Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
01/09/2024, 00:00
General
-
Target
8f66ece1f20b14b5cd671ca36adb3c7bd154b31ec0e863ba17f51e9ddfeee0bd.exe
-
Size
374KB
-
MD5
9d507aad3c02f54230b83871ae598dd3
-
SHA1
0df806e29a740966b43df96c0b78c265b28d68c7
-
SHA256
8f66ece1f20b14b5cd671ca36adb3c7bd154b31ec0e863ba17f51e9ddfeee0bd
-
SHA512
c3f060345252284e6966e8f78fcde5081bd306a3db08f5b770f27c4e508d403898a4d984cbc64b22ae909c630187b08a3fa0d93de82c3878504c67cd9563920c
-
SSDEEP
6144:n3C9BRIG0asYFm71mJl3/X8mak5gNv9rC8IwLaYNUvtTxTKMMB:n3C9uYA7i3/stR9HGYyvtTxTKMg
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f66ece1f20b14b5cd671ca36adb3c7bd154b31ec0e863ba17f51e9ddfeee0bd.exe"C:\Users\Admin\AppData\Local\Temp\8f66ece1f20b14b5cd671ca36adb3c7bd154b31ec0e863ba17f51e9ddfeee0bd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjvj.exec:\jjjvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5llxlxx.exec:\5llxlxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9djdd.exec:\9djdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nhnbh.exec:\7nhnbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdpv.exec:\ppdpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3frrffl.exec:\3frrffl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vvvp.exec:\1vvvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3llrrxl.exec:\3llrrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvdp.exec:\vvvdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxlxfl.exec:\lfxlxfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bhnbt.exec:\1bhnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjpv.exec:\jjjpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrxfr.exec:\fxlrxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjpd.exec:\dvjpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxflrxl.exec:\xxflrxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjvp.exec:\ddjvp.exe17⤵
- Executes dropped EXE
-
\??\c:\lxxxlll.exec:\lxxxlll.exe18⤵
- Executes dropped EXE
-
\??\c:\bttnth.exec:\bttnth.exe19⤵
- Executes dropped EXE
-
\??\c:\5vvjv.exec:\5vvjv.exe20⤵
- Executes dropped EXE
-
\??\c:\btbnbh.exec:\btbnbh.exe21⤵
- Executes dropped EXE
-
\??\c:\bnnhhn.exec:\bnnhhn.exe22⤵
- Executes dropped EXE
-
\??\c:\lrxlxxf.exec:\lrxlxxf.exe23⤵
- Executes dropped EXE
-
\??\c:\bttthh.exec:\bttthh.exe24⤵
- Executes dropped EXE
-
\??\c:\jjjpd.exec:\jjjpd.exe25⤵
- Executes dropped EXE
-
\??\c:\rlrlxrl.exec:\rlrlxrl.exe26⤵
- Executes dropped EXE
-
\??\c:\vpppj.exec:\vpppj.exe27⤵
- Executes dropped EXE
-
\??\c:\llxxllx.exec:\llxxllx.exe28⤵
- Executes dropped EXE
-
\??\c:\bthhnn.exec:\bthhnn.exe29⤵
- Executes dropped EXE
-
\??\c:\3dvdv.exec:\3dvdv.exe30⤵
- Executes dropped EXE
-
\??\c:\htbbht.exec:\htbbht.exe31⤵
- Executes dropped EXE
-
\??\c:\7dvvp.exec:\7dvvp.exe32⤵
- Executes dropped EXE
-
\??\c:\fxlxfll.exec:\fxlxfll.exe33⤵
- Executes dropped EXE
-
\??\c:\9nhhtb.exec:\9nhhtb.exe34⤵
- Executes dropped EXE
-
\??\c:\ddjjd.exec:\ddjjd.exe35⤵
- Executes dropped EXE
-
\??\c:\rrxflrf.exec:\rrxflrf.exe36⤵
- Executes dropped EXE
-
\??\c:\bbhhtb.exec:\bbhhtb.exe37⤵
- Executes dropped EXE
-
\??\c:\dvjjj.exec:\dvjjj.exe38⤵
- Executes dropped EXE
-
\??\c:\vpjpd.exec:\vpjpd.exe39⤵
- Executes dropped EXE
-
\??\c:\7xllrfl.exec:\7xllrfl.exe40⤵
- Executes dropped EXE
-
\??\c:\5bntbb.exec:\5bntbb.exe41⤵
- Executes dropped EXE
-
\??\c:\7vvjp.exec:\7vvjp.exe42⤵
- Executes dropped EXE
-
\??\c:\lxxflrl.exec:\lxxflrl.exe43⤵
