Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
17/08/2024, 23:39
General
-
Target
deb8cc4d2e28901c1ddaecfc0eb69430N.exe
-
Size
64KB
-
MD5
deb8cc4d2e28901c1ddaecfc0eb69430
-
SHA1
f643c30ced3be39245d9a2025713ceef1622a560
-
SHA256
4eb91b32a500e67cfd47add1092e2f498f428b053e2e797fd60114c59adec2e1
-
SHA512
6543891fe9f5bd1a706d5e9fe9b1772a7a5eeb8b6b83ec6bb97cdb1986a71c2247917afcaaa48f9a225d5308d8a7bcc511f0149f47720c41e27e9490d3527537
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxm:ymb3NkkiQ3mdBjF0y7kbY
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\deb8cc4d2e28901c1ddaecfc0eb69430N.exe"C:\Users\Admin\AppData\Local\Temp\deb8cc4d2e28901c1ddaecfc0eb69430N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrllfr.exec:\rxrllfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbhtb.exec:\hhbhtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvvp.exec:\ddvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdpd.exec:\dvdpd.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhntb.exec:\nnhntb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdjj.exec:\dvdjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vjjp.exec:\9vjjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnbtn.exec:\hbnbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bbbnh.exec:\9bbbnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpdj.exec:\jdpdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrlxfl.exec:\lfrlxfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfrxxf.exec:\rlfrxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbhnt.exec:\nnbhnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvvj.exec:\pdvvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrrrfl.exec:\frrrrfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxlxff.exec:\fxxlxff.exe17⤵
- Executes dropped EXE
-
\??\c:\9bbbnb.exec:\9bbbnb.exe18⤵
- Executes dropped EXE
-
\??\c:\djjdv.exec:\djjdv.exe19⤵
- Executes dropped EXE
-
\??\c:\jjpdj.exec:\jjpdj.exe20⤵
- Executes dropped EXE
-
\??\c:\fffffrl.exec:\fffffrl.exe21⤵
- Executes dropped EXE
-
\??\c:\7nnbnt.exec:\7nnbnt.exe22⤵
- Executes dropped EXE
-
\??\c:\bbbnbh.exec:\bbbnbh.exe23⤵
- Executes dropped EXE
-
\??\c:\ppdjp.exec:\ppdjp.exe24⤵
- Executes dropped EXE
-
\??\c:\1vvjv.exec:\1vvjv.exe25⤵
- Executes dropped EXE
-
\??\c:\ffxxffr.exec:\ffxxffr.exe26⤵
- Executes dropped EXE
-
\??\c:\5bnbhh.exec:\5bnbhh.exe27⤵
- Executes dropped EXE
-
\??\c:\ddvjv.exec:\ddvjv.exe28⤵
- Executes dropped EXE
-
\??\c:\lfxflrf.exec:\lfxflrf.exe29⤵
- Executes dropped EXE
-
\??\c:\rlfrflx.exec:\rlfrflx.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nhthnt.exec:\nhthnt.exe31⤵
- Executes dropped EXE
-
\??\c:\7jpjd.exec:\7jpjd.exe32⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe33⤵
- Executes dropped EXE
-
\??\c:\xxxflfx.exec:\xxxflfx.exe34⤵
- Executes dropped EXE
-
\??\c:\hhbhtb.exec:\hhbhtb.exe35⤵
- Executes dropped EXE
-
\??\c:\btbnbh.exec:\btbnbh.exe36⤵
- Executes dropped EXE
-
\??\c:\vpjpp.exec:\vpjpp.exe37⤵
- Executes dropped EXE
-
\??\c:\dvjdj.exec:\dvjdj.exe38⤵
- Executes dropped EXE
-
\??\c:\fxffxfl.exec:\fxffxfl.exe39⤵
- Executes dropped EXE
-
\??\c:\lfxlrxl.exec:\lfxlrxl.exe40⤵
- Executes dropped EXE
-
\??\c:\nhtttb.exec:\nhtttb.exe41⤵
- Executes dropped EXE
-
\??\c:\nhnntb.exec:\nhnntb.exe42⤵
- Executes dropped EXE
-
\??\c:\dvddp.exec:\dvddp.exe43⤵
- Executes dropped EXE
-
\??\c:\5ppvv.exec:\5ppvv.exe44⤵
