Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
24/08/2024, 04:19
General
-
Target
19d0c65482ad77c6385914b10c736e40N.exe
-
Size
92KB
-
MD5
19d0c65482ad77c6385914b10c736e40
-
SHA1
c2e2acca004dc77bc83a2d304255f57ac706ba17
-
SHA256
56910911ada561beacb746c62f51ad8e5e8df7b933b33395b4daeef6c2a1aa8a
-
SHA512
39ba708b0e5a2099480bc06c16403cf12b075efaf33ddd6437db8180430f9367e0f3143278466977f39c0b8b5eb7a88219b2f11c4a3d1af1bc1b09048cb7dca3
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIS7/b9EUeWpEC3alBlwtn8BLn9q:ymb3NkkiQ3mdBjFIi/REUZnKlb94h
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\19d0c65482ad77c6385914b10c736e40N.exe"C:\Users\Admin\AppData\Local\Temp\19d0c65482ad77c6385914b10c736e40N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\9rffrlf.exec:\9rffrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ffflrr.exec:\1ffflrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5thhht.exec:\5thhht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdpvj.exec:\pdpvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flfxxlx.exec:\flfxxlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxfxl.exec:\lfrxfxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbhnb.exec:\btbhnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7pvpv.exec:\7pvpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxrxlx.exec:\ffxrxlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lxxllr.exec:\7lxxllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnnbb.exec:\nhnnbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvdj.exec:\pjvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjppv.exec:\pjppv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xrlflr.exec:\7xrlflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbnbh.exec:\hhbnbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddpv.exec:\jddpv.exe17⤵
- Executes dropped EXE
-
\??\c:\pdpjv.exec:\pdpjv.exe18⤵
- Executes dropped EXE
-
\??\c:\9lxfrxf.exec:\9lxfrxf.exe19⤵
- Executes dropped EXE
-
\??\c:\lxrrrxr.exec:\lxrrrxr.exe20⤵
- Executes dropped EXE
-
\??\c:\tnhhnt.exec:\tnhhnt.exe21⤵
- Executes dropped EXE
-
\??\c:\vppvd.exec:\vppvd.exe22⤵
- Executes dropped EXE
-
\??\c:\1jpjp.exec:\1jpjp.exe23⤵
- Executes dropped EXE
-
\??\c:\xfrxxxf.exec:\xfrxxxf.exe24⤵
- Executes dropped EXE
-
\??\c:\fxrxxxf.exec:\fxrxxxf.exe25⤵
- Executes dropped EXE
-
\??\c:\nnhhbb.exec:\nnhhbb.exe26⤵
- Executes dropped EXE
-
\??\c:\3hbtbb.exec:\3hbtbb.exe27⤵
- Executes dropped EXE
-
\??\c:\pjpdj.exec:\pjpdj.exe28⤵
- Executes dropped EXE
-
\??\c:\vpddj.exec:\vpddj.exe29⤵
- Executes dropped EXE
-
\??\c:\fxlfxfl.exec:\fxlfxfl.exe30⤵
- Executes dropped EXE
-
\??\c:\thbbtt.exec:\thbbtt.exe31⤵
- Executes dropped EXE
-
\??\c:\bnbhhn.exec:\bnbhhn.exe32⤵
- Executes dropped EXE
-
\??\c:\pjdjv.exec:\pjdjv.exe33⤵
- Executes dropped EXE
-
\??\c:\5xllrlr.exec:\5xllrlr.exe34⤵
- Executes dropped EXE
-
\??\c:\fxfrxxf.exec:\fxfrxxf.exe35⤵
- Executes dropped EXE
-
\??\c:\nhntbb.exec:\nhntbb.exe36⤵
- Executes dropped EXE
-
\??\c:\3ntntt.exec:\3ntntt.exe37⤵
- Executes dropped EXE
-
\??\c:\pjjvj.exec:\pjjvj.exe38⤵
- Executes dropped EXE
-
\??\c:\lfrlllr.exec:\lfrlllr.exe39⤵
- Executes dropped EXE
-
\??\c:\frrxflr.exec:\frrxflr.exe40⤵
- Executes dropped EXE
-
\??\c:\bnnbbb.exec:\bnnbbb.exe41⤵
- Executes dropped EXE
-
\??\c:\9bnntb.exec:\9bnntb.exe42⤵
- Executes dropped EXE
-
\??\c:\pjpjp.exec:\pjpjp.exe43⤵
- Executes dropped EXE
-
\??\c:\pjvpv.exec:\pjvpv.exe44⤵
- Executes dropped EXE
