Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
29/08/2024, 05:34
General
-
Target
f9cb1eea530a3dee983a3f328d2458831137bf3ec8259e052f157f5f739109f1.exe
-
Size
96KB
-
MD5
2e5025eeefc7192c12d14f6e7234d9c8
-
SHA1
fc38fa5d794aba9d30ae82cb62e3c57aff804477
-
SHA256
f9cb1eea530a3dee983a3f328d2458831137bf3ec8259e052f157f5f739109f1
-
SHA512
3b226cae7fd45dadde4d5baf82176a107b4725b6e63d1094f687c028ca6f3c6d666ee4c190c6e1b9fc5a37069a165eb59895e0d353343d38a360487b8b18431a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+qP1hvZo66Ox4oq2SQwfTrg:ymb3NkkiQ3mdBjFIj+qNhvZuHQYfw4jS
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9cb1eea530a3dee983a3f328d2458831137bf3ec8259e052f157f5f739109f1.exe"C:\Users\Admin\AppData\Local\Temp\f9cb1eea530a3dee983a3f328d2458831137bf3ec8259e052f157f5f739109f1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvdj.exec:\pjvdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\480082.exec:\480082.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20882.exec:\20882.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2200222.exec:\2200222.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httnnh.exec:\httnnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxrfrl.exec:\rrxrfrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppdp.exec:\pppdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\662660.exec:\662660.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnbth.exec:\nbnbth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjvj.exec:\ddjvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82482.exec:\82482.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\64668.exec:\64668.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xxfflr.exec:\5xxfflr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\880800.exec:\880800.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0480246.exec:\0480246.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xlfxlx.exec:\5xlfxlx.exe17⤵
- Executes dropped EXE
-
\??\c:\820680.exec:\820680.exe18⤵
- Executes dropped EXE
-
\??\c:\2242628.exec:\2242628.exe19⤵
- Executes dropped EXE
-
\??\c:\c466406.exec:\c466406.exe20⤵
- Executes dropped EXE
-
\??\c:\rflrxfl.exec:\rflrxfl.exe21⤵
- Executes dropped EXE
-
\??\c:\8868062.exec:\8868062.exe22⤵
- Executes dropped EXE
-
\??\c:\vvjpd.exec:\vvjpd.exe23⤵
- Executes dropped EXE
-
\??\c:\3dpvd.exec:\3dpvd.exe24⤵
- Executes dropped EXE
-
\??\c:\5bntbn.exec:\5bntbn.exe25⤵
- Executes dropped EXE
-
\??\c:\482066.exec:\482066.exe26⤵
- Executes dropped EXE
-
\??\c:\9xflllr.exec:\9xflllr.exe27⤵
- Executes dropped EXE
-
\??\c:\8602884.exec:\8602884.exe28⤵
- Executes dropped EXE
-
\??\c:\260622.exec:\260622.exe29⤵
- Executes dropped EXE
-
\??\c:\3hbbhn.exec:\3hbbhn.exe30⤵
- Executes dropped EXE
-
\??\c:\88686.exec:\88686.exe31⤵
- Executes dropped EXE
-
\??\c:\jdvjj.exec:\jdvjj.exe32⤵
- Executes dropped EXE
-
\??\c:\i024264.exec:\i024264.exe33⤵
- Executes dropped EXE
-
\??\c:\26802.exec:\26802.exe34⤵
- Executes dropped EXE
-
\??\c:\rlffffl.exec:\rlffffl.exe35⤵
- Executes dropped EXE
-
\??\c:\208460.exec:\208460.exe36⤵
- Executes dropped EXE
-
\??\c:\86286.exec:\86286.exe37⤵
- Executes dropped EXE
-
\??\c:\400622.exec:\400622.exe38⤵
- Executes dropped EXE
-
\??\c:\xxxfffr.exec:\xxxfffr.exe39⤵
- Executes dropped EXE
-
\??\c:\64224.exec:\64224.exe40⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe41⤵
- Executes dropped EXE
-
\??\c:\lfxrllx.exec:\lfxrllx.exe42⤵
- Executes dropped EXE
-
