Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
19/08/2024, 06:31
General
-
Target
eb1dd451b2b9db9dc0fa38ff7338df40N.exe
-
Size
58KB
-
MD5
eb1dd451b2b9db9dc0fa38ff7338df40
-
SHA1
54584146076a91ad98cd85bec9f4d5e5e8a370a4
-
SHA256
2a5f6c55d6f55bdd593e84c6b2070e4c2daee516e2a9941a90532382741e84ca
-
SHA512
7aade709058ffdd7aef45928af520d9a7a7aeae357653fa70c682264cad6cb2aec5693c19a05382efe253bc9f515edd11df1ce4d27a969bf2d4b75c1be67f2a2
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoA0:ymb3NkkiQ3mdBjFoh
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb1dd451b2b9db9dc0fa38ff7338df40N.exe"C:\Users\Admin\AppData\Local\Temp\eb1dd451b2b9db9dc0fa38ff7338df40N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvdp.exec:\jdvdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1lfllff.exec:\1lfllff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthtbb.exec:\bthtbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjvp.exec:\jjjvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xlllxf.exec:\9xlllxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3fffrfr.exec:\3fffrfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btttbn.exec:\btttbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvjj.exec:\jpvjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlfllr.exec:\xrlfllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlflxl.exec:\lxlflxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhnnn.exec:\tnhnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvvd.exec:\vjvvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxrlxx.exec:\lxxrlxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xlfrrf.exec:\9xlfrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxfxxf.exec:\fxxfxxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bhhht.exec:\5bhhht.exe17⤵
- Executes dropped EXE
-
\??\c:\ddvdp.exec:\ddvdp.exe18⤵
- Executes dropped EXE
-
\??\c:\9rlrffl.exec:\9rlrffl.exe19⤵
- Executes dropped EXE
-
\??\c:\rlllffl.exec:\rlllffl.exe20⤵
- Executes dropped EXE
-
\??\c:\1tnthh.exec:\1tnthh.exe21⤵
- Executes dropped EXE
-
\??\c:\tbthtn.exec:\tbthtn.exe22⤵
- Executes dropped EXE
-
\??\c:\dpddj.exec:\dpddj.exe23⤵
- Executes dropped EXE
-
\??\c:\rfxflxr.exec:\rfxflxr.exe24⤵
- Executes dropped EXE
-
\??\c:\5rlxflr.exec:\5rlxflr.exe25⤵
- Executes dropped EXE
-
\??\c:\hbnhnn.exec:\hbnhnn.exe26⤵
- Executes dropped EXE
-
\??\c:\hbthtb.exec:\hbthtb.exe27⤵
- Executes dropped EXE
-
\??\c:\9pjdp.exec:\9pjdp.exe28⤵
- Executes dropped EXE
-
\??\c:\fxlrrfr.exec:\fxlrrfr.exe29⤵
- Executes dropped EXE
-
\??\c:\nhnbtb.exec:\nhnbtb.exe30⤵
- Executes dropped EXE
-
\??\c:\tbhbhn.exec:\tbhbhn.exe31⤵
- Executes dropped EXE
-
\??\c:\vdjpj.exec:\vdjpj.exe32⤵
- Executes dropped EXE
-
\??\c:\lxrlfxf.exec:\lxrlfxf.exe33⤵
- Executes dropped EXE
-
\??\c:\rlxxflr.exec:\rlxxflr.exe34⤵
- Executes dropped EXE
-
\??\c:\tntbhn.exec:\tntbhn.exe35⤵
- Executes dropped EXE
-
\??\c:\hhtbbh.exec:\hhtbbh.exe36⤵
- Executes dropped EXE
-
\??\c:\pjjjj.exec:\pjjjj.exe37⤵
- Executes dropped EXE
-
\??\c:\jddjd.exec:\jddjd.exe38⤵
- Executes dropped EXE
-
\??\c:\fxrllrx.exec:\fxrllrx.exe39⤵
- Executes dropped EXE
-
\??\c:\xflxlfx.exec:\xflxlfx.exe40⤵
- Executes dropped EXE
-
\??\c:\ttbbbn.exec:\ttbbbn.exe41⤵
- Executes dropped EXE
-
\??\c:\jddjd.exec:\jddjd.exe42⤵
- Executes dropped EXE
-
\??\c:\ppjvp.exec:\ppjvp.exe43⤵
- Executes dropped EXE
-
\??\c:\rrlrxfl.exec:\rrlrxfl.exe44⤵