-
\??\c:\xrrfxlx.exec:\xrrfxlx.exe45⤵
- Executes dropped EXE
-
\??\c:\rlrrxrf.exec:\rlrrxrf.exe46⤵
- Executes dropped EXE
-
\??\c:\hbnntt.exec:\hbnntt.exe47⤵
- Executes dropped EXE
-
\??\c:\thtttt.exec:\thtttt.exe48⤵
- Executes dropped EXE
-
\??\c:\dpvdd.exec:\dpvdd.exe49⤵
- Executes dropped EXE
-
\??\c:\vpppd.exec:\vpppd.exe50⤵
- Executes dropped EXE
-
\??\c:\rrllxxf.exec:\rrllxxf.exe51⤵
- Executes dropped EXE
-
\??\c:\5xlxfxf.exec:\5xlxfxf.exe52⤵
- Executes dropped EXE
-
\??\c:\9nnbbb.exec:\9nnbbb.exe53⤵
- Executes dropped EXE
-
\??\c:\tnbnhh.exec:\tnbnhh.exe54⤵
- Executes dropped EXE
-
\??\c:\thhbtn.exec:\thhbtn.exe55⤵
- Executes dropped EXE
-
\??\c:\vpjpp.exec:\vpjpp.exe56⤵
- Executes dropped EXE
-
\??\c:\5vdjj.exec:\5vdjj.exe57⤵
- Executes dropped EXE
-
\??\c:\dpjdj.exec:\dpjdj.exe58⤵
- Executes dropped EXE
-
\??\c:\5fxrllr.exec:\5fxrllr.exe59⤵
- Executes dropped EXE
-
\??\c:\xlfxlrr.exec:\xlfxlrr.exe60⤵
- Executes dropped EXE
-
\??\c:\7hhtnb.exec:\7hhtnb.exe61⤵
- Executes dropped EXE
-
\??\c:\1dvdd.exec:\1dvdd.exe62⤵
- Executes dropped EXE
-
\??\c:\pdpjp.exec:\pdpjp.exe63⤵
- Executes dropped EXE
-
\??\c:\pddvv.exec:\pddvv.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\rfrllll.exec:\rfrllll.exe65⤵
- Executes dropped EXE
-
\??\c:\3xfrxrf.exec:\3xfrxrf.exe66⤵
-
\??\c:\nbttnt.exec:\nbttnt.exe67⤵
-
\??\c:\thtthh.exec:\thtthh.exe68⤵
-
\??\c:\nhnnbt.exec:\nhnnbt.exe69⤵
-
\??\c:\pvvvd.exec:\pvvvd.exe70⤵
-
\??\c:\vpvvd.exec:\vpvvd.exe71⤵
-
\??\c:\rlflxfx.exec:\rlflxfx.exe72⤵
-
\??\c:\9rlrflr.exec:\9rlrflr.exe73⤵
-
\??\c:\thhntb.exec:\thhntb.exe74⤵
-
\??\c:\bntntn.exec:\bntntn.exe75⤵
-
\??\c:\htnhnn.exec:\htnhnn.exe76⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe77⤵
-
\??\c:\pddvd.exec:\pddvd.exe78⤵
-
\??\c:\9pvpp.exec:\9pvpp.exe79⤵
-
\??\c:\xrlrrlf.exec:\xrlrrlf.exe80⤵
-
\??\c:\rlxxlfl.exec:\rlxxlfl.exe81⤵
-
\??\c:\hthnhn.exec:\hthnhn.exe82⤵
-
\??\c:\9htnnn.exec:\9htnnn.exe83⤵
-
\??\c:\nhbhnn.exec:\nhbhnn.exe84⤵
-
\??\c:\1vjjj.exec:\1vjjj.exe85⤵
-
\??\c:\xxflrxf.exec:\xxflrxf.exe86⤵
-
\??\c:\xrfrlrr.exec:\xrfrlrr.exe87⤵
-
\??\c:\5hbnhh.exec:\5hbnhh.exe88⤵
-
\??\c:\nhhnbh.exec:\nhhnbh.exe89⤵
-
\??\c:\7btthh.exec:\7btthh.exe90⤵
-
\??\c:\vpddp.exec:\vpddp.exe91⤵
-
\??\c:\lxrllrx.exec:\lxrllrx.exe92⤵
-
\??\c:\lxffxrr.exec:\lxffxrr.exe93⤵
-
\??\c:\7bnbbh.exec:\7bnbbh.exe94⤵
-
\??\c:\3thnbn.exec:\3thnbn.exe95⤵
-
\??\c:\3ddjp.exec:\3ddjp.exe96⤵
-
\??\c:\dpjdv.exec:\dpjdv.exe97⤵
-
\??\c:\fxflxxf.exec:\fxflxxf.exe98⤵
-
\??\c:\llfllrf.exec:\llfllrf.exe99⤵
-
\??\c:\tbnnnh.exec:\tbnnnh.exe100⤵
-
\??\c:\7thttt.exec:\7thttt.exe101⤵
-
\??\c:\dvjjd.exec:\dvjjd.exe102⤵
- System Location Discovery: System Language Discovery
-
\??\c:\frlllxl.exec:\frlllxl.exe103⤵
-
\??\c:\rlxxffr.exec:\rlxxffr.exe104⤵
-
\??\c:\xrlfrrr.exec:\xrlfrrr.exe105⤵
-
\??\c:\tthhtb.exec:\tthhtb.exe106⤵
-
\??\c:\7btnbh.exec:\7btnbh.exe107⤵
-
\??\c:\vpvvd.exec:\vpvvd.exe108⤵
-
\??\c:\pjpvv.exec:\pjpvv.exe109⤵
-
\??\c:\5rlrxxf.exec:\5rlrxxf.exe110⤵
-
\??\c:\lflrxrl.exec:\lflrxrl.exe111⤵
-
\??\c:\dvdpd.exec:\dvdpd.exe112⤵
-
\??\c:\1dddd.exec:\1dddd.exe113⤵
-
\??\c:\lfxflfl.exec:\lfxflfl.exe114⤵
-
\??\c:\5lxxxrr.exec:\5lxxxrr.exe115⤵
-
\??\c:\7ffxxrf.exec:\7ffxxrf.exe116⤵
-
\??\c:\tnbbnn.exec:\tnbbnn.exe117⤵
-
\??\c:\tnbbtb.exec:\tnbbtb.exe118⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe119⤵
-
\??\c:\ddjdj.exec:\ddjdj.exe120⤵
-
\??\c:\9rlrxfl.exec:\9rlrxfl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-