Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
21/08/2024, 09:25
General
-
Target
d5408d82467fd3c5b2b262d81cea5950N.exe
-
Size
843KB
-
MD5
d5408d82467fd3c5b2b262d81cea5950
-
SHA1
a1881c33889c68f3ce15a20ac20bb312b5a68a5b
-
SHA256
62f421b3bb6e359eeeeee791fcf770c83202e9388834b0102702aa9629f7f70a
-
SHA512
4c0fc5f8b9e49a6b16547325fd639b1d09da5d8a85bbc8e785ee0a667bf23f136a3f2187a4bf3d43a3031bc4036f95de682b8e9e37e67e8be8a29eb47e3068a7
-
SSDEEP
24576:Sgdn8whSenedn8whhdn76gdn8whSfgdn8whSzF:TFyVPfe
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d5408d82467fd3c5b2b262d81cea5950N.exe"C:\Users\Admin\AppData\Local\Temp\d5408d82467fd3c5b2b262d81cea5950N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjjj.exec:\pvjjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjpv.exec:\vvjpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxlrlr.exec:\rlxlrlr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpvd.exec:\ddpvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxfflx.exec:\ffxfflx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbbtb.exec:\tnbbtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbhn.exec:\btbbhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxffffl.exec:\lxffffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnttt.exec:\btnttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xlfxff.exec:\3xlfxff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvvd.exec:\vpvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfflfl.exec:\xrfflfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpvv.exec:\vvpvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrrrxf.exec:\flrrrxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jpvv.exec:\9jpvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlrrlr.exec:\xxlrrlr.exe17⤵
- Executes dropped EXE
-
\??\c:\pdppv.exec:\pdppv.exe18⤵
- Executes dropped EXE
-
\??\c:\rlfflrx.exec:\rlfflrx.exe19⤵
- Executes dropped EXE
-
\??\c:\rxxxrlx.exec:\rxxxrlx.exe20⤵
- Executes dropped EXE
-
\??\c:\3hhthh.exec:\3hhthh.exe21⤵
- Executes dropped EXE
-
\??\c:\3frfllr.exec:\3frfllr.exe22⤵
- Executes dropped EXE
-
\??\c:\nttbbb.exec:\nttbbb.exe23⤵
- Executes dropped EXE
-
\??\c:\rlxrxfl.exec:\rlxrxfl.exe24⤵
- Executes dropped EXE
-
\??\c:\bbnbbh.exec:\bbnbbh.exe25⤵
- Executes dropped EXE
-
\??\c:\dpvvp.exec:\dpvvp.exe26⤵
- Executes dropped EXE
-
\??\c:\nbtbhn.exec:\nbtbhn.exe27⤵
- Executes dropped EXE
-
\??\c:\xrlllxl.exec:\xrlllxl.exe28⤵
- Executes dropped EXE
-
\??\c:\hbbbbh.exec:\hbbbbh.exe29⤵
- Executes dropped EXE
-
\??\c:\1lxfxxf.exec:\1lxfxxf.exe30⤵
- Executes dropped EXE
-
\??\c:\9jvdv.exec:\9jvdv.exe31⤵
- Executes dropped EXE
-
\??\c:\nbntnn.exec:\nbntnn.exe32⤵
- Executes dropped EXE
-
\??\c:\dvppv.exec:\dvppv.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\tnhhtb.exec:\tnhhtb.exe34⤵
- Executes dropped EXE
-
\??\c:\vjvjj.exec:\vjvjj.exe35⤵
- Executes dropped EXE
-
\??\c:\rlllffx.exec:\rlllffx.exe36⤵
- Executes dropped EXE
-
\??\c:\htbttt.exec:\htbttt.exe37⤵
- Executes dropped EXE
-
\??\c:\3pvpp.exec:\3pvpp.exe38⤵
- Executes dropped EXE
-
\??\c:\rfrxxlr.exec:\rfrxxlr.exe39⤵
- Executes dropped EXE
-
\??\c:\tnhtbt.exec:\tnhtbt.exe40⤵
- Executes dropped EXE
-
\??\c:\tnhbbt.exec:\tnhbbt.exe41⤵
- Executes dropped EXE
-
\??\c:\jdjjp.exec:\jdjjp.exe42⤵
- Executes dropped EXE
-
\??\c:\lfrxxxf.exec:\lfrxxxf.exe43⤵
- Executes dropped EXE
-
\??\c:\nhbhnt.exec:\nhbhnt.exe44⤵
- Executes dropped EXE
