Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
05/08/2024, 09:07
General
-
Target
736a73aa85054b11a5f52ab365705b80N.exe
-
Size
225KB
-
MD5
736a73aa85054b11a5f52ab365705b80
-
SHA1
6475ba7cfec5ccf10c02a396375bf7fe7437b436
-
SHA256
47515ceed1617cbf96364188b450e3ebab2058110736a6cfc5013339cf0d3521
-
SHA512
728defb4534e20c6cc6e0be000663225458eac6efe26104aa2f2d1cf966a9c32820b0bc18010a9cbef32d2c02ce22e0ff6598eb1be05e9f9a3e6e1d388eb60a9
-
SSDEEP
6144:n3C9BRo7tvnJ9oEz2Eu9XgcVyDOoZU0wGy:n3C9ytvnV2NQAo20wGy
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\736a73aa85054b11a5f52ab365705b80N.exe"C:\Users\Admin\AppData\Local\Temp\736a73aa85054b11a5f52ab365705b80N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrxflx.exec:\xxrxflx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbnnnb.exec:\tbnnnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpdv.exec:\ddpdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfrfrf.exec:\rrfrfrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbthh.exec:\hhbthh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddjj.exec:\dddjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xlflll.exec:\9xlflll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnbbb.exec:\nnnbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhnhh.exec:\nnhnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvdd.exec:\ppvdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rrfrxr.exec:\7rrfrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ttnnt.exec:\7ttnnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3hbhth.exec:\3hbhth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppdp.exec:\pppdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrflxf.exec:\llrflxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxflrfl.exec:\xxflrfl.exe17⤵
- Executes dropped EXE
-
\??\c:\ttbnbh.exec:\ttbnbh.exe18⤵
- Executes dropped EXE
-
\??\c:\dddpj.exec:\dddpj.exe19⤵
- Executes dropped EXE
-
\??\c:\fffflrf.exec:\fffflrf.exe20⤵
- Executes dropped EXE
-
\??\c:\flllrrf.exec:\flllrrf.exe21⤵
- Executes dropped EXE
-
\??\c:\9vvdp.exec:\9vvdp.exe22⤵
- Executes dropped EXE
-
\??\c:\jjjvp.exec:\jjjvp.exe23⤵
- Executes dropped EXE
-
\??\c:\lfxflrl.exec:\lfxflrl.exe24⤵
- Executes dropped EXE
-
\??\c:\5tthtb.exec:\5tthtb.exe25⤵
- Executes dropped EXE
-
\??\c:\vdjpv.exec:\vdjpv.exe26⤵
- Executes dropped EXE
-
\??\c:\jjdpj.exec:\jjdpj.exe27⤵
- Executes dropped EXE
-
\??\c:\5rrxrfl.exec:\5rrxrfl.exe28⤵
- Executes dropped EXE
-
\??\c:\tnhtht.exec:\tnhtht.exe29⤵
- Executes dropped EXE
-
\??\c:\vvvdj.exec:\vvvdj.exe30⤵
- Executes dropped EXE
-
\??\c:\dpvjd.exec:\dpvjd.exe31⤵
- Executes dropped EXE
-
\??\c:\rlllxfl.exec:\rlllxfl.exe32⤵
- Executes dropped EXE
-
\??\c:\nnnbhh.exec:\nnnbhh.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\lrrxllx.exec:\lrrxllx.exe34⤵
- Executes dropped EXE
-
\??\c:\rrfxlxl.exec:\rrfxlxl.exe35⤵
- Executes dropped EXE
-
\??\c:\bbtttb.exec:\bbtttb.exe36⤵
- Executes dropped EXE
-
\??\c:\hhbhtb.exec:\hhbhtb.exe37⤵
- Executes dropped EXE
-
\??\c:\3ppjv.exec:\3ppjv.exe38⤵
- Executes dropped EXE
-
\??\c:\jjjjd.exec:\jjjjd.exe39⤵
- Executes dropped EXE
-
\??\c:\7lflxfx.exec:\7lflxfx.exe40⤵
- Executes dropped EXE
-
\??\c:\5xrfrfr.exec:\5xrfrfr.exe41⤵
- Executes dropped EXE
-
\??\c:\tbbnbh.exec:\tbbnbh.exe42⤵
- Executes dropped EXE
-
\??\c:\5thhtb.exec:\5thhtb.exe43⤵
- Executes dropped EXE
-
\??\c:\ppjjv.exec:\ppjjv.exe44⤵
- Executes dropped EXE
-
\??\c:\9dpvd.exec:\9dpvd.exe45⤵
