Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
03-08-2024 03:20
General
-
Target
cfc296b0789bf43b37b225ed1f918aa444a3132f78eda3a9fd303585d7503581.exe
-
Size
107KB
-
MD5
38ba27bd886286588fb072673d34f0cb
-
SHA1
836ca398172fd7c8f1f3669a83f905db374c6729
-
SHA256
cfc296b0789bf43b37b225ed1f918aa444a3132f78eda3a9fd303585d7503581
-
SHA512
db4cb2783db74e218247d13ad47dcb8769457e19d5b03daade4ae48d43e505acdedfa7453cff53c97965b8ff82ad560eb000a876b50839634db9c66a77098490
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoTNKDeS98hPUdHV7RNzfJNXZmJ:ymb3NkkiQ3mdBjFo5KDe88g1fDg
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfc296b0789bf43b37b225ed1f918aa444a3132f78eda3a9fd303585d7503581.exe"C:\Users\Admin\AppData\Local\Temp\cfc296b0789bf43b37b225ed1f918aa444a3132f78eda3a9fd303585d7503581.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7vvdj.exec:\7vvdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rllxfx.exec:\9rllxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nbnth.exec:\7nbnth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjvj.exec:\dvjvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfflrr.exec:\rlfflrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9lfflrf.exec:\9lfflrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvjp.exec:\vvvjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjvd.exec:\vpjvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxfrrf.exec:\lfxfrrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbhh.exec:\btbbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdpj.exec:\dpdpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdpjv.exec:\pdpjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xxlrfl.exec:\3xxlrfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbtbb.exec:\btbtbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjvd.exec:\dpjvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddj.exec:\dvddj.exe17⤵
- Executes dropped EXE
-
\??\c:\xrlxllx.exec:\xrlxllx.exe18⤵
- Executes dropped EXE
-
\??\c:\nhbbtt.exec:\nhbbtt.exe19⤵
- Executes dropped EXE
-
\??\c:\vpdvd.exec:\vpdvd.exe20⤵
- Executes dropped EXE
-
\??\c:\xrfxxxx.exec:\xrfxxxx.exe21⤵
- Executes dropped EXE
-
\??\c:\llfflxf.exec:\llfflxf.exe22⤵
- Executes dropped EXE
-
\??\c:\hbtbnn.exec:\hbtbnn.exe23⤵
- Executes dropped EXE
-
\??\c:\bnhbbt.exec:\bnhbbt.exe24⤵
- Executes dropped EXE
-
\??\c:\ddvdd.exec:\ddvdd.exe25⤵
- Executes dropped EXE
-
\??\c:\fflxfxf.exec:\fflxfxf.exe26⤵
- Executes dropped EXE
-
\??\c:\xfrlrlf.exec:\xfrlrlf.exe27⤵
- Executes dropped EXE
-
\??\c:\bthbhh.exec:\bthbhh.exe28⤵
- Executes dropped EXE
-
\??\c:\ddvpp.exec:\ddvpp.exe29⤵
- Executes dropped EXE
-
\??\c:\rlxrxrf.exec:\rlxrxrf.exe30⤵
- Executes dropped EXE
-
\??\c:\nnbnth.exec:\nnbnth.exe31⤵
- Executes dropped EXE
-
\??\c:\ttntbn.exec:\ttntbn.exe32⤵
- Executes dropped EXE
-
\??\c:\vppjp.exec:\vppjp.exe33⤵
- Executes dropped EXE
-
\??\c:\lfxxflx.exec:\lfxxflx.exe34⤵
- Executes dropped EXE
-
\??\c:\3fxxlfl.exec:\3fxxlfl.exe35⤵
- Executes dropped EXE
-
\??\c:\tththt.exec:\tththt.exe36⤵
- Executes dropped EXE
-
\??\c:\thnnnb.exec:\thnnnb.exe37⤵
- Executes dropped EXE
-
\??\c:\jjpvv.exec:\jjpvv.exe38⤵
- Executes dropped EXE
-
\??\c:\3jdjp.exec:\3jdjp.exe39⤵
- Executes dropped EXE
-
\??\c:\5llrxfr.exec:\5llrxfr.exe40⤵
- Executes dropped EXE
-
\??\c:\rlrxffr.exec:\rlrxffr.exe41⤵
- Executes dropped EXE
-
\??\c:\3thtnb.exec:\3thtnb.exe42⤵
- Executes dropped EXE
-
\??\c:\btnnnt.exec:\btnnnt.exe43⤵
- Executes dropped EXE