- Executes dropped EXE
-
\??\c:\xlflrrr.exec:\xlflrrr.exe45⤵
- Executes dropped EXE
-
\??\c:\nhthth.exec:\nhthth.exe46⤵
- Executes dropped EXE
-
\??\c:\httbnn.exec:\httbnn.exe47⤵
- Executes dropped EXE
-
\??\c:\vvjdv.exec:\vvjdv.exe48⤵
- Executes dropped EXE
-
\??\c:\9ppdd.exec:\9ppdd.exe49⤵
- Executes dropped EXE
-
\??\c:\xxrlxfr.exec:\xxrlxfr.exe50⤵
- Executes dropped EXE
-
\??\c:\xfxxflf.exec:\xfxxflf.exe51⤵
- Executes dropped EXE
-
\??\c:\5ntbhh.exec:\5ntbhh.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\7nbbnn.exec:\7nbbnn.exe53⤵
- Executes dropped EXE
-
\??\c:\ddpdd.exec:\ddpdd.exe54⤵
- Executes dropped EXE
-
\??\c:\1jddd.exec:\1jddd.exe55⤵
- Executes dropped EXE
-
\??\c:\rlfxlrx.exec:\rlfxlrx.exe56⤵
- Executes dropped EXE
-
\??\c:\xxlrrxx.exec:\xxlrrxx.exe57⤵
- Executes dropped EXE
-
\??\c:\1thnnn.exec:\1thnnn.exe58⤵
- Executes dropped EXE
-
\??\c:\nbntnt.exec:\nbntnt.exe59⤵
- Executes dropped EXE
-
\??\c:\vdjdd.exec:\vdjdd.exe60⤵
- Executes dropped EXE
-
\??\c:\lllxfxr.exec:\lllxfxr.exe61⤵
- Executes dropped EXE
-
\??\c:\fxfrffl.exec:\fxfrffl.exe62⤵
- Executes dropped EXE
-
\??\c:\tthnbh.exec:\tthnbh.exe63⤵
- Executes dropped EXE
-
\??\c:\thbbbh.exec:\thbbbh.exe64⤵
- Executes dropped EXE
-
\??\c:\pjvpp.exec:\pjvpp.exe65⤵
- Executes dropped EXE
-
\??\c:\jvddv.exec:\jvddv.exe66⤵
-
\??\c:\frxllrf.exec:\frxllrf.exe67⤵
-
\??\c:\rlfrlrl.exec:\rlfrlrl.exe68⤵
-
\??\c:\3hhnbb.exec:\3hhnbb.exe69⤵
-
\??\c:\nhbhhn.exec:\nhbhhn.exe70⤵
-
\??\c:\1ddpd.exec:\1ddpd.exe71⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe72⤵
-
\??\c:\xllllll.exec:\xllllll.exe73⤵
-
\??\c:\flllfff.exec:\flllfff.exe74⤵
-
\??\c:\thtbbh.exec:\thtbbh.exe75⤵
-
\??\c:\1vvvd.exec:\1vvvd.exe76⤵
-
\??\c:\vjvvp.exec:\vjvvp.exe77⤵
-
\??\c:\fxlflfr.exec:\fxlflfr.exe78⤵
-
\??\c:\7lffrxf.exec:\7lffrxf.exe79⤵
-
\??\c:\hbtbhn.exec:\hbtbhn.exe80⤵
-
\??\c:\httttt.exec:\httttt.exe81⤵
-
\??\c:\vvvvv.exec:\vvvvv.exe82⤵
-
\??\c:\pjppp.exec:\pjppp.exe83⤵
-
\??\c:\xxlxxrr.exec:\xxlxxrr.exe84⤵
-
\??\c:\rrfrfxf.exec:\rrfrfxf.exe85⤵
-
\??\c:\hhtnbn.exec:\hhtnbn.exe86⤵
-
\??\c:\htbbbb.exec:\htbbbb.exe87⤵
-
\??\c:\nhtntn.exec:\nhtntn.exe88⤵
-
\??\c:\vjvdd.exec:\vjvdd.exe89⤵
-
\??\c:\vppvd.exec:\vppvd.exe90⤵
-
\??\c:\fxlfffl.exec:\fxlfffl.exe91⤵
-
\??\c:\9rfrrlx.exec:\9rfrrlx.exe92⤵
-
\??\c:\5hbhnh.exec:\5hbhnh.exe93⤵
-
\??\c:\nttbtb.exec:\nttbtb.exe94⤵
-
\??\c:\ddppp.exec:\ddppp.exe95⤵
-
\??\c:\vjvdj.exec:\vjvdj.exe96⤵
-
\??\c:\xrffxxf.exec:\xrffxxf.exe97⤵
-
\??\c:\frfrrll.exec:\frfrrll.exe98⤵
-
\??\c:\nnhthh.exec:\nnhthh.exe99⤵
-
\??\c:\tnbtnn.exec:\tnbtnn.exe100⤵
-
\??\c:\dvppv.exec:\dvppv.exe101⤵
-
\??\c:\1dddd.exec:\1dddd.exe102⤵
-
\??\c:\dvjjj.exec:\dvjjj.exe103⤵
-
\??\c:\5rffffl.exec:\5rffffl.exe104⤵
-
\??\c:\lxrxxfl.exec:\lxrxxfl.exe105⤵
-
\??\c:\tnttbb.exec:\tnttbb.exe106⤵
-
\??\c:\nhntbb.exec:\nhntbb.exe107⤵
-
\??\c:\pjddd.exec:\pjddd.exe108⤵
-
\??\c:\7pjjd.exec:\7pjjd.exe109⤵
-
\??\c:\jpjjv.exec:\jpjjv.exe110⤵
-
\??\c:\frlxxxx.exec:\frlxxxx.exe111⤵
-
\??\c:\3fllflr.exec:\3fllflr.exe112⤵
-
\??\c:\hbnnhn.exec:\hbnnhn.exe113⤵
-
\??\c:\tnnnnn.exec:\tnnnnn.exe114⤵
-
\??\c:\dvpjp.exec:\dvpjp.exe115⤵
-
\??\c:\pjvvj.exec:\pjvvj.exe116⤵
-
\??\c:\xxxfxlx.exec:\xxxfxlx.exe117⤵
-
\??\c:\xrrxfxl.exec:\xrrxfxl.exe118⤵
-
\??\c:\tbnhht.exec:\tbnhht.exe119⤵
-
\??\c:\thttnt.exec:\thttnt.exe120⤵
-
\??\c:\dvvjv.exec:\dvvjv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-