Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
02/09/2024, 00:57
General
-
Target
5a2f17a571075e8716d28ae94a69b50eaa042d2cee5bc834601c986779af7ba6.exe
-
Size
71KB
-
MD5
5206e13281a5a2ec34dd159ed0643c94
-
SHA1
80c17d25e960c1eb58f0e5b245aaec297505ae65
-
SHA256
5a2f17a571075e8716d28ae94a69b50eaa042d2cee5bc834601c986779af7ba6
-
SHA512
961bab46a51921885139d7faaae396a2e387f8bbd775be16ffb9e38fafac626e343889462d30b72070be750216e08356472f55b2179dc84bc3ecbeaa91f08238
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+qP1hgVsz:ymb3NkkiQ3mdBjFIj+qNhgVsz
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a2f17a571075e8716d28ae94a69b50eaa042d2cee5bc834601c986779af7ba6.exe"C:\Users\Admin\AppData\Local\Temp\5a2f17a571075e8716d28ae94a69b50eaa042d2cee5bc834601c986779af7ba6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7lllxxx.exec:\7lllxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nntthn.exec:\nntthn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnhnn.exec:\ttnhnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7llrxfr.exec:\7llrxfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tnthn.exec:\5tnthn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bthnt.exec:\5bthnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvdj.exec:\vpvdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlflrfx.exec:\rlflrfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5nhthn.exec:\5nhthn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbbnt.exec:\bbbbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpdj.exec:\ddpdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrrxxl.exec:\lxrrxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nhtnb.exec:\9nhtnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bnttn.exec:\9bnttn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdppv.exec:\jdppv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllrxf.exec:\fxllrxf.exe17⤵
- Executes dropped EXE
-
\??\c:\hbntbb.exec:\hbntbb.exe18⤵
- Executes dropped EXE
-
\??\c:\9bnntt.exec:\9bnntt.exe19⤵
- Executes dropped EXE
-
\??\c:\vddvd.exec:\vddvd.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\pjvjp.exec:\pjvjp.exe21⤵
- Executes dropped EXE
-
\??\c:\lfxrfrl.exec:\lfxrfrl.exe22⤵
- Executes dropped EXE
-
\??\c:\rlxxxfx.exec:\rlxxxfx.exe23⤵
- Executes dropped EXE
-
\??\c:\nhhnnn.exec:\nhhnnn.exe24⤵
- Executes dropped EXE
-
\??\c:\vvvpd.exec:\vvvpd.exe25⤵
- Executes dropped EXE
-
\??\c:\9lfrrxx.exec:\9lfrrxx.exe26⤵
- Executes dropped EXE
-
\??\c:\3rrflrx.exec:\3rrflrx.exe27⤵
- Executes dropped EXE
-
\??\c:\tnhttn.exec:\tnhttn.exe28⤵
- Executes dropped EXE
-
\??\c:\bbtnth.exec:\bbtnth.exe29⤵
- Executes dropped EXE
-
\??\c:\pjjdj.exec:\pjjdj.exe30⤵
- Executes dropped EXE
-
\??\c:\xxxlxfl.exec:\xxxlxfl.exe31⤵
- Executes dropped EXE
-
\??\c:\ttnnhn.exec:\ttnnhn.exe32⤵
- Executes dropped EXE
-
\??\c:\bthntb.exec:\bthntb.exe33⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe34⤵
- Executes dropped EXE
-
\??\c:\7dpvd.exec:\7dpvd.exe35⤵
- Executes dropped EXE
-
\??\c:\rrlxlxr.exec:\rrlxlxr.exe36⤵
- Executes dropped EXE
-
\??\c:\llrrxxf.exec:\llrrxxf.exe37⤵
- Executes dropped EXE
-
\??\c:\5hhbhn.exec:\5hhbhn.exe38⤵
- Executes dropped EXE
-
\??\c:\nhhhnn.exec:\nhhhnn.exe39⤵
- Executes dropped EXE
-
\??\c:\vpdvj.exec:\vpdvj.exe40⤵
- Executes dropped EXE
-
\??\c:\dvjvv.exec:\dvjvv.exe41⤵
- Executes dropped EXE
-
\??\c:\7rlllfr.exec:\7rlllfr.exe42⤵
- Executes dropped EXE
-
