Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
18-08-2024 03:19
General
-
Target
b58fff930e892b84635f2a3054693a70N.exe
-
Size
261KB
-
MD5
b58fff930e892b84635f2a3054693a70
-
SHA1
6531e70cd467de9461d1362cf2bf764d80ab4ec7
-
SHA256
1a773e6696b1afe09189e023a3e5be75f303df90692ae6cbbee8c543c228ade7
-
SHA512
a0f08f1fde5a8cdd0791f99c2fe8a4bf1e7995eca0beb1f0d0095097565b3f62c0092761fa0bb38098151101fe5e2fc06e1b4c5e2e86da8e9781045ab0672dce
-
SSDEEP
6144:n3C9BRo7tvnJ9Fywhk/T4i37K3BoKg0qF:n3C9ytvn8whkb4i3e3GF/F
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b58fff930e892b84635f2a3054693a70N.exe"C:\Users\Admin\AppData\Local\Temp\b58fff930e892b84635f2a3054693a70N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhnn.exec:\hbhhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhttbh.exec:\nhttbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vjpj.exec:\5vjpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnttbn.exec:\bnttbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdjd.exec:\ppdjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7pddp.exec:\7pddp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbbhb.exec:\htbbhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3pddj.exec:\3pddj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrfxfl.exec:\fxrfxfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbtbb.exec:\nnbtbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vjjp.exec:\9vjjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrlxfl.exec:\lfrlxfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxflll.exec:\rlxflll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nnhnh.exec:\3nnhnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppjp.exec:\dppjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtbhb.exec:\bbtbhb.exe17⤵
- Executes dropped EXE
-
\??\c:\htbhtn.exec:\htbhtn.exe18⤵
- Executes dropped EXE
-
\??\c:\llfxfll.exec:\llfxfll.exe19⤵
- Executes dropped EXE
-
\??\c:\5rrrllx.exec:\5rrrllx.exe20⤵
- Executes dropped EXE
-
\??\c:\9dpjv.exec:\9dpjv.exe21⤵
- Executes dropped EXE
-
\??\c:\pjvdp.exec:\pjvdp.exe22⤵
- Executes dropped EXE
-
\??\c:\xxrrffl.exec:\xxrrffl.exe23⤵
- Executes dropped EXE
-
\??\c:\nhbhtt.exec:\nhbhtt.exe24⤵
- Executes dropped EXE
-
\??\c:\pjvdj.exec:\pjvdj.exe25⤵
- Executes dropped EXE
-
\??\c:\lfrlfff.exec:\lfrlfff.exe26⤵
- Executes dropped EXE
-
\??\c:\hhtthh.exec:\hhtthh.exe27⤵
- Executes dropped EXE
-
\??\c:\bbtbnn.exec:\bbtbnn.exe28⤵
- Executes dropped EXE
-
\??\c:\xrffrrx.exec:\xrffrrx.exe29⤵
- Executes dropped EXE
-
\??\c:\nhnhbb.exec:\nhnhbb.exe30⤵
- Executes dropped EXE
-
\??\c:\3dddp.exec:\3dddp.exe31⤵
- Executes dropped EXE
-
\??\c:\fxlrxxx.exec:\fxlrxxx.exe32⤵
- Executes dropped EXE
-
\??\c:\nhtntn.exec:\nhtntn.exe33⤵
- Executes dropped EXE
-
\??\c:\7nhbhh.exec:\7nhbhh.exe34⤵
- Executes dropped EXE
-
\??\c:\jjppv.exec:\jjppv.exe35⤵
- Executes dropped EXE
-
\??\c:\llrlrll.exec:\llrlrll.exe36⤵
- Executes dropped EXE
-
\??\c:\rlfxffl.exec:\rlfxffl.exe37⤵
- Executes dropped EXE
-
\??\c:\3nttbb.exec:\3nttbb.exe38⤵
- Executes dropped EXE
-
\??\c:\dddjd.exec:\dddjd.exe39⤵
- Executes dropped EXE
-
\??\c:\jpvdp.exec:\jpvdp.exe40⤵
- Executes dropped EXE
-
\??\c:\5xxfrfx.exec:\5xxfrfx.exe41⤵
- Executes dropped EXE
-
\??\c:\rfxflfl.exec:\rfxflfl.exe42⤵
- Executes dropped EXE
-
\??\c:\ththbh.exec:\ththbh.exe43⤵
- Executes dropped EXE
-
