Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
18/08/2024, 07:00
General
-
Target
72c3d5ba11300153cf7479c7577e97f0N.exe
-
Size
78KB
-
MD5
72c3d5ba11300153cf7479c7577e97f0
-
SHA1
8896621fc3c1632646bdf385437fb04fbc6848d5
-
SHA256
2a94a389f31087a12f21d8d914a635f31ea7be44ba119b1a26abf1e79c22090f
-
SHA512
5b75b7fe69057d1bc9d1633fa0c647e4690c68396919fe635340d19cb5beec777a7318d42fe64cc0020dd8668ca3265bc2c509a94adf0663847f1b4b93164171
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2wVEJNQv:ymb3NkkiQ3mdBjF+3TU2KEJNQv
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\72c3d5ba11300153cf7479c7577e97f0N.exe"C:\Users\Admin\AppData\Local\Temp\72c3d5ba11300153cf7479c7577e97f0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvvp.exec:\pvvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3frffrf.exec:\3frffrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbbhh.exec:\bnbbhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvvd.exec:\vjvvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrflxl.exec:\fxrflxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxllllr.exec:\rxllllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hntbbh.exec:\hntbbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvp.exec:\dvpvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfffxl.exec:\rxfffxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntbbt.exec:\tntbbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtbhh.exec:\nhtbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpjv.exec:\vjpjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxfllx.exec:\lfxfllx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfflxfr.exec:\lfflxfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhnhtt.exec:\bhnhtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvdp.exec:\vvvdp.exe17⤵
- Executes dropped EXE
-
\??\c:\vpjvv.exec:\vpjvv.exe18⤵
- Executes dropped EXE
-
\??\c:\frxxfff.exec:\frxxfff.exe19⤵
- Executes dropped EXE
-
\??\c:\btnttb.exec:\btnttb.exe20⤵
- Executes dropped EXE
-
\??\c:\5htnnh.exec:\5htnnh.exe21⤵
- Executes dropped EXE
-
\??\c:\7vjpv.exec:\7vjpv.exe22⤵
- Executes dropped EXE
-
\??\c:\vjvvv.exec:\vjvvv.exe23⤵
- Executes dropped EXE
-
\??\c:\rllrxxl.exec:\rllrxxl.exe24⤵
- Executes dropped EXE
-
\??\c:\7nthth.exec:\7nthth.exe25⤵
- Executes dropped EXE
-
\??\c:\tnhntt.exec:\tnhntt.exe26⤵
- Executes dropped EXE
-
\??\c:\vdpvv.exec:\vdpvv.exe27⤵
- Executes dropped EXE
-
\??\c:\xxrlxlx.exec:\xxrlxlx.exe28⤵
- Executes dropped EXE
-
\??\c:\7thnhh.exec:\7thnhh.exe29⤵
- Executes dropped EXE
-
\??\c:\ppvpd.exec:\ppvpd.exe30⤵
- Executes dropped EXE
-
\??\c:\ddppd.exec:\ddppd.exe31⤵
- Executes dropped EXE
-
\??\c:\xxlllrf.exec:\xxlllrf.exe32⤵
- Executes dropped EXE
-
\??\c:\nbtbhh.exec:\nbtbhh.exe33⤵
- Executes dropped EXE
-
\??\c:\btnnht.exec:\btnnht.exe34⤵
- Executes dropped EXE
-
\??\c:\jjvpv.exec:\jjvpv.exe35⤵
- Executes dropped EXE
-
\??\c:\frxxlrx.exec:\frxxlrx.exe36⤵
- Executes dropped EXE
-
\??\c:\lfllfll.exec:\lfllfll.exe37⤵
- Executes dropped EXE
-
\??\c:\nbttbt.exec:\nbttbt.exe38⤵
- Executes dropped EXE
-
\??\c:\nbhhbt.exec:\nbhhbt.exe39⤵
- Executes dropped EXE
-
\??\c:\9vppv.exec:\9vppv.exe40⤵
- Executes dropped EXE
-
\??\c:\9pvvp.exec:\9pvvp.exe41⤵
- Executes dropped EXE
-
\??\c:\9frlrrf.exec:\9frlrrf.exe42⤵
- Executes dropped EXE
-
\??\c:\frfffxr.exec:\frfffxr.exe43⤵
- Executes dropped EXE
-
\??\c:\ttbhnt.exec:\ttbhnt.exe44⤵