\??\c:\rrllxfl.exec:\rrllxfl.exe43⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe44⤵
- Executes dropped EXE
-
\??\c:\042244.exec:\042244.exe45⤵
- Executes dropped EXE
-
\??\c:\20026.exec:\20026.exe46⤵
- Executes dropped EXE
-
\??\c:\8202046.exec:\8202046.exe47⤵
- Executes dropped EXE
-
\??\c:\040824.exec:\040824.exe48⤵
- Executes dropped EXE
-
\??\c:\lfrxflr.exec:\lfrxflr.exe49⤵
- Executes dropped EXE
-
\??\c:\llllxfl.exec:\llllxfl.exe50⤵
- Executes dropped EXE
-
\??\c:\hbbbnn.exec:\hbbbnn.exe51⤵
- Executes dropped EXE
-
\??\c:\4480246.exec:\4480246.exe52⤵
- Executes dropped EXE
-
\??\c:\0488662.exec:\0488662.exe53⤵
- Executes dropped EXE
-
\??\c:\thbbbn.exec:\thbbbn.exe54⤵
- Executes dropped EXE
-
\??\c:\02288.exec:\02288.exe55⤵
- Executes dropped EXE
-
\??\c:\pjpdj.exec:\pjpdj.exe56⤵
- Executes dropped EXE
-
\??\c:\9xrrxxf.exec:\9xrrxxf.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\824688.exec:\824688.exe58⤵
- Executes dropped EXE
-
\??\c:\226444.exec:\226444.exe59⤵
- Executes dropped EXE
-
\??\c:\o206440.exec:\o206440.exe60⤵
- Executes dropped EXE
-
\??\c:\jvdjp.exec:\jvdjp.exe61⤵
- Executes dropped EXE
-
\??\c:\vvjjv.exec:\vvjjv.exe62⤵
- Executes dropped EXE
-
\??\c:\flxrffr.exec:\flxrffr.exe63⤵
- Executes dropped EXE
-
\??\c:\ppddj.exec:\ppddj.exe64⤵
- Executes dropped EXE
-
\??\c:\6044062.exec:\6044062.exe65⤵
- Executes dropped EXE
-
\??\c:\3pvvd.exec:\3pvvd.exe66⤵
-
\??\c:\jdppd.exec:\jdppd.exe67⤵
-
\??\c:\dddpj.exec:\dddpj.exe68⤵
-
\??\c:\xxllrrf.exec:\xxllrrf.exe69⤵
-
\??\c:\226828.exec:\226828.exe70⤵
-
\??\c:\08402.exec:\08402.exe71⤵
-
\??\c:\2088480.exec:\2088480.exe72⤵
-
\??\c:\080640.exec:\080640.exe73⤵
-
\??\c:\48684.exec:\48684.exe74⤵
-
\??\c:\7vjjv.exec:\7vjjv.exe75⤵
-
\??\c:\nthhnn.exec:\nthhnn.exe76⤵
-
\??\c:\dvvdj.exec:\dvvdj.exe77⤵
-
\??\c:\7rfflxl.exec:\7rfflxl.exe78⤵
-
\??\c:\8868002.exec:\8868002.exe79⤵
-
\??\c:\o800628.exec:\o800628.exe80⤵
-
\??\c:\0428062.exec:\0428062.exe81⤵
-
\??\c:\48628.exec:\48628.exe82⤵
-
\??\c:\60222.exec:\60222.exe83⤵
-
\??\c:\frlflrx.exec:\frlflrx.exe84⤵
-
\??\c:\0024006.exec:\0024006.exe85⤵
-
\??\c:\46844.exec:\46844.exe86⤵
-
\??\c:\e86642.exec:\e86642.exe87⤵
-
\??\c:\0600224.exec:\0600224.exe88⤵
-
\??\c:\rrllxfl.exec:\rrllxfl.exe89⤵
-
\??\c:\nhntnt.exec:\nhntnt.exe90⤵
-
\??\c:\5djpv.exec:\5djpv.exe91⤵
-
\??\c:\e84804.exec:\e84804.exe92⤵
-
\??\c:\4288420.exec:\4288420.exe93⤵
-
\??\c:\082666.exec:\082666.exe94⤵
-
\??\c:\64664.exec:\64664.exe95⤵
-
\??\c:\jpvpv.exec:\jpvpv.exe96⤵
-
\??\c:\lrxrllr.exec:\lrxrllr.exe97⤵
-
\??\c:\nbhntn.exec:\nbhntn.exe98⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe99⤵
-
\??\c:\fxrfxfl.exec:\fxrfxfl.exe100⤵
-
\??\c:\82888.exec:\82888.exe101⤵
-
\??\c:\3nbbbb.exec:\3nbbbb.exe102⤵
-
\??\c:\3vjdj.exec:\3vjdj.exe103⤵
-
\??\c:\lfllllr.exec:\lfllllr.exe104⤵
-
\??\c:\fxrxlrf.exec:\fxrxlrf.exe105⤵
-
\??\c:\tntnnb.exec:\tntnnb.exe106⤵
-
\??\c:\04624.exec:\04624.exe107⤵
-
\??\c:\442240.exec:\442240.exe108⤵
-
\??\c:\nhtbbh.exec:\nhtbbh.exe109⤵
-
\??\c:\202284.exec:\202284.exe110⤵
-
\??\c:\7jppp.exec:\7jppp.exe111⤵
-
\??\c:\202666.exec:\202666.exe112⤵
-
\??\c:\vjvdj.exec:\vjvdj.exe113⤵
-
\??\c:\2280426.exec:\2280426.exe114⤵
-
\??\c:\86802.exec:\86802.exe115⤵
-
\??\c:\08624.exec:\08624.exe116⤵
-
\??\c:\20606.exec:\20606.exe117⤵
-
\??\c:\6460000.exec:\6460000.exe118⤵
-
\??\c:\o440040.exec:\o440040.exe119⤵
-
\??\c:\42440.exec:\42440.exe120⤵
-
\??\c:\9lxrrrr.exec:\9lxrrrr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-