\??\c:\7jppd.exec:\7jppd.exe44⤵
- Executes dropped EXE
-
\??\c:\vvjvp.exec:\vvjvp.exe45⤵
- Executes dropped EXE
-
\??\c:\lfllffx.exec:\lfllffx.exe46⤵
- Executes dropped EXE
-
\??\c:\7xfxflf.exec:\7xfxflf.exe47⤵
- Executes dropped EXE
-
\??\c:\tnbnbn.exec:\tnbnbn.exe48⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe49⤵
- Executes dropped EXE
-
\??\c:\vpddp.exec:\vpddp.exe50⤵
- Executes dropped EXE
-
\??\c:\xxxfrxl.exec:\xxxfrxl.exe51⤵
- Executes dropped EXE
-
\??\c:\fxlrrxl.exec:\fxlrrxl.exe52⤵
- Executes dropped EXE
-
\??\c:\1nnhht.exec:\1nnhht.exe53⤵
- Executes dropped EXE
-
\??\c:\pjdjd.exec:\pjdjd.exe54⤵
- Executes dropped EXE
-
\??\c:\pjjdj.exec:\pjjdj.exe55⤵
- Executes dropped EXE
-
\??\c:\fxrrrrr.exec:\fxrrrrr.exe56⤵
- Executes dropped EXE
-
\??\c:\bbtbbt.exec:\bbtbbt.exe57⤵
- Executes dropped EXE
-
\??\c:\tnhthn.exec:\tnhthn.exe58⤵
- Executes dropped EXE
-
\??\c:\vvpjd.exec:\vvpjd.exe59⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe60⤵
- Executes dropped EXE
-
\??\c:\5lfrxlx.exec:\5lfrxlx.exe61⤵
- Executes dropped EXE
-
\??\c:\bntttb.exec:\bntttb.exe62⤵
- Executes dropped EXE
-
\??\c:\hbtbnt.exec:\hbtbnt.exe63⤵
- Executes dropped EXE
-
\??\c:\dvppj.exec:\dvppj.exe64⤵
- Executes dropped EXE
-
\??\c:\5jvjj.exec:\5jvjj.exe65⤵
- Executes dropped EXE
-
\??\c:\3lrflff.exec:\3lrflff.exe66⤵
-
\??\c:\ttbthh.exec:\ttbthh.exe67⤵
-
\??\c:\1nttbb.exec:\1nttbb.exe68⤵
-
\??\c:\5jpvv.exec:\5jpvv.exe69⤵
-
\??\c:\9jddj.exec:\9jddj.exe70⤵
-
\??\c:\xrxxffl.exec:\xrxxffl.exe71⤵
-
\??\c:\tnnhbh.exec:\tnnhbh.exe72⤵
-
\??\c:\nnbhnt.exec:\nnbhnt.exe73⤵
-
\??\c:\dpjjp.exec:\dpjjp.exe74⤵
-
\??\c:\3vpjj.exec:\3vpjj.exe75⤵
-
\??\c:\rfrlrll.exec:\rfrlrll.exe76⤵
-
\??\c:\lfxlxxl.exec:\lfxlxxl.exe77⤵
-
\??\c:\9thhbt.exec:\9thhbt.exe78⤵
-
\??\c:\1vpjp.exec:\1vpjp.exe79⤵
-
\??\c:\lfrlrxf.exec:\lfrlrxf.exe80⤵
-
\??\c:\lllrfrf.exec:\lllrfrf.exe81⤵
-
\??\c:\1hntnt.exec:\1hntnt.exe82⤵
-
\??\c:\bnbbtt.exec:\bnbbtt.exe83⤵
-
\??\c:\ppjpv.exec:\ppjpv.exe84⤵
-
\??\c:\llxflrr.exec:\llxflrr.exe85⤵
-
\??\c:\5fxxxxx.exec:\5fxxxxx.exe86⤵
-
\??\c:\hbhntb.exec:\hbhntb.exe87⤵
-
\??\c:\hbhbhb.exec:\hbhbhb.exe88⤵
-
\??\c:\5dpvd.exec:\5dpvd.exe89⤵
-
\??\c:\fxllxlr.exec:\fxllxlr.exe90⤵
-
\??\c:\rllxlrx.exec:\rllxlrx.exe91⤵
-
\??\c:\9hnnbt.exec:\9hnnbt.exe92⤵
-
\??\c:\hbhtbt.exec:\hbhtbt.exe93⤵
-
\??\c:\9djjj.exec:\9djjj.exe94⤵
-
\??\c:\fxxfrxr.exec:\fxxfrxr.exe95⤵
-
\??\c:\7nhnth.exec:\7nhnth.exe96⤵
-
\??\c:\nhbnhn.exec:\nhbnhn.exe97⤵
-
\??\c:\3jddj.exec:\3jddj.exe98⤵
-
\??\c:\xrlrflf.exec:\xrlrflf.exe99⤵
-
\??\c:\rrrrffx.exec:\rrrrffx.exe100⤵
-
\??\c:\tnbbht.exec:\tnbbht.exe101⤵
-
\??\c:\btnthh.exec:\btnthh.exe102⤵
-
\??\c:\ddvvv.exec:\ddvvv.exe103⤵
-
\??\c:\vpjpd.exec:\vpjpd.exe104⤵
-
\??\c:\rrllxfr.exec:\rrllxfr.exe105⤵
-
\??\c:\tbthtb.exec:\tbthtb.exe106⤵
-
\??\c:\tnhhnt.exec:\tnhhnt.exe107⤵
-
\??\c:\pdpvv.exec:\pdpvv.exe108⤵
-
\??\c:\dppvj.exec:\dppvj.exe109⤵
-
\??\c:\rllxlxf.exec:\rllxlxf.exe110⤵
-
\??\c:\frflrfl.exec:\frflrfl.exe111⤵
-
\??\c:\nhnbhn.exec:\nhnbhn.exe112⤵
-
\??\c:\ppddp.exec:\ppddp.exe113⤵
-
\??\c:\7jvvd.exec:\7jvvd.exe114⤵
-
\??\c:\xxrrxxl.exec:\xxrrxxl.exe115⤵
-
\??\c:\bthntt.exec:\bthntt.exe116⤵
-
\??\c:\hhttbb.exec:\hhttbb.exe117⤵
-
\??\c:\ddppv.exec:\ddppv.exe118⤵
-
\??\c:\3lflrrx.exec:\3lflrrx.exe119⤵
-
\??\c:\hhbhtt.exec:\hhbhtt.exe120⤵
-
\??\c:\ttbnth.exec:\ttbnth.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-