\??\c:\5lrrffl.exec:\5lrrffl.exe43⤵
- Executes dropped EXE
-
\??\c:\9hhnbb.exec:\9hhnbb.exe44⤵
- Executes dropped EXE
-
\??\c:\9bnbbt.exec:\9bnbbt.exe45⤵
- Executes dropped EXE
-
\??\c:\dvjpj.exec:\dvjpj.exe46⤵
- Executes dropped EXE
-
\??\c:\pdppp.exec:\pdppp.exe47⤵
- Executes dropped EXE
-
\??\c:\fflxrrf.exec:\fflxrrf.exe48⤵
- Executes dropped EXE
-
\??\c:\7flrrrl.exec:\7flrrrl.exe49⤵
- Executes dropped EXE
-
\??\c:\thbthh.exec:\thbthh.exe50⤵
- Executes dropped EXE
-
\??\c:\9bbbhh.exec:\9bbbhh.exe51⤵
- Executes dropped EXE
-
\??\c:\5jdjv.exec:\5jdjv.exe52⤵
- Executes dropped EXE
-
\??\c:\vvjjj.exec:\vvjjj.exe53⤵
- Executes dropped EXE
-
\??\c:\nnhhhn.exec:\nnhhhn.exe54⤵
- Executes dropped EXE
-
\??\c:\dvvjd.exec:\dvvjd.exe55⤵
- Executes dropped EXE
-
\??\c:\jdvvd.exec:\jdvvd.exe56⤵
- Executes dropped EXE
-
\??\c:\xlrlrlr.exec:\xlrlrlr.exe57⤵
- Executes dropped EXE
-
\??\c:\lfrlrrf.exec:\lfrlrrf.exe58⤵
- Executes dropped EXE
-
\??\c:\1hbhtn.exec:\1hbhtn.exe59⤵
- Executes dropped EXE
-
\??\c:\nnhhtb.exec:\nnhhtb.exe60⤵
- Executes dropped EXE
-
\??\c:\vpdjd.exec:\vpdjd.exe61⤵
- Executes dropped EXE
-
\??\c:\jvpdd.exec:\jvpdd.exe62⤵
- Executes dropped EXE
-
\??\c:\5frlxxx.exec:\5frlxxx.exe63⤵
- Executes dropped EXE
-
\??\c:\htnttb.exec:\htnttb.exe64⤵
- Executes dropped EXE
-
\??\c:\hbbbhh.exec:\hbbbhh.exe65⤵
- Executes dropped EXE
-
\??\c:\jdvpd.exec:\jdvpd.exe66⤵
-
\??\c:\dpjjj.exec:\dpjjj.exe67⤵
-
\??\c:\xrflfrx.exec:\xrflfrx.exe68⤵
-
\??\c:\fffxxxr.exec:\fffxxxr.exe69⤵
-
\??\c:\bbthtn.exec:\bbthtn.exe70⤵
-
\??\c:\3btnnt.exec:\3btnnt.exe71⤵
-
\??\c:\vpddd.exec:\vpddd.exe72⤵
-
\??\c:\1fxxxxf.exec:\1fxxxxf.exe73⤵
-
\??\c:\3llxrxl.exec:\3llxrxl.exe74⤵
-
\??\c:\rlffrlx.exec:\rlffrlx.exe75⤵
-
\??\c:\hbnttt.exec:\hbnttt.exe76⤵
-
\??\c:\jdvdv.exec:\jdvdv.exe77⤵
-
\??\c:\jvjpv.exec:\jvjpv.exe78⤵
-
\??\c:\rfrxrrx.exec:\rfrxrrx.exe79⤵
-
\??\c:\rlxlrxr.exec:\rlxlrxr.exe80⤵
-
\??\c:\tnnbtb.exec:\tnnbtb.exe81⤵
-
\??\c:\jdpdp.exec:\jdpdp.exe82⤵
-
\??\c:\jvjjp.exec:\jvjjp.exe83⤵
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe84⤵
-
\??\c:\rlxllll.exec:\rlxllll.exe85⤵
-
\??\c:\tnbbbb.exec:\tnbbbb.exe86⤵
-
\??\c:\7nnthn.exec:\7nnthn.exe87⤵
-
\??\c:\pjvpp.exec:\pjvpp.exe88⤵
-
\??\c:\dpdjd.exec:\dpdjd.exe89⤵
-
\??\c:\fxrxxfr.exec:\fxrxxfr.exe90⤵
-
\??\c:\rlxlxfr.exec:\rlxlxfr.exe91⤵
-
\??\c:\7btbbb.exec:\7btbbb.exe92⤵
-
\??\c:\thtttt.exec:\thtttt.exe93⤵
-
\??\c:\djvjp.exec:\djvjp.exe94⤵
-
\??\c:\dvpvd.exec:\dvpvd.exe95⤵
-
\??\c:\frfxllr.exec:\frfxllr.exe96⤵
-
\??\c:\rfrllff.exec:\rfrllff.exe97⤵
-
\??\c:\hhthhn.exec:\hhthhn.exe98⤵
-
\??\c:\7hbhtb.exec:\7hbhtb.exe99⤵
-
\??\c:\vpddp.exec:\vpddp.exe100⤵
-
\??\c:\vjpjp.exec:\vjpjp.exe101⤵
-
\??\c:\rlxlxff.exec:\rlxlxff.exe102⤵
-
\??\c:\5xxlxxf.exec:\5xxlxxf.exe103⤵
-
\??\c:\hbnhnb.exec:\hbnhnb.exe104⤵
-
\??\c:\nbhhhn.exec:\nbhhhn.exe105⤵
-
\??\c:\dvppj.exec:\dvppj.exe106⤵
-
\??\c:\9dpvd.exec:\9dpvd.exe107⤵
-
\??\c:\rrfrllr.exec:\rrfrllr.exe108⤵
-
\??\c:\9xrxlrf.exec:\9xrxlrf.exe109⤵
-
\??\c:\btnnnt.exec:\btnnnt.exe110⤵
-
\??\c:\1ttbbb.exec:\1ttbbb.exe111⤵
-
\??\c:\3bthnn.exec:\3bthnn.exe112⤵
-
\??\c:\5vppp.exec:\5vppp.exe113⤵
-
\??\c:\pdpvj.exec:\pdpvj.exe114⤵
-
\??\c:\xlrrlfl.exec:\xlrrlfl.exe115⤵
-
\??\c:\ffrrllr.exec:\ffrrllr.exe116⤵
-
\??\c:\9xffllx.exec:\9xffllx.exe117⤵
-
\??\c:\htbhhb.exec:\htbhhb.exe118⤵
-
\??\c:\tnbthb.exec:\tnbthb.exe119⤵
-
\??\c:\jvddv.exec:\jvddv.exe120⤵
-
\??\c:\jjvdp.exec:\jjvdp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-