Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03/09/2024, 23:01
General
-
Target
7d1f16f60145d85271316263c68ce630N.exe
-
Size
72KB
-
MD5
7d1f16f60145d85271316263c68ce630
-
SHA1
0b92db84fd2b7e5b87900b1405ae000198260d55
-
SHA256
9a08580bc06b2575115a86d0e56f2ac69f0eeaab28b132cbc98334c4b30a4b9c
-
SHA512
bd3190149304e900e6cb49972398b26912692a62d9854fff1fefb17222b11c7b6004f4ff8403d9ec2436fde6345f1c387370e3dd6f5e8d96f8935bd017279003
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUPqrDZ5RxfVK5DIlm:ymb3NkkiQ3mdBjF0yUmrfVc5
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d1f16f60145d85271316263c68ce630N.exe"C:\Users\Admin\AppData\Local\Temp\7d1f16f60145d85271316263c68ce630N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrffxr.exec:\rfrffxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bbhbh.exec:\5bbhbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jppp.exec:\9jppp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxlfll.exec:\frxlfll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbhtb.exec:\hhbhtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbtht.exec:\nhbtht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjddd.exec:\pjddd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbttnb.exec:\bbttnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbhhh.exec:\htbhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrlrrl.exec:\llrlrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llllllf.exec:\llllllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvdd.exec:\jdvdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvpj.exec:\jvvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfrlll.exec:\frfrlll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnnbn.exec:\hbnnbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjjj.exec:\pjjjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffffll.exec:\lffffll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bttbn.exec:\9bttbn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbhht.exec:\nnbhht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjppd.exec:\pjppd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxrxxr.exec:\xlxrxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfxxfll.exec:\xfxxfll.exe23⤵
- Executes dropped EXE
-
\??\c:\hhhhtb.exec:\hhhhtb.exe24⤵
- Executes dropped EXE
-
\??\c:\jdjjd.exec:\jdjjd.exe25⤵
- Executes dropped EXE
-
\??\c:\lxrrxrr.exec:\lxrrxrr.exe26⤵
- Executes dropped EXE
-
\??\c:\fxffxrx.exec:\fxffxrx.exe27⤵
- Executes dropped EXE
-
\??\c:\nbhbnh.exec:\nbhbnh.exe28⤵
- Executes dropped EXE
-
\??\c:\jvjvv.exec:\jvjvv.exe29⤵
- Executes dropped EXE
-
\??\c:\rxfxllf.exec:\rxfxllf.exe30⤵
- Executes dropped EXE
-
\??\c:\rrfrllx.exec:\rrfrllx.exe31⤵
- Executes dropped EXE
-
\??\c:\nnbbnt.exec:\nnbbnt.exe32⤵
- Executes dropped EXE
-
\??\c:\dvjjp.exec:\dvjjp.exe33⤵
- Executes dropped EXE
-
\??\c:\lrxfrxx.exec:\lrxfrxx.exe34⤵
- Executes dropped EXE
-
\??\c:\lllllll.exec:\lllllll.exe35⤵
- Executes dropped EXE
-
\??\c:\lxfllxf.exec:\lxfllxf.exe36⤵
- Executes dropped EXE
-
\??\c:\9ntnhn.exec:\9ntnhn.exe37⤵
- Executes dropped EXE
-
\??\c:\hbhhbh.exec:\hbhhbh.exe38⤵
- Executes dropped EXE
-
\??\c:\jpjpp.exec:\jpjpp.exe39⤵
- Executes dropped EXE
-
\??\c:\rrflrxf.exec:\rrflrxf.exe40⤵
- Executes dropped EXE
-
\??\c:\bnhbtn.exec:\bnhbtn.exe41⤵
- Executes dropped EXE
-
\??\c:\ttbhhn.exec:\ttbhhn.exe42⤵
- Executes dropped EXE
-
\??\c:\dddjp.exec:\dddjp.exe43⤵