- Executes dropped EXE
-
\??\c:\fxxlxlr.exec:\fxxlxlr.exe46⤵
- Executes dropped EXE
-
\??\c:\rrfxlxl.exec:\rrfxlxl.exe47⤵
- Executes dropped EXE
-
\??\c:\1nhthn.exec:\1nhthn.exe48⤵
- Executes dropped EXE
-
\??\c:\dddvp.exec:\dddvp.exe49⤵
- Executes dropped EXE
-
\??\c:\5vvdp.exec:\5vvdp.exe50⤵
- Executes dropped EXE
-
\??\c:\jpdvj.exec:\jpdvj.exe51⤵
- Executes dropped EXE
-
\??\c:\lrffffr.exec:\lrffffr.exe52⤵
- Executes dropped EXE
-
\??\c:\ttntnt.exec:\ttntnt.exe53⤵
- Executes dropped EXE
-
\??\c:\1hbthn.exec:\1hbthn.exe54⤵
- Executes dropped EXE
-
\??\c:\ppvjj.exec:\ppvjj.exe55⤵
- Executes dropped EXE
-
\??\c:\jjdpp.exec:\jjdpp.exe56⤵
- Executes dropped EXE
-
\??\c:\3flxrfr.exec:\3flxrfr.exe57⤵
- Executes dropped EXE
-
\??\c:\xxlrllf.exec:\xxlrllf.exe58⤵
- Executes dropped EXE
-
\??\c:\hbnhbb.exec:\hbnhbb.exe59⤵
- Executes dropped EXE
-
\??\c:\nhtnth.exec:\nhtnth.exe60⤵
- Executes dropped EXE
-
\??\c:\jjdjv.exec:\jjdjv.exe61⤵
- Executes dropped EXE
-
\??\c:\1jdvd.exec:\1jdvd.exe62⤵
- Executes dropped EXE
-
\??\c:\llxfxfr.exec:\llxfxfr.exe63⤵
- Executes dropped EXE
-
\??\c:\xffllfx.exec:\xffllfx.exe64⤵
- Executes dropped EXE
-
\??\c:\bhtnht.exec:\bhtnht.exe65⤵
- Executes dropped EXE
-
\??\c:\bbhthb.exec:\bbhthb.exe66⤵
-
\??\c:\vvjvp.exec:\vvjvp.exe67⤵
- System Location Discovery: System Language Discovery
-
\??\c:\9dddj.exec:\9dddj.exe68⤵
-
\??\c:\rrfflrl.exec:\rrfflrl.exe69⤵
-
\??\c:\9fxfffx.exec:\9fxfffx.exe70⤵
-
\??\c:\hnhbnb.exec:\hnhbnb.exe71⤵
- System Location Discovery: System Language Discovery
-
\??\c:\bhhtth.exec:\bhhtth.exe72⤵
-
\??\c:\5dvpj.exec:\5dvpj.exe73⤵
-
\??\c:\7vpvd.exec:\7vpvd.exe74⤵
-
\??\c:\3rlrllx.exec:\3rlrllx.exe75⤵
-
\??\c:\rfrxflr.exec:\rfrxflr.exe76⤵
-
\??\c:\5bbtnt.exec:\5bbtnt.exe77⤵
-
\??\c:\tnhhnb.exec:\tnhhnb.exe78⤵
-
\??\c:\vpdpd.exec:\vpdpd.exe79⤵
-
\??\c:\9ppvj.exec:\9ppvj.exe80⤵
-
\??\c:\7rlrxlx.exec:\7rlrxlx.exe81⤵
-
\??\c:\xrlrlrf.exec:\xrlrlrf.exe82⤵
-
\??\c:\nhhtnb.exec:\nhhtnb.exe83⤵
-
\??\c:\1nnnbn.exec:\1nnnbn.exe84⤵
-
\??\c:\vppjd.exec:\vppjd.exe85⤵
-
\??\c:\djjpv.exec:\djjpv.exe86⤵
-
\??\c:\lllxflx.exec:\lllxflx.exe87⤵
-
\??\c:\fflrrfr.exec:\fflrrfr.exe88⤵
-
\??\c:\3bhnbh.exec:\3bhnbh.exe89⤵
-
\??\c:\3dpvj.exec:\3dpvj.exe90⤵
-
\??\c:\pjpvj.exec:\pjpvj.exe91⤵
-
\??\c:\pjdpv.exec:\pjdpv.exe92⤵
-
\??\c:\llxfllr.exec:\llxfllr.exe93⤵
-
\??\c:\xrfxrxr.exec:\xrfxrxr.exe94⤵
-
\??\c:\hbbbnn.exec:\hbbbnn.exe95⤵
-
\??\c:\vpddp.exec:\vpddp.exe96⤵
-
\??\c:\3dvdd.exec:\3dvdd.exe97⤵
-
\??\c:\rlffxxl.exec:\rlffxxl.exe98⤵
-
\??\c:\5llxrrl.exec:\5llxrrl.exe99⤵
-
\??\c:\nhnhbt.exec:\nhnhbt.exe100⤵
-
\??\c:\hnhthh.exec:\hnhthh.exe101⤵
-
\??\c:\jvjjv.exec:\jvjjv.exe102⤵
-
\??\c:\dvjvj.exec:\dvjvj.exe103⤵
- System Location Discovery: System Language Discovery
-
\??\c:\lxfrxrx.exec:\lxfrxrx.exe104⤵
-
\??\c:\fllxlxx.exec:\fllxlxx.exe105⤵
-
\??\c:\bbntbt.exec:\bbntbt.exe106⤵
-
\??\c:\hhhthn.exec:\hhhthn.exe107⤵
-
\??\c:\pjppj.exec:\pjppj.exe108⤵
-
\??\c:\9vppj.exec:\9vppj.exe109⤵
-
\??\c:\fxrxlrf.exec:\fxrxlrf.exe110⤵
-
\??\c:\fxrxxxl.exec:\fxrxxxl.exe111⤵
-
\??\c:\ttnbnt.exec:\ttnbnt.exe112⤵
-
\??\c:\bhthbh.exec:\bhthbh.exe113⤵
-
\??\c:\3dppd.exec:\3dppd.exe114⤵
-
\??\c:\vvjpj.exec:\vvjpj.exe115⤵
-
\??\c:\ffllxxl.exec:\ffllxxl.exe116⤵
-
\??\c:\1xlrxfr.exec:\1xlrxfr.exe117⤵
-
\??\c:\ntthtn.exec:\ntthtn.exe118⤵
-
\??\c:\hbntbb.exec:\hbntbb.exe119⤵
-
\??\c:\vpjjp.exec:\vpjjp.exe120⤵
-
\??\c:\jjvdv.exec:\jjvdv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-