- Executes dropped EXE
-
\??\c:\bhnhbh.exec:\bhnhbh.exe45⤵
- Executes dropped EXE
-
\??\c:\5jddj.exec:\5jddj.exe46⤵
- Executes dropped EXE
-
\??\c:\vjddj.exec:\vjddj.exe47⤵
- Executes dropped EXE
-
\??\c:\1rrxrrr.exec:\1rrxrrr.exe48⤵
- Executes dropped EXE
-
\??\c:\nhhhnn.exec:\nhhhnn.exe49⤵
- Executes dropped EXE
-
\??\c:\btbthb.exec:\btbthb.exe50⤵
- Executes dropped EXE
-
\??\c:\9jvjd.exec:\9jvjd.exe51⤵
- Executes dropped EXE
-
\??\c:\dvvdv.exec:\dvvdv.exe52⤵
- Executes dropped EXE
-
\??\c:\vjvpj.exec:\vjvpj.exe53⤵
- Executes dropped EXE
-
\??\c:\1xlfllx.exec:\1xlfllx.exe54⤵
- Executes dropped EXE
-
\??\c:\lfffxfx.exec:\lfffxfx.exe55⤵
- Executes dropped EXE
-
\??\c:\bbbbhn.exec:\bbbbhn.exe56⤵
- Executes dropped EXE
-
\??\c:\5dvdj.exec:\5dvdj.exe57⤵
- Executes dropped EXE
-
\??\c:\pdjpd.exec:\pdjpd.exe58⤵
- Executes dropped EXE
-
\??\c:\fxxlxrx.exec:\fxxlxrx.exe59⤵
- Executes dropped EXE
-
\??\c:\frxlxrr.exec:\frxlxrr.exe60⤵
- Executes dropped EXE
-
\??\c:\htbthn.exec:\htbthn.exe61⤵
- Executes dropped EXE
-
\??\c:\tnnnnb.exec:\tnnnnb.exe62⤵
- Executes dropped EXE
-
\??\c:\pvjjd.exec:\pvjjd.exe63⤵
- Executes dropped EXE
-
\??\c:\pdjpp.exec:\pdjpp.exe64⤵
- Executes dropped EXE
-
\??\c:\rfrrffl.exec:\rfrrffl.exe65⤵
- Executes dropped EXE
-
\??\c:\5llrffr.exec:\5llrffr.exe66⤵
-
\??\c:\nhttbb.exec:\nhttbb.exe67⤵
-
\??\c:\9hbbnb.exec:\9hbbnb.exe68⤵
-
\??\c:\9vdpp.exec:\9vdpp.exe69⤵
-
\??\c:\9dvdj.exec:\9dvdj.exe70⤵
-
\??\c:\7lflffx.exec:\7lflffx.exe71⤵
-
\??\c:\rfxfxrl.exec:\rfxfxrl.exe72⤵
-
\??\c:\bthnbh.exec:\bthnbh.exe73⤵
-
\??\c:\3hbhtb.exec:\3hbhtb.exe74⤵
-
\??\c:\9jdpp.exec:\9jdpp.exe75⤵
-
\??\c:\vvvjp.exec:\vvvjp.exe76⤵
-
\??\c:\5flrffl.exec:\5flrffl.exe77⤵
-
\??\c:\xlfllrl.exec:\xlfllrl.exe78⤵
-
\??\c:\ttbtnb.exec:\ttbtnb.exe79⤵
-
\??\c:\jdpvj.exec:\jdpvj.exe80⤵
-
\??\c:\1pjpv.exec:\1pjpv.exe81⤵
-
\??\c:\lfxxflx.exec:\lfxxflx.exe82⤵
-
\??\c:\rffflll.exec:\rffflll.exe83⤵
-
\??\c:\bhhnnt.exec:\bhhnnt.exe84⤵
-
\??\c:\hbnnnn.exec:\hbnnnn.exe85⤵
-
\??\c:\3vjpv.exec:\3vjpv.exe86⤵
-
\??\c:\vddvv.exec:\vddvv.exe87⤵
-
\??\c:\xrfrxrx.exec:\xrfrxrx.exe88⤵
-
\??\c:\7flllff.exec:\7flllff.exe89⤵
-
\??\c:\nbtbhn.exec:\nbtbhn.exe90⤵
-
\??\c:\nbntht.exec:\nbntht.exe91⤵
-
\??\c:\jjdpv.exec:\jjdpv.exe92⤵
-
\??\c:\jdpvj.exec:\jdpvj.exe93⤵
-
\??\c:\xrfllrr.exec:\xrfllrr.exe94⤵
-
\??\c:\bntbnh.exec:\bntbnh.exe95⤵
-
\??\c:\5hbtbb.exec:\5hbtbb.exe96⤵
-
\??\c:\bbnnhh.exec:\bbnnhh.exe97⤵
-
\??\c:\3dvjp.exec:\3dvjp.exe98⤵
-
\??\c:\frflrrl.exec:\frflrrl.exe99⤵
-
\??\c:\7xrfrxr.exec:\7xrfrxr.exe100⤵
-
\??\c:\hbthth.exec:\hbthth.exe101⤵
-
\??\c:\btbbbb.exec:\btbbbb.exe102⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe103⤵
-
\??\c:\jdjpj.exec:\jdjpj.exe104⤵
-
\??\c:\frrrrxx.exec:\frrrrxx.exe105⤵
-
\??\c:\xfflrrl.exec:\xfflrrl.exe106⤵
-
\??\c:\1rxfrlr.exec:\1rxfrlr.exe107⤵
-
\??\c:\tnbhhh.exec:\tnbhhh.exe108⤵
-
\??\c:\tnnnhh.exec:\tnnnhh.exe109⤵
-
\??\c:\vpvdd.exec:\vpvdd.exe110⤵
-
\??\c:\pddvv.exec:\pddvv.exe111⤵
-
\??\c:\7rxfllr.exec:\7rxfllr.exe112⤵
-
\??\c:\rfffrrf.exec:\rfffrrf.exe113⤵
-
\??\c:\rlxfrrx.exec:\rlxfrrx.exe114⤵
-
\??\c:\tntnnn.exec:\tntnnn.exe115⤵
-
\??\c:\jvpvj.exec:\jvpvj.exe116⤵
-
\??\c:\3pddj.exec:\3pddj.exe117⤵
-
\??\c:\fxxxflr.exec:\fxxxflr.exe118⤵
-
\??\c:\1llrfxf.exec:\1llrfxf.exe119⤵
-
\??\c:\bbnntt.exec:\bbnntt.exe120⤵
-
\??\c:\llrfflr.exec:\llrfflr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-