Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
21/08/2024, 04:37
General
-
Target
cf75764bce315ed8e798e5b3cf8a52d0N.exe
-
Size
78KB
-
MD5
cf75764bce315ed8e798e5b3cf8a52d0
-
SHA1
c0f6b4be1e78ac55fabcce66517d1b29adb0e524
-
SHA256
ca0fffab83aea709020303bb7747249a9ebf01ebbcb7ce846a3b46ee6d1d10c4
-
SHA512
4e45c8c8e6821ebffd92c84aa9f900db77187bd79ec5f3cb2a0aff11d9144ae2caedb13a85d1f874a757bd222a8b371df24a61a5a85e65b55dcd783a6d011caa
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5rINFE4ye5:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCu4U
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf75764bce315ed8e798e5b3cf8a52d0N.exe"C:\Users\Admin\AppData\Local\Temp\cf75764bce315ed8e798e5b3cf8a52d0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\llrxxxr.exec:\llrxxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nbhnb.exec:\7nbhnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tttbb.exec:\5tttbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrflr.exec:\fxlrflr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnnnt.exec:\nbnnnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvjj.exec:\jdvjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llflxxl.exec:\llflxxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbttn.exec:\bnbttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpd.exec:\pdvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdpv.exec:\ppdpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrffllf.exec:\xrffllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtnnt.exec:\bbtnnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbhhn.exec:\nnbhhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjpp.exec:\ppjpp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjpv.exec:\vvjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lxrrxf.exec:\3lxrrxf.exe17⤵
- Executes dropped EXE
-
\??\c:\5hbhhh.exec:\5hbhhh.exe18⤵
- Executes dropped EXE
-
\??\c:\3bthtb.exec:\3bthtb.exe19⤵
- Executes dropped EXE
-
\??\c:\ddvvj.exec:\ddvvj.exe20⤵
- Executes dropped EXE
-
\??\c:\ffrxflr.exec:\ffrxflr.exe21⤵
- Executes dropped EXE
-
\??\c:\xfxxxrx.exec:\xfxxxrx.exe22⤵
- Executes dropped EXE
-
\??\c:\hbhhhn.exec:\hbhhhn.exe23⤵
- Executes dropped EXE
-
\??\c:\vjpvd.exec:\vjpvd.exe24⤵
- Executes dropped EXE
-
\??\c:\pppdj.exec:\pppdj.exe25⤵
- Executes dropped EXE
-
\??\c:\frxrrfr.exec:\frxrrfr.exe26⤵
- Executes dropped EXE
-
\??\c:\nbnnhb.exec:\nbnnhb.exe27⤵
- Executes dropped EXE
-
\??\c:\3hbbnt.exec:\3hbbnt.exe28⤵
- Executes dropped EXE
-
\??\c:\hhthtt.exec:\hhthtt.exe29⤵
- Executes dropped EXE
-
\??\c:\ppjvd.exec:\ppjvd.exe30⤵
- Executes dropped EXE
-
\??\c:\1rllllr.exec:\1rllllr.exe31⤵
- Executes dropped EXE
-
\??\c:\1nnttt.exec:\1nnttt.exe32⤵
- Executes dropped EXE
-
\??\c:\hhtbbb.exec:\hhtbbb.exe33⤵
- Executes dropped EXE
-
\??\c:\5pvvd.exec:\5pvvd.exe34⤵
- Executes dropped EXE
-
\??\c:\7jdpp.exec:\7jdpp.exe35⤵
- Executes dropped EXE
-
\??\c:\rflfxfl.exec:\rflfxfl.exe36⤵
- Executes dropped EXE
-
\??\c:\xlfrrxf.exec:\xlfrrxf.exe37⤵
- Executes dropped EXE
-
\??\c:\bbbbbh.exec:\bbbbbh.exe38⤵
- Executes dropped EXE
-
\??\c:\tntbnn.exec:\tntbnn.exe39⤵
- Executes dropped EXE
-
\??\c:\pjdjj.exec:\pjdjj.exe40⤵
- Executes dropped EXE
-
\??\c:\djvpj.exec:\djvpj.exe41⤵
- Executes dropped EXE
-
\??\c:\rlfrxff.exec:\rlfrxff.exe42⤵
- Executes dropped EXE
-
\??\c:\lfrxllr.exec:\lfrxllr.exe43⤵
- Executes dropped EXE
-
\??\c:\5fxffxl.exec:\5fxffxl.exe44⤵
