Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
26/08/2024, 03:52
General
-
Target
1f7363470c3bce86c3f463a3d1d0f980N.exe
-
Size
85KB
-
MD5
1f7363470c3bce86c3f463a3d1d0f980
-
SHA1
f7fefeafbad453a4e25372b7fccbd774497c76be
-
SHA256
c69851805e7a1e39b43576404553a57958a5ae08921d46e6094695735983cfcf
-
SHA512
3c3e54cc32a2a5d62bd4b69c9ba642a9869c6ba85d1b05e4e9e71d328897b50ae1f2f44c0c26f15c301776747ac22090bb9a68eace5d3d69f4a4db103ff64678
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoAXPfgr2hKmdbcPi2vzK:ymb3NkkiQ3mdBjFo6Pfgy3dbc/zK
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f7363470c3bce86c3f463a3d1d0f980N.exe"C:\Users\Admin\AppData\Local\Temp\1f7363470c3bce86c3f463a3d1d0f980N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtnht.exec:\hhtnht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhthn.exec:\hhhthn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjpj.exec:\vvjpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxrxrl.exec:\xxxrxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrflxf.exec:\flrflxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnttb.exec:\hbnttb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbthnh.exec:\tbthnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvpj.exec:\pjvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrfxfl.exec:\ffrfxfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnhtb.exec:\bbnhtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppvp.exec:\pppvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdvj.exec:\vvdvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xxrlxl.exec:\5xxrlxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbntht.exec:\bbntht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpvp.exec:\djpvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlxrlf.exec:\xxlxrlf.exe17⤵
- Executes dropped EXE
-
\??\c:\tnnthn.exec:\tnnthn.exe18⤵
- Executes dropped EXE
-
\??\c:\nhtbth.exec:\nhtbth.exe19⤵
- Executes dropped EXE
-
\??\c:\3jppv.exec:\3jppv.exe20⤵
- Executes dropped EXE
-
\??\c:\lllffxx.exec:\lllffxx.exe21⤵
- Executes dropped EXE
-
\??\c:\ffxfrxr.exec:\ffxfrxr.exe22⤵
- Executes dropped EXE
-
\??\c:\9ntbnh.exec:\9ntbnh.exe23⤵
- Executes dropped EXE
-
\??\c:\jjjvj.exec:\jjjvj.exe24⤵
- Executes dropped EXE
-
\??\c:\rrfrlfx.exec:\rrfrlfx.exe25⤵
- Executes dropped EXE
-
\??\c:\rrlxlrf.exec:\rrlxlrf.exe26⤵
- Executes dropped EXE
-
\??\c:\hnthht.exec:\hnthht.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\3ppdp.exec:\3ppdp.exe28⤵
- Executes dropped EXE
-
\??\c:\vjdpp.exec:\vjdpp.exe29⤵
- Executes dropped EXE
-
\??\c:\3lrffxl.exec:\3lrffxl.exe30⤵
- Executes dropped EXE
-
\??\c:\btnnbn.exec:\btnnbn.exe31⤵
- Executes dropped EXE
-
\??\c:\nbbnnn.exec:\nbbnnn.exe32⤵
- Executes dropped EXE
-
\??\c:\7jdjj.exec:\7jdjj.exe33⤵
- Executes dropped EXE
-
\??\c:\rxxrxxr.exec:\rxxrxxr.exe34⤵
- Executes dropped EXE
-
\??\c:\fxfrlrf.exec:\fxfrlrf.exe35⤵
- Executes dropped EXE
-
\??\c:\llxrrll.exec:\llxrrll.exe36⤵
- Executes dropped EXE
-
\??\c:\3hbhtb.exec:\3hbhtb.exe37⤵
- Executes dropped EXE
-
\??\c:\9bbtnt.exec:\9bbtnt.exe38⤵
- Executes dropped EXE
-
\??\c:\vvdjv.exec:\vvdjv.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\vvppd.exec:\vvppd.exe40⤵
- Executes dropped EXE
-
\??\c:\3rrfrff.exec:\3rrfrff.exe41⤵
- Executes dropped EXE
-
\??\c:\xrlfrlr.exec:\xrlfrlr.exe42⤵
- Executes dropped EXE
-
\??\c:\hhtnhn.exec:\hhtnhn.exe43⤵
- Executes dropped EXE
-
\??\c:\djvjd.exec:\djvjd.exe44⤵
- Executes dropped EXE
