Analysis
-
max time kernel
98s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
22-08-2024 18:19
General
-
Target
ebc40cd78bf15a7862f1db4c29cd7580N.exe
-
Size
73KB
-
MD5
ebc40cd78bf15a7862f1db4c29cd7580
-
SHA1
07273016d621b7035c7e6d053dc0591df73b06b3
-
SHA256
ec07e19890290a8c09077fdafb7e1c8b158bb7aa17f1659a8014bd2ecf787e4f
-
SHA512
35f622a9eddc02a94a62a3650ef85f557c0a487e2d3cc0d4d6768db95361dbd4768dadeed949ec37b8bce1cd8ec506dffdc883c23812b6c2166ec6956fd98cb2
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDWiekja1br3GGBxfot3ey:ymb3NkkiQ3mdBjFWXkj7afoV
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 18 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ebc40cd78bf15a7862f1db4c29cd7580N.exe"C:\Users\Admin\AppData\Local\Temp\ebc40cd78bf15a7862f1db4c29cd7580N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhtbh.exec:\nbhtbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvdp.exec:\jdvdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhnbb.exec:\nnhnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vvdp.exec:\9vvdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrffl.exec:\fxlrffl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrflxr.exec:\rrrflxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9djdp.exec:\9djdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxxllx.exec:\rrxxllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5nbhbn.exec:\5nbhbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtbnn.exec:\nhtbnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pjvd.exec:\1pjvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrrxfl.exec:\rlrrxfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbnbn.exec:\nhbnbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9tnthn.exec:\9tnthn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jpvj.exec:\1jpvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xxrrrr.exec:\9xxrrrr.exe17⤵
- Executes dropped EXE
-
\??\c:\lfrfxxl.exec:\lfrfxxl.exe18⤵
- Executes dropped EXE
-
\??\c:\tbnbbb.exec:\tbnbbb.exe19⤵
- Executes dropped EXE
-
\??\c:\7pvpp.exec:\7pvpp.exe20⤵
- Executes dropped EXE
-
\??\c:\ppdpv.exec:\ppdpv.exe21⤵
- Executes dropped EXE
-
\??\c:\ffrxffx.exec:\ffrxffx.exe22⤵
- Executes dropped EXE
-
\??\c:\hbntnb.exec:\hbntnb.exe23⤵
- Executes dropped EXE
-
\??\c:\hbnhnn.exec:\hbnhnn.exe24⤵
- Executes dropped EXE
-
\??\c:\jjdjp.exec:\jjdjp.exe25⤵
- Executes dropped EXE
-
\??\c:\1lllrxl.exec:\1lllrxl.exe26⤵
- Executes dropped EXE
-
\??\c:\nhnntt.exec:\nhnntt.exe27⤵
- Executes dropped EXE
-
\??\c:\bbthbb.exec:\bbthbb.exe28⤵
- Executes dropped EXE
-
\??\c:\vvpjv.exec:\vvpjv.exe29⤵
- Executes dropped EXE
-
\??\c:\9fxlxrl.exec:\9fxlxrl.exe30⤵
- Executes dropped EXE
-
\??\c:\rrllffr.exec:\rrllffr.exe31⤵
- Executes dropped EXE
-
\??\c:\7hnhbb.exec:\7hnhbb.exe32⤵
- Executes dropped EXE
-
\??\c:\jdjvj.exec:\jdjvj.exe33⤵
- Executes dropped EXE
-
\??\c:\3pvjp.exec:\3pvjp.exe34⤵
- Executes dropped EXE
-
\??\c:\7rfffll.exec:\7rfffll.exe35⤵
- Executes dropped EXE
-
\??\c:\hhthtb.exec:\hhthtb.exe36⤵
- Executes dropped EXE
-
\??\c:\tthnnt.exec:\tthnnt.exe37⤵
- Executes dropped EXE
-
\??\c:\jdvvp.exec:\jdvvp.exe38⤵
- Executes dropped EXE
-
\??\c:\llxfllx.exec:\llxfllx.exe39⤵
- Executes dropped EXE
-
\??\c:\lllfxfl.exec:\lllfxfl.exe40⤵
- Executes dropped EXE
-
\??\c:\nhbnht.exec:\nhbnht.exe41⤵
- Executes dropped EXE
-
\??\c:\nnhtnb.exec:\nnhtnb.exe42⤵
- Executes dropped EXE
-
\??\c:\ddvjd.exec:\ddvjd.exe43⤵