- Executes dropped EXE
-
\??\c:\rrlrllx.exec:\rrlrllx.exe44⤵
- Executes dropped EXE
-
\??\c:\bnbbbb.exec:\bnbbbb.exe45⤵
- Executes dropped EXE
-
\??\c:\vpppv.exec:\vpppv.exe46⤵
- Executes dropped EXE
-
\??\c:\frffllr.exec:\frffllr.exe47⤵
- Executes dropped EXE
-
\??\c:\flxlrrx.exec:\flxlrrx.exe48⤵
- Executes dropped EXE
-
\??\c:\nnbbtt.exec:\nnbbtt.exe49⤵
- Executes dropped EXE
-
\??\c:\vvppv.exec:\vvppv.exe50⤵
- Executes dropped EXE
-
\??\c:\3rxxflr.exec:\3rxxflr.exe51⤵
- Executes dropped EXE
-
\??\c:\btbnnn.exec:\btbnnn.exe52⤵
- Executes dropped EXE
-
\??\c:\pvvpv.exec:\pvvpv.exe53⤵
- Executes dropped EXE
-
\??\c:\ddvdp.exec:\ddvdp.exe54⤵
- Executes dropped EXE
-
\??\c:\rxflrrr.exec:\rxflrrr.exe55⤵
- Executes dropped EXE
-
\??\c:\hhntbh.exec:\hhntbh.exe56⤵
- Executes dropped EXE
-
\??\c:\hhtthh.exec:\hhtthh.exe57⤵
- Executes dropped EXE
-
\??\c:\9pddj.exec:\9pddj.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xrflrrf.exec:\xrflrrf.exe59⤵
- Executes dropped EXE
-
\??\c:\ntthbh.exec:\ntthbh.exe60⤵
- Executes dropped EXE
-
\??\c:\ttbnhn.exec:\ttbnhn.exe61⤵
- Executes dropped EXE
-
\??\c:\1pdpp.exec:\1pdpp.exe62⤵
- Executes dropped EXE
-
\??\c:\5flrflr.exec:\5flrflr.exe63⤵
- Executes dropped EXE
-
\??\c:\7nhnbn.exec:\7nhnbn.exe64⤵
- Executes dropped EXE
-
\??\c:\7jjpv.exec:\7jjpv.exe65⤵
- Executes dropped EXE
-
\??\c:\pjdjv.exec:\pjdjv.exe66⤵
-
\??\c:\rrrlrxl.exec:\rrrlrxl.exe67⤵
-
\??\c:\hbnthn.exec:\hbnthn.exe68⤵
-
\??\c:\5ntbbh.exec:\5ntbbh.exe69⤵
-
\??\c:\7pvdj.exec:\7pvdj.exe70⤵
-
\??\c:\9xxflxf.exec:\9xxflxf.exe71⤵
-
\??\c:\rlxrxfr.exec:\rlxrxfr.exe72⤵
-
\??\c:\tthbnn.exec:\tthbnn.exe73⤵
-
\??\c:\5ddvj.exec:\5ddvj.exe74⤵
-
\??\c:\ppdpj.exec:\ppdpj.exe75⤵
-
\??\c:\1rllrrf.exec:\1rllrrf.exe76⤵
-
\??\c:\bbhhnt.exec:\bbhhnt.exe77⤵
-
\??\c:\vdvjv.exec:\vdvjv.exe78⤵
-
\??\c:\pppvd.exec:\pppvd.exe79⤵
-
\??\c:\fxffrxl.exec:\fxffrxl.exe80⤵
-
\??\c:\xfrlrfr.exec:\xfrlrfr.exe81⤵
-
\??\c:\1thbhn.exec:\1thbhn.exe82⤵
-
\??\c:\dvpvp.exec:\dvpvp.exe83⤵
-
\??\c:\pdpvv.exec:\pdpvv.exe84⤵
-
\??\c:\fxrllxr.exec:\fxrllxr.exe85⤵
-
\??\c:\7tbtnb.exec:\7tbtnb.exe86⤵
-
\??\c:\hbbnbh.exec:\hbbnbh.exe87⤵
-
\??\c:\djjjv.exec:\djjjv.exe88⤵
-
\??\c:\ffflxxr.exec:\ffflxxr.exe89⤵
-
\??\c:\lflrfxf.exec:\lflrfxf.exe90⤵
-
\??\c:\hbtthh.exec:\hbtthh.exe91⤵
-
\??\c:\vvjvd.exec:\vvjvd.exe92⤵
-
\??\c:\ppjpp.exec:\ppjpp.exe93⤵
-
\??\c:\ffrfxll.exec:\ffrfxll.exe94⤵
-
\??\c:\7hbntt.exec:\7hbntt.exe95⤵
-
\??\c:\bthnnn.exec:\bthnnn.exe96⤵
-
\??\c:\vvpjp.exec:\vvpjp.exe97⤵
-
\??\c:\jpjjv.exec:\jpjjv.exe98⤵
-
\??\c:\9lxxxrl.exec:\9lxxxrl.exe99⤵
-
\??\c:\ttnnbb.exec:\ttnnbb.exe100⤵
-
\??\c:\bhhttt.exec:\bhhttt.exe101⤵
-
\??\c:\5pjpv.exec:\5pjpv.exe102⤵
-
\??\c:\rfrrllx.exec:\rfrrllx.exe103⤵
-
\??\c:\xrfrlrr.exec:\xrfrlrr.exe104⤵
-
\??\c:\tnhhtt.exec:\tnhhtt.exe105⤵
-
\??\c:\bntthn.exec:\bntthn.exe106⤵
-
\??\c:\vvvjd.exec:\vvvjd.exe107⤵
-
\??\c:\ffrflrf.exec:\ffrflrf.exe108⤵
-
\??\c:\tnbhtb.exec:\tnbhtb.exe109⤵
-
\??\c:\bhnhth.exec:\bhnhth.exe110⤵
-
\??\c:\5vpjd.exec:\5vpjd.exe111⤵
-
\??\c:\lfrxflx.exec:\lfrxflx.exe112⤵
-
\??\c:\frlxffl.exec:\frlxffl.exe113⤵
-
\??\c:\tnhhtb.exec:\tnhhtb.exe114⤵
-
\??\c:\jjjvj.exec:\jjjvj.exe115⤵
-
\??\c:\vpddj.exec:\vpddj.exe116⤵
-
\??\c:\lxlfllx.exec:\lxlfllx.exe117⤵
-
\??\c:\hbtntb.exec:\hbtntb.exe118⤵
-
\??\c:\hnnttt.exec:\hnnttt.exe119⤵
-
\??\c:\5vdpj.exec:\5vdpj.exe120⤵
-
\??\c:\xrxrrrf.exec:\xrxrrrf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-