-
\??\c:\vpppv.exec:\vpppv.exe44⤵
- Executes dropped EXE
-
\??\c:\9pjpv.exec:\9pjpv.exe45⤵
- Executes dropped EXE
-
\??\c:\9xlllfr.exec:\9xlllfr.exe46⤵
- Executes dropped EXE
-
\??\c:\rffffxr.exec:\rffffxr.exe47⤵
- Executes dropped EXE
-
\??\c:\3bhhtt.exec:\3bhhtt.exe48⤵
- Executes dropped EXE
-
\??\c:\nnnnbt.exec:\nnnnbt.exe49⤵
- Executes dropped EXE
-
\??\c:\nbtbbh.exec:\nbtbbh.exe50⤵
- Executes dropped EXE
-
\??\c:\7vjjj.exec:\7vjjj.exe51⤵
- Executes dropped EXE
-
\??\c:\jddjv.exec:\jddjv.exe52⤵
- Executes dropped EXE
-
\??\c:\xrllxxl.exec:\xrllxxl.exe53⤵
- Executes dropped EXE
-
\??\c:\fxrxflx.exec:\fxrxflx.exe54⤵
- Executes dropped EXE
-
\??\c:\nhbhbn.exec:\nhbhbn.exe55⤵
- Executes dropped EXE
-
\??\c:\btthbt.exec:\btthbt.exe56⤵
- Executes dropped EXE
-
\??\c:\vpvdj.exec:\vpvdj.exe57⤵
- Executes dropped EXE
-
\??\c:\vpppv.exec:\vpppv.exe58⤵
- Executes dropped EXE
-
\??\c:\vpddp.exec:\vpddp.exe59⤵
- Executes dropped EXE
-
\??\c:\rfllrll.exec:\rfllrll.exe60⤵
- Executes dropped EXE
-
\??\c:\fllrrxl.exec:\fllrrxl.exe61⤵
- Executes dropped EXE
-
\??\c:\hhtbtt.exec:\hhtbtt.exe62⤵
- Executes dropped EXE
-
\??\c:\9tbbnh.exec:\9tbbnh.exe63⤵
- Executes dropped EXE
-
\??\c:\hhnnbh.exec:\hhnnbh.exe64⤵
- Executes dropped EXE
-
\??\c:\3ddvj.exec:\3ddvj.exe65⤵
- Executes dropped EXE
-
\??\c:\5dvvd.exec:\5dvvd.exe66⤵
-
\??\c:\flrlffr.exec:\flrlffr.exe67⤵
-
\??\c:\9fxxlrx.exec:\9fxxlrx.exe68⤵
-
\??\c:\lrxxxxl.exec:\lrxxxxl.exe69⤵
-
\??\c:\bthbhn.exec:\bthbhn.exe70⤵
-
\??\c:\tntnth.exec:\tntnth.exe71⤵
-
\??\c:\vpdvp.exec:\vpdvp.exe72⤵
-
\??\c:\1jvvj.exec:\1jvvj.exe73⤵
-
\??\c:\9xllllr.exec:\9xllllr.exe74⤵
-
\??\c:\fllxffx.exec:\fllxffx.exe75⤵
-
\??\c:\9rlrrxf.exec:\9rlrrxf.exe76⤵
-
\??\c:\nhhntt.exec:\nhhntt.exe77⤵
-
\??\c:\btbhnn.exec:\btbhnn.exe78⤵
-
\??\c:\jdjdj.exec:\jdjdj.exe79⤵
-
\??\c:\9vvdj.exec:\9vvdj.exe80⤵
-
\??\c:\fxlflrl.exec:\fxlflrl.exe81⤵
-
\??\c:\xrfflfr.exec:\xrfflfr.exe82⤵
-
\??\c:\nhnhnb.exec:\nhnhnb.exe83⤵
-
\??\c:\jvjvd.exec:\jvjvd.exe84⤵
-
\??\c:\ddvdp.exec:\ddvdp.exe85⤵
-
\??\c:\xrlrfrf.exec:\xrlrfrf.exe86⤵
-
\??\c:\bbtnnb.exec:\bbtnnb.exe87⤵
-
\??\c:\vpdjv.exec:\vpdjv.exe88⤵
-
\??\c:\jpjjd.exec:\jpjjd.exe89⤵
-
\??\c:\1xxrfxx.exec:\1xxrfxx.exe90⤵
-
\??\c:\nnhntt.exec:\nnhntt.exe91⤵
-
\??\c:\vdpjp.exec:\vdpjp.exe92⤵
-
\??\c:\rlrrxxl.exec:\rlrrxxl.exe93⤵
-
\??\c:\5xfffxf.exec:\5xfffxf.exe94⤵
-
\??\c:\btthtt.exec:\btthtt.exe95⤵
-
\??\c:\1pddv.exec:\1pddv.exe96⤵
-
\??\c:\pdjjp.exec:\pdjjp.exe97⤵
-
\??\c:\pvppd.exec:\pvppd.exe98⤵
-
\??\c:\rlrfffr.exec:\rlrfffr.exe99⤵
-
\??\c:\9rlrrxx.exec:\9rlrrxx.exe100⤵
-
\??\c:\bnnhbt.exec:\bnnhbt.exe101⤵
-
\??\c:\pjdjv.exec:\pjdjv.exe102⤵
-
\??\c:\ddvvv.exec:\ddvvv.exe103⤵
-
\??\c:\9frlrrl.exec:\9frlrrl.exe104⤵
-
\??\c:\fxlxrxl.exec:\fxlxrxl.exe105⤵
-
\??\c:\5bnbbb.exec:\5bnbbb.exe106⤵
-
\??\c:\nnbbtt.exec:\nnbbtt.exe107⤵
-
\??\c:\vpjdj.exec:\vpjdj.exe108⤵
-
\??\c:\xllffff.exec:\xllffff.exe109⤵
-
\??\c:\fxffllf.exec:\fxffllf.exe110⤵
-
\??\c:\3hbbhh.exec:\3hbbhh.exe111⤵
- System Location Discovery: System Language Discovery
-
\??\c:\thtthn.exec:\thtthn.exe112⤵
-
\??\c:\vvdvv.exec:\vvdvv.exe113⤵
-
\??\c:\7vdpv.exec:\7vdpv.exe114⤵
-
\??\c:\xlxxxff.exec:\xlxxxff.exe115⤵
-
\??\c:\xrrxlrf.exec:\xrrxlrf.exe116⤵
-
\??\c:\7nhnbh.exec:\7nhnbh.exe117⤵
-
\??\c:\btbhbt.exec:\btbhbt.exe118⤵
-
\??\c:\hbntbb.exec:\hbntbb.exe119⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe120⤵
-
\??\c:\rrlxflr.exec:\rrlxflr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-