- Executes dropped EXE
-
\??\c:\ppjjj.exec:\ppjjj.exe44⤵
- Executes dropped EXE
-
\??\c:\xrffrrx.exec:\xrffrrx.exe45⤵
- Executes dropped EXE
-
\??\c:\fxxlxfl.exec:\fxxlxfl.exe46⤵
- Executes dropped EXE
-
\??\c:\5tnttt.exec:\5tnttt.exe47⤵
- Executes dropped EXE
-
\??\c:\ddvjv.exec:\ddvjv.exe48⤵
- Executes dropped EXE
-
\??\c:\dpdjp.exec:\dpdjp.exe49⤵
- Executes dropped EXE
-
\??\c:\llxfllr.exec:\llxfllr.exe50⤵
- Executes dropped EXE
-
\??\c:\5xlxlxf.exec:\5xlxlxf.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\1hbnth.exec:\1hbnth.exe52⤵
- Executes dropped EXE
-
\??\c:\jdpjv.exec:\jdpjv.exe53⤵
- Executes dropped EXE
-
\??\c:\jdvdv.exec:\jdvdv.exe54⤵
- Executes dropped EXE
-
\??\c:\9xrxlxl.exec:\9xrxlxl.exe55⤵
- Executes dropped EXE
-
\??\c:\xrxxfrf.exec:\xrxxfrf.exe56⤵
- Executes dropped EXE
-
\??\c:\bnttbn.exec:\bnttbn.exe57⤵
- Executes dropped EXE
-
\??\c:\btbtbh.exec:\btbtbh.exe58⤵
- Executes dropped EXE
-
\??\c:\vvjpv.exec:\vvjpv.exe59⤵
- Executes dropped EXE
-
\??\c:\ffrrxfl.exec:\ffrrxfl.exe60⤵
- Executes dropped EXE
-
\??\c:\rlrrfll.exec:\rlrrfll.exe61⤵
- Executes dropped EXE
-
\??\c:\bnbhtn.exec:\bnbhtn.exe62⤵
- Executes dropped EXE
-
\??\c:\tntthh.exec:\tntthh.exe63⤵
- Executes dropped EXE
-
\??\c:\3jvjj.exec:\3jvjj.exe64⤵
- Executes dropped EXE
-
\??\c:\jjddj.exec:\jjddj.exe65⤵
- Executes dropped EXE
-
\??\c:\1rrrxfl.exec:\1rrrxfl.exe66⤵
-
\??\c:\xfxxfxf.exec:\xfxxfxf.exe67⤵
-
\??\c:\3thhhh.exec:\3thhhh.exe68⤵
-
\??\c:\btbtbh.exec:\btbtbh.exe69⤵
-
\??\c:\vpddp.exec:\vpddp.exe70⤵
-
\??\c:\pjddv.exec:\pjddv.exe71⤵
-
\??\c:\rrrrxxl.exec:\rrrrxxl.exe72⤵
-
\??\c:\hhbnbh.exec:\hhbnbh.exe73⤵
-
\??\c:\hhbnbh.exec:\hhbnbh.exe74⤵
-
\??\c:\jdjpv.exec:\jdjpv.exe75⤵
-
\??\c:\1pjdj.exec:\1pjdj.exe76⤵
-
\??\c:\rlrrrxl.exec:\rlrrrxl.exe77⤵
-
\??\c:\llfxlrf.exec:\llfxlrf.exe78⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nhbnbb.exec:\nhbnbb.exe79⤵
-
\??\c:\hnhntb.exec:\hnhntb.exe80⤵
-
\??\c:\1vppd.exec:\1vppd.exe81⤵
-
\??\c:\9jppv.exec:\9jppv.exe82⤵
-
\??\c:\7fffrxr.exec:\7fffrxr.exe83⤵
-
\??\c:\xrlxlrf.exec:\xrlxlrf.exe84⤵
-
\??\c:\1nnnbh.exec:\1nnnbh.exe85⤵
-
\??\c:\tnnnnb.exec:\tnnnnb.exe86⤵
-
\??\c:\vjjjp.exec:\vjjjp.exe87⤵
-
\??\c:\7dddj.exec:\7dddj.exe88⤵
-
\??\c:\9fxxrxl.exec:\9fxxrxl.exe89⤵
-
\??\c:\hhnbth.exec:\hhnbth.exe90⤵
-
\??\c:\1tthtn.exec:\1tthtn.exe91⤵
-
\??\c:\ppjdj.exec:\ppjdj.exe92⤵
-
\??\c:\jdpdv.exec:\jdpdv.exe93⤵
-
\??\c:\lllrffl.exec:\lllrffl.exe94⤵
-
\??\c:\lrlrrxr.exec:\lrlrrxr.exe95⤵
-
\??\c:\9nnhbh.exec:\9nnhbh.exe96⤵
-
\??\c:\pjjjd.exec:\pjjjd.exe97⤵
-
\??\c:\pjpdp.exec:\pjpdp.exe98⤵
-
\??\c:\xfrrxrl.exec:\xfrrxrl.exe99⤵
-
\??\c:\xrfxlxf.exec:\xrfxlxf.exe100⤵
-
\??\c:\nthhtt.exec:\nthhtt.exe101⤵
-
\??\c:\7thtnb.exec:\7thtnb.exe102⤵
-
\??\c:\dpdpv.exec:\dpdpv.exe103⤵
-
\??\c:\dvddj.exec:\dvddj.exe104⤵
-
\??\c:\lfrfrxf.exec:\lfrfrxf.exe105⤵
-
\??\c:\rlxrxxl.exec:\rlxrxxl.exe106⤵
-
\??\c:\bbtbbh.exec:\bbtbbh.exe107⤵
-
\??\c:\bthnbn.exec:\bthnbn.exe108⤵
-
\??\c:\3vdpp.exec:\3vdpp.exe109⤵
-
\??\c:\3jvvv.exec:\3jvvv.exe110⤵
-
\??\c:\lfxlfxf.exec:\lfxlfxf.exe111⤵
-
\??\c:\fxfrflr.exec:\fxfrflr.exe112⤵
-
\??\c:\hhbtbh.exec:\hhbtbh.exe113⤵
-
\??\c:\nnhtbb.exec:\nnhtbb.exe114⤵
-
\??\c:\dvddd.exec:\dvddd.exe115⤵
-
\??\c:\dpdvd.exec:\dpdvd.exe116⤵
-
\??\c:\lfrrfrf.exec:\lfrrfrf.exe117⤵
-
\??\c:\1rlflxf.exec:\1rlflxf.exe118⤵
-
\??\c:\nhnbnt.exec:\nhnbnt.exe119⤵
-
\??\c:\5hbhnt.exec:\5hbhnt.exe120⤵
-
\??\c:\jdjpd.exec:\jdjpd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-