- Executes dropped EXE
-
\??\c:\3dpvj.exec:\3dpvj.exe44⤵
- Executes dropped EXE
-
\??\c:\xlllxfr.exec:\xlllxfr.exe45⤵
- Executes dropped EXE
-
\??\c:\flxxrff.exec:\flxxrff.exe46⤵
- Executes dropped EXE
-
\??\c:\nbbtth.exec:\nbbtth.exe47⤵
- Executes dropped EXE
-
\??\c:\3thhbh.exec:\3thhbh.exe48⤵
- Executes dropped EXE
-
\??\c:\jpppv.exec:\jpppv.exe49⤵
- Executes dropped EXE
-
\??\c:\xrfflxx.exec:\xrfflxx.exe50⤵
- Executes dropped EXE
-
\??\c:\fflrllr.exec:\fflrllr.exe51⤵
- Executes dropped EXE
-
\??\c:\hntbbn.exec:\hntbbn.exe52⤵
- Executes dropped EXE
-
\??\c:\tbntth.exec:\tbntth.exe53⤵
- Executes dropped EXE
-
\??\c:\ddvvd.exec:\ddvvd.exe54⤵
- Executes dropped EXE
-
\??\c:\pjpvv.exec:\pjpvv.exe55⤵
- Executes dropped EXE
-
\??\c:\rlxxlrl.exec:\rlxxlrl.exe56⤵
- Executes dropped EXE
-
\??\c:\fxrlffx.exec:\fxrlffx.exe57⤵
- Executes dropped EXE
-
\??\c:\tbnhth.exec:\tbnhth.exe58⤵
- Executes dropped EXE
-
\??\c:\dddjp.exec:\dddjp.exe59⤵
- Executes dropped EXE
-
\??\c:\vvdpd.exec:\vvdpd.exe60⤵
- Executes dropped EXE
-
\??\c:\xlrxxrx.exec:\xlrxxrx.exe61⤵
- Executes dropped EXE
-
\??\c:\hbbbtn.exec:\hbbbtn.exe62⤵
- Executes dropped EXE
-
\??\c:\nnbhhn.exec:\nnbhhn.exe63⤵
- Executes dropped EXE
-
\??\c:\djvdj.exec:\djvdj.exe64⤵
- Executes dropped EXE
-
\??\c:\lrrrxrr.exec:\lrrrxrr.exe65⤵
- Executes dropped EXE
-
\??\c:\frrrrrx.exec:\frrrrrx.exe66⤵
-
\??\c:\nnttnn.exec:\nnttnn.exe67⤵
-
\??\c:\vvjpp.exec:\vvjpp.exe68⤵
-
\??\c:\fxffxfl.exec:\fxffxfl.exe69⤵
-
\??\c:\7lxxxff.exec:\7lxxxff.exe70⤵
-
\??\c:\bbhbbh.exec:\bbhbbh.exe71⤵
-
\??\c:\ttbbbh.exec:\ttbbbh.exe72⤵
-
\??\c:\djvdj.exec:\djvdj.exe73⤵
-
\??\c:\jpjpp.exec:\jpjpp.exe74⤵
-
\??\c:\fxxxflr.exec:\fxxxflr.exe75⤵
-
\??\c:\tttbbh.exec:\tttbbh.exe76⤵
-
\??\c:\7vjjv.exec:\7vjjv.exe77⤵
-
\??\c:\jvpjj.exec:\jvpjj.exe78⤵
-
\??\c:\xrfflll.exec:\xrfflll.exe79⤵
-
\??\c:\tnbbtn.exec:\tnbbtn.exe80⤵
-
\??\c:\9hhhbt.exec:\9hhhbt.exe81⤵
-
\??\c:\jvvdd.exec:\jvvdd.exe82⤵
-
\??\c:\pdddv.exec:\pdddv.exe83⤵
-
\??\c:\bbbtbh.exec:\bbbtbh.exe84⤵
-
\??\c:\jjvpv.exec:\jjvpv.exe85⤵
-
\??\c:\vpvjp.exec:\vpvjp.exe86⤵
-
\??\c:\xrrrllr.exec:\xrrrllr.exe87⤵
-
\??\c:\lfxrlll.exec:\lfxrlll.exe88⤵
-
\??\c:\bbtnbt.exec:\bbtnbt.exe89⤵
-
\??\c:\pppjj.exec:\pppjj.exe90⤵
-
\??\c:\jdddp.exec:\jdddp.exe91⤵
-
\??\c:\lllrlll.exec:\lllrlll.exe92⤵
-
\??\c:\9flllrr.exec:\9flllrr.exe93⤵
-
\??\c:\ttbbth.exec:\ttbbth.exe94⤵
-
\??\c:\9dddv.exec:\9dddv.exe95⤵
-
\??\c:\ppjvv.exec:\ppjvv.exe96⤵
-
\??\c:\9llfxxr.exec:\9llfxxr.exe97⤵
-
\??\c:\xxflllf.exec:\xxflllf.exe98⤵
-
\??\c:\tthbbh.exec:\tthbbh.exe99⤵
-
\??\c:\bbbthh.exec:\bbbthh.exe100⤵
-
\??\c:\jpdjv.exec:\jpdjv.exe101⤵
-
\??\c:\rflxfxx.exec:\rflxfxx.exe102⤵
-
\??\c:\xfxlfxr.exec:\xfxlfxr.exe103⤵
-
\??\c:\tbthtn.exec:\tbthtn.exe104⤵
-
\??\c:\3pvdv.exec:\3pvdv.exe105⤵
-
\??\c:\fxlfrxr.exec:\fxlfrxr.exe106⤵
-
\??\c:\lffxxrl.exec:\lffxxrl.exe107⤵
-
\??\c:\bhhhht.exec:\bhhhht.exe108⤵
-
\??\c:\7pvpj.exec:\7pvpj.exe109⤵
-
\??\c:\lxxxrrr.exec:\lxxxrrr.exe110⤵
-
\??\c:\9hnhbb.exec:\9hnhbb.exe111⤵
-
\??\c:\dpppj.exec:\dpppj.exe112⤵
-
\??\c:\rrrrxrl.exec:\rrrrxrl.exe113⤵
-
\??\c:\rrlllll.exec:\rrlllll.exe114⤵
-
\??\c:\nbhhnn.exec:\nbhhnn.exe115⤵
-
\??\c:\dvvvp.exec:\dvvvp.exe116⤵
-
\??\c:\xxxrfxr.exec:\xxxrfxr.exe117⤵
-
\??\c:\jvjjj.exec:\jvjjj.exe118⤵
-
\??\c:\jpjdv.exec:\jpjdv.exe119⤵
-
\??\c:\frxrllf.exec:\frxrllf.exe120⤵
-
\??\c:\xxrrlrr.exec:\xxrrlrr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-