-
\??\c:\7jvvj.exec:\7jvvj.exe45⤵
- Executes dropped EXE
-
\??\c:\lfxflrf.exec:\lfxflrf.exe46⤵
- Executes dropped EXE
-
\??\c:\llfxrlf.exec:\llfxrlf.exe47⤵
- Executes dropped EXE
-
\??\c:\hhttth.exec:\hhttth.exe48⤵
- Executes dropped EXE
-
\??\c:\3nhbbn.exec:\3nhbbn.exe49⤵
- Executes dropped EXE
-
\??\c:\pdpdp.exec:\pdpdp.exe50⤵
- Executes dropped EXE
-
\??\c:\pdvjv.exec:\pdvjv.exe51⤵
- Executes dropped EXE
-
\??\c:\xxfrlrf.exec:\xxfrlrf.exe52⤵
- Executes dropped EXE
-
\??\c:\5flfxrl.exec:\5flfxrl.exe53⤵
- Executes dropped EXE
-
\??\c:\nhhtht.exec:\nhhtht.exe54⤵
- Executes dropped EXE
-
\??\c:\1hthhb.exec:\1hthhb.exe55⤵
- Executes dropped EXE
-
\??\c:\5vpdj.exec:\5vpdj.exe56⤵
- Executes dropped EXE
-
\??\c:\5ddjv.exec:\5ddjv.exe57⤵
- Executes dropped EXE
-
\??\c:\xrfxxlf.exec:\xrfxxlf.exe58⤵
- Executes dropped EXE
-
\??\c:\thhttn.exec:\thhttn.exe59⤵
- Executes dropped EXE
-
\??\c:\nnbtnb.exec:\nnbtnb.exe60⤵
- Executes dropped EXE
-
\??\c:\9tnbnb.exec:\9tnbnb.exe61⤵
- Executes dropped EXE
-
\??\c:\jdpvj.exec:\jdpvj.exe62⤵
- Executes dropped EXE
-
\??\c:\lfxlrfr.exec:\lfxlrfr.exe63⤵
- Executes dropped EXE
-
\??\c:\1xrxrxr.exec:\1xrxrxr.exe64⤵
- Executes dropped EXE
-
\??\c:\tnbnhh.exec:\tnbnhh.exe65⤵
- Executes dropped EXE
-
\??\c:\bttnnh.exec:\bttnnh.exe66⤵
-
\??\c:\7pjjd.exec:\7pjjd.exe67⤵
-
\??\c:\vpppv.exec:\vpppv.exe68⤵
-
\??\c:\5ffllxf.exec:\5ffllxf.exe69⤵
-
\??\c:\1fxrfrx.exec:\1fxrfrx.exe70⤵
-
\??\c:\3hhhnn.exec:\3hhhnn.exe71⤵
-
\??\c:\ttntnb.exec:\ttntnb.exe72⤵
-
\??\c:\djjvp.exec:\djjvp.exe73⤵
-
\??\c:\vvjjj.exec:\vvjjj.exe74⤵
- System Location Discovery: System Language Discovery
-
\??\c:\fxlxffr.exec:\fxlxffr.exe75⤵
-
\??\c:\llfxlrf.exec:\llfxlrf.exe76⤵
-
\??\c:\btnthh.exec:\btnthh.exe77⤵
-
\??\c:\tnnhnt.exec:\tnnhnt.exe78⤵
-
\??\c:\5ppvp.exec:\5ppvp.exe79⤵
-
\??\c:\1ppjv.exec:\1ppjv.exe80⤵
-
\??\c:\ffrlfff.exec:\ffrlfff.exe81⤵
-
\??\c:\rrlxlxf.exec:\rrlxlxf.exe82⤵
-
\??\c:\hnnnnb.exec:\hnnnnb.exe83⤵
-
\??\c:\thtbnt.exec:\thtbnt.exe84⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe85⤵
-
\??\c:\9jjjp.exec:\9jjjp.exe86⤵
-
\??\c:\xllxrrf.exec:\xllxrrf.exe87⤵
-
\??\c:\xxlfrfr.exec:\xxlfrfr.exe88⤵
-
\??\c:\bttbtt.exec:\bttbtt.exe89⤵
-
\??\c:\nhthht.exec:\nhthht.exe90⤵
-
\??\c:\jvpvp.exec:\jvpvp.exe91⤵
-
\??\c:\1dvdv.exec:\1dvdv.exe92⤵
-
\??\c:\3jvdv.exec:\3jvdv.exe93⤵
-
\??\c:\lrlrflf.exec:\lrlrflf.exe94⤵
-
\??\c:\rrfxrxx.exec:\rrfxrxx.exe95⤵
-
\??\c:\ttbnhn.exec:\ttbnhn.exe96⤵
-
\??\c:\hbnhnb.exec:\hbnhnb.exe97⤵
-
\??\c:\pvjpj.exec:\pvjpj.exe98⤵
-
\??\c:\1vdvj.exec:\1vdvj.exe99⤵
-
\??\c:\5lxfrxl.exec:\5lxfrxl.exe100⤵
-
\??\c:\lffrlrl.exec:\lffrlrl.exe101⤵
-
\??\c:\nnnbtn.exec:\nnnbtn.exe102⤵
-
\??\c:\hbttnb.exec:\hbttnb.exe103⤵
-
\??\c:\jdvjd.exec:\jdvjd.exe104⤵
-
\??\c:\jvjjd.exec:\jvjjd.exe105⤵
-
\??\c:\ffflxlx.exec:\ffflxlx.exe106⤵
-
\??\c:\hhnbth.exec:\hhnbth.exe107⤵
- System Location Discovery: System Language Discovery
-
\??\c:\7htthn.exec:\7htthn.exe108⤵
-
\??\c:\dvvjj.exec:\dvvjj.exe109⤵
-
\??\c:\jdjpj.exec:\jdjpj.exe110⤵
-
\??\c:\lffrrfr.exec:\lffrrfr.exe111⤵
-
\??\c:\rlffllx.exec:\rlffllx.exe112⤵
-
\??\c:\ntnbbb.exec:\ntnbbb.exe113⤵
-
\??\c:\bthnbb.exec:\bthnbb.exe114⤵
-
\??\c:\hbthbn.exec:\hbthbn.exe115⤵
-
\??\c:\dvpdp.exec:\dvpdp.exe116⤵
-
\??\c:\dvjvp.exec:\dvjvp.exe117⤵
-
\??\c:\llxlffr.exec:\llxlffr.exe118⤵
-
\??\c:\rrlrlrr.exec:\rrlrlrr.exe119⤵
-
\??\c:\5nnbnb.exec:\5nnbnb.exe120⤵
-
\??\c:\btntnb.exec:\btntnb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-