- Executes dropped EXE
-
\??\c:\xxlrffl.exec:\xxlrffl.exe45⤵
- Executes dropped EXE
-
\??\c:\lrlxfrf.exec:\lrlxfrf.exe46⤵
- Executes dropped EXE
-
\??\c:\hbnbhb.exec:\hbnbhb.exe47⤵
- Executes dropped EXE
-
\??\c:\hhtnnb.exec:\hhtnnb.exe48⤵
- Executes dropped EXE
-
\??\c:\9dvpv.exec:\9dvpv.exe49⤵
- Executes dropped EXE
-
\??\c:\jdpvj.exec:\jdpvj.exe50⤵
- Executes dropped EXE
-
\??\c:\rlxrrrf.exec:\rlxrrrf.exe51⤵
- Executes dropped EXE
-
\??\c:\ffrfxxx.exec:\ffrfxxx.exe52⤵
- Executes dropped EXE
-
\??\c:\nbntth.exec:\nbntth.exe53⤵
- Executes dropped EXE
-
\??\c:\vvdpv.exec:\vvdpv.exe54⤵
- Executes dropped EXE
-
\??\c:\vppvj.exec:\vppvj.exe55⤵
- Executes dropped EXE
-
\??\c:\9frlxxl.exec:\9frlxxl.exe56⤵
- Executes dropped EXE
-
\??\c:\lffflll.exec:\lffflll.exe57⤵
- Executes dropped EXE
-
\??\c:\nhhnbb.exec:\nhhnbb.exe58⤵
- Executes dropped EXE
-
\??\c:\nhbbtt.exec:\nhbbtt.exe59⤵
- Executes dropped EXE
-
\??\c:\dpdjp.exec:\dpdjp.exe60⤵
- Executes dropped EXE
-
\??\c:\vpjjp.exec:\vpjjp.exe61⤵
- Executes dropped EXE
-
\??\c:\lrrfxfr.exec:\lrrfxfr.exe62⤵
- Executes dropped EXE
-
\??\c:\ththnt.exec:\ththnt.exe63⤵
- Executes dropped EXE
-
\??\c:\bbhbbt.exec:\bbhbbt.exe64⤵
- Executes dropped EXE
-
\??\c:\dpvdj.exec:\dpvdj.exe65⤵
- Executes dropped EXE
-
\??\c:\nnbhbh.exec:\nnbhbh.exe66⤵
-
\??\c:\5tnnnt.exec:\5tnnnt.exe67⤵
-
\??\c:\jjdjv.exec:\jjdjv.exe68⤵
-
\??\c:\ddvdv.exec:\ddvdv.exe69⤵
-
\??\c:\rlrxrrf.exec:\rlrxrrf.exe70⤵
-
\??\c:\xrlflrx.exec:\xrlflrx.exe71⤵
-
\??\c:\5hbnhh.exec:\5hbnhh.exe72⤵
-
\??\c:\bbnhnn.exec:\bbnhnn.exe73⤵
-
\??\c:\5pjdj.exec:\5pjdj.exe74⤵
-
\??\c:\9vjdd.exec:\9vjdd.exe75⤵
-
\??\c:\vjdpv.exec:\vjdpv.exe76⤵
-
\??\c:\xxffflf.exec:\xxffflf.exe77⤵
-
\??\c:\7xrlxrx.exec:\7xrlxrx.exe78⤵
-
\??\c:\5bnbbh.exec:\5bnbbh.exe79⤵
-
\??\c:\hbttbh.exec:\hbttbh.exe80⤵
-
\??\c:\pjpvd.exec:\pjpvd.exe81⤵
-
\??\c:\jdppv.exec:\jdppv.exe82⤵
-
\??\c:\lffrffx.exec:\lffrffx.exe83⤵
-
\??\c:\rlflrxf.exec:\rlflrxf.exe84⤵
-
\??\c:\tnbnnn.exec:\tnbnnn.exe85⤵
-
\??\c:\bbntbh.exec:\bbntbh.exe86⤵
-
\??\c:\dppvv.exec:\dppvv.exe87⤵
-
\??\c:\ppdpv.exec:\ppdpv.exe88⤵
-
\??\c:\9flrrrr.exec:\9flrrrr.exe89⤵
-
\??\c:\3llxfrr.exec:\3llxfrr.exe90⤵
-
\??\c:\9hhbnh.exec:\9hhbnh.exe91⤵
-
\??\c:\ththtb.exec:\ththtb.exe92⤵
-
\??\c:\ppddp.exec:\ppddp.exe93⤵
-
\??\c:\dpppv.exec:\dpppv.exe94⤵
-
\??\c:\fxffxxx.exec:\fxffxxx.exe95⤵
-
\??\c:\rflxxxf.exec:\rflxxxf.exe96⤵
-
\??\c:\7hhbth.exec:\7hhbth.exe97⤵
-
\??\c:\nnntbh.exec:\nnntbh.exe98⤵
-
\??\c:\nbntbt.exec:\nbntbt.exe99⤵
-
\??\c:\jdpdp.exec:\jdpdp.exe100⤵
-
\??\c:\3rxxrxr.exec:\3rxxrxr.exe101⤵
-
\??\c:\lflxflx.exec:\lflxflx.exe102⤵
-
\??\c:\fxxlllr.exec:\fxxlllr.exe103⤵
-
\??\c:\tbthhn.exec:\tbthhn.exe104⤵
-
\??\c:\tthtnb.exec:\tthtnb.exe105⤵
-
\??\c:\1pddv.exec:\1pddv.exe106⤵
-
\??\c:\vpdpp.exec:\vpdpp.exe107⤵
-
\??\c:\lfxxflx.exec:\lfxxflx.exe108⤵
-
\??\c:\1lfrrxx.exec:\1lfrrxx.exe109⤵
-
\??\c:\hbnntn.exec:\hbnntn.exe110⤵
-
\??\c:\tnbhnh.exec:\tnbhnh.exe111⤵
-
\??\c:\vjvvv.exec:\vjvvv.exe112⤵
-
\??\c:\dpjdp.exec:\dpjdp.exe113⤵
-
\??\c:\xflffff.exec:\xflffff.exe114⤵
-
\??\c:\xffxlxf.exec:\xffxlxf.exe115⤵
-
\??\c:\ttthbn.exec:\ttthbn.exe116⤵
- System Location Discovery: System Language Discovery
-
\??\c:\tntttb.exec:\tntttb.exe117⤵
-
\??\c:\jjdjd.exec:\jjdjd.exe118⤵
-
\??\c:\vjpjv.exec:\vjpjv.exe119⤵
-
\??\c:\rfrlffl.exec:\rfrlffl.exe120⤵
-
\??\c:\3xxllrx.exec:\3xxllrx.exe121⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-