvppv.exec:\pvppv.exe35⤵
- Executes dropped EXE
-
\??\c:\lrrxrrf.exec:\lrrxrrf.exe36⤵
- Executes dropped EXE
-
\??\c:\lxfxlrf.exec:\lxfxlrf.exe37⤵
- Executes dropped EXE
-
\??\c:\bbhbnn.exec:\bbhbnn.exe38⤵
- Executes dropped EXE
-
\??\c:\dvjvd.exec:\dvjvd.exe39⤵
- Executes dropped EXE
-
\??\c:\fxlrflx.exec:\fxlrflx.exe40⤵
- Executes dropped EXE
-
\??\c:\rxxllxf.exec:\rxxllxf.exe41⤵
- Executes dropped EXE
-
\??\c:\bthbnn.exec:\bthbnn.exe42⤵
- Executes dropped EXE
-
\??\c:\pjppj.exec:\pjppj.exe43⤵
- Executes dropped EXE
-
\??\c:\3pppj.exec:\3pppj.exe44⤵
- Executes dropped EXE
-
\??\c:\lffxlrf.exec:\lffxlrf.exe45⤵
- Executes dropped EXE
-
\??\c:\tbhnnn.exec:\tbhnnn.exe46⤵
- Executes dropped EXE
-
\??\c:\tnhbbn.exec:\tnhbbn.exe47⤵
- Executes dropped EXE
-
\??\c:\djjdv.exec:\djjdv.exe48⤵
- Executes dropped EXE
-
\??\c:\lrxflrl.exec:\lrxflrl.exe49⤵
- Executes dropped EXE
-
\??\c:\rlfxllr.exec:\rlfxllr.exe50⤵
- Executes dropped EXE
-
\??\c:\tnntbn.exec:\tnntbn.exe51⤵
- Executes dropped EXE
-
\??\c:\vvpdj.exec:\vvpdj.exe52⤵
- Executes dropped EXE
-
\??\c:\xlrffll.exec:\xlrffll.exe53⤵
- Executes dropped EXE
-
\??\c:\flfxrxl.exec:\flfxrxl.exe54⤵
- Executes dropped EXE
-
\??\c:\hhbtbn.exec:\hhbtbn.exe55⤵
- Executes dropped EXE
-
\??\c:\bnnbbt.exec:\bnnbbt.exe56⤵
- Executes dropped EXE
-
\??\c:\djjpv.exec:\djjpv.exe57⤵
- Executes dropped EXE
-
\??\c:\frfxlrx.exec:\frfxlrx.exe58⤵
- Executes dropped EXE
-
\??\c:\nnhnhh.exec:\nnhnhh.exe59⤵
- Executes dropped EXE
-
\??\c:\ppdvd.exec:\ppdvd.exe60⤵
- Executes dropped EXE
-
\??\c:\7vjvv.exec:\7vjvv.exe61⤵
- Executes dropped EXE
-
\??\c:\rxxlxfx.exec:\rxxlxfx.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\frrlxrx.exec:\frrlxrx.exe63⤵
- Executes dropped EXE
-
\??\c:\nhbbhh.exec:\nhbbhh.exe64⤵
- Executes dropped EXE
-
\??\c:\jvppv.exec:\jvppv.exe65⤵
- Executes dropped EXE
-
\??\c:\ffflrlf.exec:\ffflrlf.exe66⤵
-
\??\c:\ntnnnh.exec:\ntnnnh.exe67⤵
-
\??\c:\httnth.exec:\httnth.exe68⤵
-
\??\c:\pdvvv.exec:\pdvvv.exe69⤵
-
\??\c:\rrfxflr.exec:\rrfxflr.exe70⤵
-
\??\c:\9hbnht.exec:\9hbnht.exe71⤵
-
\??\c:\1tbtnn.exec:\1tbtnn.exe72⤵
-
\??\c:\jdjjj.exec:\jdjjj.exe73⤵
-
\??\c:\lflrrxr.exec:\lflrrxr.exe74⤵
-
\??\c:\nnthbh.exec:\nnthbh.exe75⤵
-
\??\c:\ttthhh.exec:\ttthhh.exe76⤵
-
\??\c:\7pjpj.exec:\7pjpj.exe77⤵
-
\??\c:\jdvjd.exec:\jdvjd.exe78⤵
-
\??\c:\flffrll.exec:\flffrll.exe79⤵
-
\??\c:\hnnnth.exec:\hnnnth.exe80⤵
-
\??\c:\5dvjv.exec:\5dvjv.exe81⤵
-
\??\c:\vvvdd.exec:\vvvdd.exe82⤵
-
\??\c:\7ffxxrr.exec:\7ffxxrr.exe83⤵
-
\??\c:\hnbhhb.exec:\hnbhhb.exe84⤵
-
\??\c:\ttnntb.exec:\ttnntb.exe85⤵
-
\??\c:\pjdpj.exec:\pjdpj.exe86⤵
-
\??\c:\fxllrrf.exec:\fxllrrf.exe87⤵
-
\??\c:\rlllxlx.exec:\rlllxlx.exe88⤵
-
\??\c:\nnhhth.exec:\nnhhth.exe89⤵
-
\??\c:\bbthbt.exec:\bbthbt.exe90⤵
-
\??\c:\vvppp.exec:\vvppp.exe91⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xxffxll.exec:\xxffxll.exe92⤵
-
\??\c:\thhtnt.exec:\thhtnt.exe93⤵
-
\??\c:\thttnn.exec:\thttnn.exe94⤵
-
\??\c:\vpdpj.exec:\vpdpj.exe95⤵
-
\??\c:\lfxxxxr.exec:\lfxxxxr.exe96⤵
-
\??\c:\bnbhnb.exec:\bnbhnb.exe97⤵
-
\??\c:\hnhnnn.exec:\hnhnnn.exe98⤵
-
\??\c:\vjddp.exec:\vjddp.exe99⤵
-
\??\c:\lxxrrlr.exec:\lxxrrlr.exe100⤵
-
\??\c:\bhnntt.exec:\bhnntt.exe101⤵
-
\??\c:\ttbhbn.exec:\ttbhbn.exe102⤵
-
\??\c:\vvpvp.exec:\vvpvp.exe103⤵
-
\??\c:\lllfflr.exec:\lllfflr.exe104⤵
-
\??\c:\frlffrr.exec:\frlffrr.exe105⤵
-
\??\c:\hhhthb.exec:\hhhthb.exe106⤵
-
\??\c:\vvvdp.exec:\vvvdp.exe107⤵
-
\??\c:\3pvpj.exec:\3pvpj.exe108⤵
-
\??\c:\rfflrlf.exec:\rfflrlf.exe109⤵
-
\??\c:\3lxlxlx.exec:\3lxlxlx.exe110⤵
-
\??\c:\jjjdd.exec:\jjjdd.exe111⤵
-
\??\c:\ppddv.exec:\ppddv.exe112⤵
-
\??\c:\lllrxxf.exec:\lllrxxf.exe113⤵
-
\??\c:\hbttnt.exec:\hbttnt.exe114⤵
-
\??\c:\nbnntt.exec:\nbnntt.exe115⤵
-
\??\c:\pjjjv.exec:\pjjjv.exe116⤵
-
\??\c:\ddjpv.exec:\ddjpv.exe117⤵
-
\??\c:\fffxxrx.exec:\fffxxrx.exe118⤵
-
\??\c:\thttbb.exec:\thttbb.exe119⤵
-
\??\c:\pvppv.exec:\pvppv.exe120⤵
-
\??\c:\pvdvv.exec:\pvdvv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-