Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
19/08/2024, 13:14
General
-
Target
d0a3c0239e457cd1d63fa2133d0b33f0N.exe
-
Size
93KB
-
MD5
d0a3c0239e457cd1d63fa2133d0b33f0
-
SHA1
ae9ce28e1506017099674583767adf40268ed1f0
-
SHA256
ee9b1d237fca9dd714ac4d72e1b8dc1ee49c9d82b82d9692c5c97c8cfb48978c
-
SHA512
a36e31a063bb162191d89384a885820eb20932b963bc1fe23d34d1ebc27744988c65bc113620092981369fd04bfd16c3638651b9ef0dece5fdc343fd5c4e22ea
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73XH/YP1HFrJximAAxS1rj/2CL:ymb3NkkiQ3mdBjFo73PYP1lri3K8GwV
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0a3c0239e457cd1d63fa2133d0b33f0N.exe"C:\Users\Admin\AppData\Local\Temp\d0a3c0239e457cd1d63fa2133d0b33f0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\04628.exec:\04628.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\c084068.exec:\c084068.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\486062.exec:\486062.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\48864.exec:\48864.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26064.exec:\26064.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8000662.exec:\8000662.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\600088.exec:\600088.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m6402.exec:\m6402.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\48620.exec:\48620.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6404280.exec:\6404280.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\286268.exec:\286268.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08408.exec:\08408.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\s2624.exec:\s2624.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0806220.exec:\0806220.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\004644.exec:\004644.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\884426.exec:\884426.exe17⤵
- Executes dropped EXE
-
\??\c:\m4446.exec:\m4446.exe18⤵
- Executes dropped EXE
-
\??\c:\2062842.exec:\2062842.exe19⤵
- Executes dropped EXE
-
\??\c:\6604820.exec:\6604820.exe20⤵
- Executes dropped EXE
-
\??\c:\260028.exec:\260028.exe21⤵
- Executes dropped EXE
-
\??\c:\04242.exec:\04242.exe22⤵
- Executes dropped EXE
-
\??\c:\a6840.exec:\a6840.exe23⤵
- Executes dropped EXE
-
\??\c:\6462024.exec:\6462024.exe24⤵
- Executes dropped EXE
-
\??\c:\q08068.exec:\q08068.exe25⤵
- Executes dropped EXE
-
\??\c:\e20802.exec:\e20802.exe26⤵
- Executes dropped EXE
-
\??\c:\g4640.exec:\g4640.exe27⤵
- Executes dropped EXE
-
\??\c:\g2444.exec:\g2444.exe28⤵
- Executes dropped EXE
-
\??\c:\i206802.exec:\i206802.exe29⤵
- Executes dropped EXE
-
\??\c:\062088.exec:\062088.exe30⤵
- Executes dropped EXE
-
\??\c:\046628.exec:\046628.exe31⤵
- Executes dropped EXE
-
\??\c:\66462.exec:\66462.exe32⤵
- Executes dropped EXE
-
\??\c:\4628806.exec:\4628806.exe33⤵
- Executes dropped EXE
-
\??\c:\o020282.exec:\o020282.exe34⤵
- Executes dropped EXE
-
\??\c:\202240.exec:\202240.exe35⤵
- Executes dropped EXE
-
\??\c:\828800.exec:\828800.exe36⤵
- Executes dropped EXE
-
\??\c:\s4228.exec:\s4228.exe37⤵
- Executes dropped EXE
-
\??\c:\s0446.exec:\s0446.exe38⤵
- Executes dropped EXE
-
\??\c:\c842840.exec:\c842840.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\0864666.exec:\0864666.exe40⤵
- Executes dropped EXE
-
\??\c:\w42840.exec:\w42840.exe41⤵
- Executes dropped EXE
-
\??\c:\482244.exec:\482244.exe42⤵
- Executes dropped EXE
-
\??\c:\480286.exec:\480286.exe43⤵