- Executes dropped EXE
-
\??\c:\nhbnbt.exec:\nhbnbt.exe45⤵
- Executes dropped EXE
-
\??\c:\9bnhnb.exec:\9bnhnb.exe46⤵
- Executes dropped EXE
-
\??\c:\jjddp.exec:\jjddp.exe47⤵
- Executes dropped EXE
-
\??\c:\vpvpv.exec:\vpvpv.exe48⤵
- Executes dropped EXE
-
\??\c:\xlrxffl.exec:\xlrxffl.exe49⤵
- Executes dropped EXE
-
\??\c:\1flrrrx.exec:\1flrrrx.exe50⤵
- Executes dropped EXE
-
\??\c:\hhbnbb.exec:\hhbnbb.exe51⤵
- Executes dropped EXE
-
\??\c:\9thttn.exec:\9thttn.exe52⤵
- Executes dropped EXE
-
\??\c:\9vdjp.exec:\9vdjp.exe53⤵
- Executes dropped EXE
-
\??\c:\9jvpj.exec:\9jvpj.exe54⤵
- Executes dropped EXE
-
\??\c:\lrffflr.exec:\lrffflr.exe55⤵
- Executes dropped EXE
-
\??\c:\xrflrrr.exec:\xrflrrr.exe56⤵
- Executes dropped EXE
-
\??\c:\rxflxlf.exec:\rxflxlf.exe57⤵
- Executes dropped EXE
-
\??\c:\nnnnbh.exec:\nnnnbh.exe58⤵
- Executes dropped EXE
-
\??\c:\tnhtbb.exec:\tnhtbb.exe59⤵
- Executes dropped EXE
-
\??\c:\jdvjj.exec:\jdvjj.exe60⤵
- Executes dropped EXE
-
\??\c:\7vdjp.exec:\7vdjp.exe61⤵
- Executes dropped EXE
-
\??\c:\9jvvd.exec:\9jvvd.exe62⤵
- Executes dropped EXE
-
\??\c:\rfxrfff.exec:\rfxrfff.exe63⤵
- Executes dropped EXE
-
\??\c:\3tbhhh.exec:\3tbhhh.exe64⤵
- Executes dropped EXE
-
\??\c:\5thhbh.exec:\5thhbh.exe65⤵
- Executes dropped EXE
-
\??\c:\pvvvd.exec:\pvvvd.exe66⤵
-
\??\c:\jjpvd.exec:\jjpvd.exe67⤵
-
\??\c:\3rrrrll.exec:\3rrrrll.exe68⤵
-
\??\c:\xrflrrr.exec:\xrflrrr.exe69⤵
-
\??\c:\btbhtb.exec:\btbhtb.exe70⤵
-
\??\c:\nhnhnb.exec:\nhnhnb.exe71⤵
-
\??\c:\pdvvj.exec:\pdvvj.exe72⤵
-
\??\c:\dvdjd.exec:\dvdjd.exe73⤵
-
\??\c:\9fxffxx.exec:\9fxffxx.exe74⤵
-
\??\c:\5frrrxf.exec:\5frrrxf.exe75⤵
-
\??\c:\thttbh.exec:\thttbh.exe76⤵
-
\??\c:\tntbhh.exec:\tntbhh.exe77⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe78⤵
-
\??\c:\vpddj.exec:\vpddj.exe79⤵
-
\??\c:\llflxxf.exec:\llflxxf.exe80⤵
-
\??\c:\7fxrffr.exec:\7fxrffr.exe81⤵
-
\??\c:\bbnhtt.exec:\bbnhtt.exe82⤵
-
\??\c:\9btbnn.exec:\9btbnn.exe83⤵
-
\??\c:\vppvd.exec:\vppvd.exe84⤵
-
\??\c:\vvdvp.exec:\vvdvp.exe85⤵
-
\??\c:\rlrrrxf.exec:\rlrrrxf.exe86⤵
-
\??\c:\9rrxffl.exec:\9rrxffl.exe87⤵
-
\??\c:\hbthtt.exec:\hbthtt.exe88⤵
-
\??\c:\5nbhtb.exec:\5nbhtb.exe89⤵
-
\??\c:\jjvvp.exec:\jjvvp.exe90⤵
-
\??\c:\5vddd.exec:\5vddd.exe91⤵
-
\??\c:\fxrxfff.exec:\fxrxfff.exe92⤵
-
\??\c:\fxlflrx.exec:\fxlflrx.exe93⤵
-
\??\c:\5bbnbt.exec:\5bbnbt.exe94⤵
-
\??\c:\7tnttt.exec:\7tnttt.exe95⤵
-
\??\c:\vpvpv.exec:\vpvpv.exe96⤵
-
\??\c:\7vvvp.exec:\7vvvp.exe97⤵
-
\??\c:\fxxrllf.exec:\fxxrllf.exe98⤵
-
\??\c:\xllfxxl.exec:\xllfxxl.exe99⤵
-
\??\c:\hbtbhb.exec:\hbtbhb.exe100⤵
-
\??\c:\bnttbn.exec:\bnttbn.exe101⤵
-
\??\c:\jdppv.exec:\jdppv.exe102⤵
-
\??\c:\7dpjd.exec:\7dpjd.exe103⤵
-
\??\c:\frxrlrx.exec:\frxrlrx.exe104⤵
-
\??\c:\fxrfflx.exec:\fxrfflx.exe105⤵
-
\??\c:\btnnnn.exec:\btnnnn.exe106⤵
-
\??\c:\bntthh.exec:\bntthh.exe107⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe108⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vpvpv.exec:\vpvpv.exe109⤵
-
\??\c:\1xllrxf.exec:\1xllrxf.exe110⤵
-
\??\c:\lxfrrrx.exec:\lxfrrrx.exe111⤵
-
\??\c:\thnnbt.exec:\thnnbt.exe112⤵
-
\??\c:\hbhhnn.exec:\hbhhnn.exe113⤵
-
\??\c:\pvvpp.exec:\pvvpp.exe114⤵
-
\??\c:\fxxrfff.exec:\fxxrfff.exe115⤵
-
\??\c:\frxxlll.exec:\frxxlll.exe116⤵
-
\??\c:\nhbnnn.exec:\nhbnnn.exe117⤵
-
\??\c:\ppvvv.exec:\ppvvv.exe118⤵
-
\??\c:\pdpjd.exec:\pdpjd.exe119⤵
-
\??\c:\xrffflx.exec:\xrffflx.exe120⤵
-
\??\c:\xrllrrx.exec:\xrllrrx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-