-
\??\c:\9vvpd.exec:\9vvpd.exe45⤵
- Executes dropped EXE
-
\??\c:\5rxfrfl.exec:\5rxfrfl.exe46⤵
- Executes dropped EXE
-
\??\c:\hbhbtt.exec:\hbhbtt.exe47⤵
- Executes dropped EXE
-
\??\c:\pjvdj.exec:\pjvdj.exe48⤵
- Executes dropped EXE
-
\??\c:\fxlrlll.exec:\fxlrlll.exe49⤵
- Executes dropped EXE
-
\??\c:\tnttbt.exec:\tnttbt.exe50⤵
- Executes dropped EXE
-
\??\c:\5bnnhh.exec:\5bnnhh.exe51⤵
- Executes dropped EXE
-
\??\c:\dpvvv.exec:\dpvvv.exe52⤵
- Executes dropped EXE
-
\??\c:\9lrrrll.exec:\9lrrrll.exe53⤵
- Executes dropped EXE
-
\??\c:\1ntntn.exec:\1ntntn.exe54⤵
- Executes dropped EXE
-
\??\c:\1vddp.exec:\1vddp.exe55⤵
- Executes dropped EXE
-
\??\c:\rfrrrxf.exec:\rfrrrxf.exe56⤵
- Executes dropped EXE
-
\??\c:\1xrxffl.exec:\1xrxffl.exe57⤵
- Executes dropped EXE
-
\??\c:\hbnntb.exec:\hbnntb.exe58⤵
- Executes dropped EXE
-
\??\c:\pdvvd.exec:\pdvvd.exe59⤵
- Executes dropped EXE
-
\??\c:\fxfflrx.exec:\fxfflrx.exe60⤵
- Executes dropped EXE
-
\??\c:\3htnnn.exec:\3htnnn.exe61⤵
- Executes dropped EXE
-
\??\c:\vpppd.exec:\vpppd.exe62⤵
- Executes dropped EXE
-
\??\c:\rlxxffr.exec:\rlxxffr.exe63⤵
- Executes dropped EXE
-
\??\c:\thbhnn.exec:\thbhnn.exe64⤵
- Executes dropped EXE
-
\??\c:\thbbhb.exec:\thbbhb.exe65⤵
- Executes dropped EXE
-
\??\c:\pjdvj.exec:\pjdvj.exe66⤵
-
\??\c:\3rffxfx.exec:\3rffxfx.exe67⤵
-
\??\c:\7httbb.exec:\7httbb.exe68⤵
-
\??\c:\7vddp.exec:\7vddp.exe69⤵
-
\??\c:\xlxxrxx.exec:\xlxxrxx.exe70⤵
-
\??\c:\fxrxlfx.exec:\fxrxlfx.exe71⤵
-
\??\c:\hbnhnn.exec:\hbnhnn.exe72⤵
-
\??\c:\dpvjj.exec:\dpvjj.exe73⤵
-
\??\c:\rfrllfl.exec:\rfrllfl.exe74⤵
-
\??\c:\tnhnnn.exec:\tnhnnn.exe75⤵
-
\??\c:\dpjjj.exec:\dpjjj.exe76⤵
-
\??\c:\fxlfffx.exec:\fxlfffx.exe77⤵
-
\??\c:\rllfffr.exec:\rllfffr.exe78⤵
-
\??\c:\3thbnh.exec:\3thbnh.exe79⤵
-
\??\c:\pjdjp.exec:\pjdjp.exe80⤵
-
\??\c:\fxrrxxf.exec:\fxrrxxf.exe81⤵
-
\??\c:\rlxxlfl.exec:\rlxxlfl.exe82⤵
-
\??\c:\bnnttt.exec:\bnnttt.exe83⤵
-
\??\c:\pjvvv.exec:\pjvvv.exe84⤵
-
\??\c:\xxfflxx.exec:\xxfflxx.exe85⤵
-
\??\c:\5btbtb.exec:\5btbtb.exe86⤵
-
\??\c:\vvpvj.exec:\vvpvj.exe87⤵
-
\??\c:\lxllrxx.exec:\lxllrxx.exe88⤵
-
\??\c:\5bttbb.exec:\5bttbb.exe89⤵
-
\??\c:\vdpdj.exec:\vdpdj.exe90⤵
-
\??\c:\rrlrflr.exec:\rrlrflr.exe91⤵
-
\??\c:\tnbhnn.exec:\tnbhnn.exe92⤵
-
\??\c:\jdpvd.exec:\jdpvd.exe93⤵
-
\??\c:\jvjpv.exec:\jvjpv.exe94⤵
-
\??\c:\llrlxlx.exec:\llrlxlx.exe95⤵
-
\??\c:\9tnnbt.exec:\9tnnbt.exe96⤵
-
\??\c:\9pddj.exec:\9pddj.exe97⤵
-
\??\c:\lxllrxf.exec:\lxllrxf.exe98⤵
-
\??\c:\7htbnn.exec:\7htbnn.exe99⤵
-
\??\c:\pdvdd.exec:\pdvdd.exe100⤵
-
\??\c:\bbbbht.exec:\bbbbht.exe101⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nhttbb.exec:\nhttbb.exe102⤵
-
\??\c:\7jjdv.exec:\7jjdv.exe103⤵
-
\??\c:\rlrxfll.exec:\rlrxfll.exe104⤵
-
\??\c:\bnntbh.exec:\bnntbh.exe105⤵
-
\??\c:\nnbntn.exec:\nnbntn.exe106⤵
-
\??\c:\vpvvj.exec:\vpvvj.exe107⤵
-
\??\c:\1flrxll.exec:\1flrxll.exe108⤵
-
\??\c:\hhtntt.exec:\hhtntt.exe109⤵
- System Location Discovery: System Language Discovery
-
\??\c:\jdpjj.exec:\jdpjj.exe110⤵
-
\??\c:\pdjpp.exec:\pdjpp.exe111⤵
-
\??\c:\xrlxflr.exec:\xrlxflr.exe112⤵
-
\??\c:\nbhthh.exec:\nbhthh.exe113⤵
-
\??\c:\jvvvd.exec:\jvvvd.exe114⤵
-
\??\c:\frxrrrr.exec:\frxrrrr.exe115⤵
-
\??\c:\htbhtb.exec:\htbhtb.exe116⤵
-
\??\c:\httnhb.exec:\httnhb.exe117⤵
-
\??\c:\pppjd.exec:\pppjd.exe118⤵
-
\??\c:\frxxxxx.exec:\frxxxxx.exe119⤵
-
\??\c:\nbnntb.exec:\nbnntb.exe120⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-