- Executes dropped EXE
-
\??\c:\m8400.exec:\m8400.exe44⤵
- Executes dropped EXE
-
\??\c:\0424006.exec:\0424006.exe45⤵
- Executes dropped EXE
-
\??\c:\2088284.exec:\2088284.exe46⤵
- Executes dropped EXE
-
\??\c:\664088.exec:\664088.exe47⤵
- Executes dropped EXE
-
\??\c:\k02844.exec:\k02844.exe48⤵
- Executes dropped EXE
-
\??\c:\64246.exec:\64246.exe49⤵
- Executes dropped EXE
-
\??\c:\04286.exec:\04286.exe50⤵
- Executes dropped EXE
-
\??\c:\8244006.exec:\8244006.exe51⤵
- Executes dropped EXE
-
\??\c:\o006684.exec:\o006684.exe52⤵
- Executes dropped EXE
-
\??\c:\640040.exec:\640040.exe53⤵
- Executes dropped EXE
-
\??\c:\624408.exec:\624408.exe54⤵
- Executes dropped EXE
-
\??\c:\88286.exec:\88286.exe55⤵
- Executes dropped EXE
-
\??\c:\08628.exec:\08628.exe56⤵
- Executes dropped EXE
-
\??\c:\2206284.exec:\2206284.exe57⤵
- Executes dropped EXE
-
\??\c:\2602468.exec:\2602468.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\248682.exec:\248682.exe59⤵
- Executes dropped EXE
-
\??\c:\q64640.exec:\q64640.exe60⤵
- Executes dropped EXE
-
\??\c:\a4420.exec:\a4420.exe61⤵
- Executes dropped EXE
-
\??\c:\26006.exec:\26006.exe62⤵
- Executes dropped EXE
-
\??\c:\0822466.exec:\0822466.exe63⤵
- Executes dropped EXE
-
\??\c:\u202446.exec:\u202446.exe64⤵
- Executes dropped EXE
-
\??\c:\608840.exec:\608840.exe65⤵
- Executes dropped EXE
-
\??\c:\840026.exec:\840026.exe66⤵
-
\??\c:\82024.exec:\82024.exe67⤵
-
\??\c:\20886.exec:\20886.exe68⤵
-
\??\c:\64668.exec:\64668.exe69⤵
-
\??\c:\4846628.exec:\4846628.exe70⤵
-
\??\c:\6044286.exec:\6044286.exe71⤵
-
\??\c:\600622.exec:\600622.exe72⤵
-
\??\c:\w86622.exec:\w86622.exe73⤵
-
\??\c:\428688.exec:\428688.exe74⤵
-
\??\c:\48684.exec:\48684.exe75⤵
-
\??\c:\22028.exec:\22028.exe76⤵
-
\??\c:\2640684.exec:\2640684.exe77⤵
-
\??\c:\0800668.exec:\0800668.exe78⤵
-
\??\c:\822406.exec:\822406.exe79⤵
-
\??\c:\424082.exec:\424082.exe80⤵
-
\??\c:\e42088.exec:\e42088.exe81⤵
-
\??\c:\m8684.exec:\m8684.exe82⤵
-
\??\c:\26244.exec:\26244.exe83⤵
-
\??\c:\2028068.exec:\2028068.exe84⤵
-
\??\c:\8200666.exec:\8200666.exe85⤵
-
\??\c:\4802884.exec:\4802884.exe86⤵
-
\??\c:\800402.exec:\800402.exe87⤵
-
\??\c:\822200.exec:\822200.exe88⤵
-
\??\c:\s6802.exec:\s6802.exe89⤵
-
\??\c:\42002.exec:\42002.exe90⤵
-
\??\c:\c862406.exec:\c862406.exe91⤵
-
\??\c:\0466464.exec:\0466464.exe92⤵
-
\??\c:\066886.exec:\066886.exe93⤵
-
\??\c:\646688.exec:\646688.exe94⤵
-
\??\c:\04060.exec:\04060.exe95⤵
-
\??\c:\82068.exec:\82068.exe96⤵
-
\??\c:\2640884.exec:\2640884.exe97⤵
-
\??\c:\o024668.exec:\o024668.exe98⤵
-
\??\c:\826284.exec:\826284.exe99⤵
-
\??\c:\664004.exec:\664004.exe100⤵
-
\??\c:\s6062.exec:\s6062.exe101⤵
-
\??\c:\48022.exec:\48022.exe102⤵
-
\??\c:\8884680.exec:\8884680.exe103⤵
-
\??\c:\2028024.exec:\2028024.exe104⤵
-
\??\c:\202206.exec:\202206.exe105⤵
-
\??\c:\q04626.exec:\q04626.exe106⤵
-
\??\c:\s2446.exec:\s2446.exe107⤵
-
\??\c:\a2064.exec:\a2064.exe108⤵
-
\??\c:\2628660.exec:\2628660.exe109⤵
-
\??\c:\6468624.exec:\6468624.exe110⤵
-
\??\c:\486284.exec:\486284.exe111⤵
-
\??\c:\646422.exec:\646422.exe112⤵
-
\??\c:\60802.exec:\60802.exe113⤵
-
\??\c:\42064.exec:\42064.exe114⤵
-
\??\c:\0462628.exec:\0462628.exe115⤵
-
\??\c:\422804.exec:\422804.exe116⤵
-
\??\c:\206626.exec:\206626.exe117⤵
-
\??\c:\m2088.exec:\m2088.exe118⤵
-
\??\c:\44422.exec:\44422.exe119⤵
-
\??\c:\8462840.exec:\8462840.exe120⤵
-
\??\c:\4048006.exec:\4048006.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-