Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03-09-2024 23:53
General
-
Target
7db85bc4464e8c014f5e01ffb26c7e28f53f6e7a242138e8531ca6e7bf2a91bd.exe
-
Size
70KB
-
MD5
7988471efb6939dc418a0936e3fccd38
-
SHA1
2d85a18e650fe503902fefc8c471b9e3e9919c9a
-
SHA256
7db85bc4464e8c014f5e01ffb26c7e28f53f6e7a242138e8531ca6e7bf2a91bd
-
SHA512
a7aa4b70552b993500c9b67a0bfc6b4c7c00cef8876b9e97cae84032cca2be3931008c61b01dd4225206507d9884f2fb3676ec134d65e1466fb0e39a402536f5
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjK:ymb3NkkiQ3mdBjFI4V6
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7db85bc4464e8c014f5e01ffb26c7e28f53f6e7a242138e8531ca6e7bf2a91bd.exe"C:\Users\Admin\AppData\Local\Temp\7db85bc4464e8c014f5e01ffb26c7e28f53f6e7a242138e8531ca6e7bf2a91bd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\fflxrxr.exec:\fflxrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhhhb.exec:\tnhhhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdpv.exec:\dvdpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnnbh.exec:\btnnbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nhnbh.exec:\1nhnbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pddjp.exec:\pddjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vjvj.exec:\5vjvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttthhb.exec:\ttthhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbhhb.exec:\htbhhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvddp.exec:\jvddp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxxlrx.exec:\rlxxlrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7hnhbn.exec:\7hnhbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbhbh.exec:\bnbhbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjjv.exec:\jjjjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllxxxl.exec:\rllxxxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlllrxr.exec:\xlllrxr.exe17⤵
- Executes dropped EXE
-
\??\c:\nhhthh.exec:\nhhthh.exe18⤵
- Executes dropped EXE
-
\??\c:\pdvvp.exec:\pdvvp.exe19⤵
- Executes dropped EXE
-
\??\c:\ddvpv.exec:\ddvpv.exe20⤵
- Executes dropped EXE
-
\??\c:\xlflrrx.exec:\xlflrrx.exe21⤵
- Executes dropped EXE
-
\??\c:\lflfrrx.exec:\lflfrrx.exe22⤵
- Executes dropped EXE
-
\??\c:\5hbbtb.exec:\5hbbtb.exe23⤵
- Executes dropped EXE
-
\??\c:\ppvjd.exec:\ppvjd.exe24⤵
- Executes dropped EXE
-
\??\c:\7fxxxfr.exec:\7fxxxfr.exe25⤵
- Executes dropped EXE
-
\??\c:\1rflrrf.exec:\1rflrrf.exe26⤵
- Executes dropped EXE
-
\??\c:\nnbbnn.exec:\nnbbnn.exe27⤵
- Executes dropped EXE
-
\??\c:\bnhnnt.exec:\bnhnnt.exe28⤵
- Executes dropped EXE
-
\??\c:\pvdpp.exec:\pvdpp.exe29⤵
- Executes dropped EXE
-
\??\c:\vvpdv.exec:\vvpdv.exe30⤵
- Executes dropped EXE
-
\??\c:\9frxffl.exec:\9frxffl.exe31⤵
- Executes dropped EXE
-
\??\c:\bbttnb.exec:\bbttnb.exe32⤵
- Executes dropped EXE
-
\??\c:\dvjvp.exec:\dvjvp.exe33⤵
- Executes dropped EXE
-
\??\c:\7jdjj.exec:\7jdjj.exe34⤵
- Executes dropped EXE
-
\??\c:\fxfrrrx.exec:\fxfrrrx.exe35⤵
- Executes dropped EXE
-
\??\c:\fxllxrx.exec:\fxllxrx.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\3hnnnt.exec:\3hnnnt.exe37⤵
- Executes dropped EXE
-
\??\c:\ppdpd.exec:\ppdpd.exe38⤵
- Executes dropped EXE
-
\??\c:\1pvpv.exec:\1pvpv.exe39⤵
- Executes dropped EXE
-
\??\c:\rrlffll.exec:\rrlffll.exe40⤵
- Executes dropped EXE
-
\??\c:\3llrfxr.exec:\3llrfxr.exe41⤵
- Executes dropped EXE
-
\??\c:\1hhhnn.exec:\1hhhnn.exe42⤵
- Executes dropped EXE
-
\??\c:\nhbhth.exec:\nhbhth.exe43⤵
- Executes dropped EXE
-
\??\c:\vpdjj.exec:\vpdjj.exe44⤵
- Executes dropped EXE
-
\??\c:\xxlxxlr.exec:\xxlxxlr.exe45⤵
- Executes dropped EXE
-
\??\c:\fxxrlrx.exec:\fxxrlrx.exe46⤵
- Executes dropped EXE
-
\??\c:\ttbhhh.exec:\ttbhhh.exe47⤵
- Executes dropped EXE
-
\??\c:\3thnbh.exec:\3thnbh.exe48⤵
- Executes dropped EXE
-
\??\c:\nbnhnb.exec:\nbnhnb.exe49⤵
- Executes dropped EXE
-
\??\c:\jvpvp.exec:\jvpvp.exe50⤵
- Executes dropped EXE
-
\??\c:\5vpvj.exec:\5vpvj.exe51⤵
- Executes dropped EXE
-
\??\c:\lfrxlrr.exec:\lfrxlrr.exe52⤵
- Executes dropped EXE
-
\??\c:\fxllxrf.exec:\fxllxrf.exe53⤵
- Executes dropped EXE
-
\??\c:\nhnbnt.exec:\nhnbnt.exe54⤵
- Executes dropped EXE
-
\??\c:\3bhthh.exec:\3bhthh.exe55⤵
- Executes dropped EXE
-
\??\c:\jddjp.exec:\jddjp.exe56⤵
- Executes dropped EXE
-
\??\c:\vjjvv.exec:\vjjvv.exe57⤵
- Executes dropped EXE
-
\??\c:\lfxfrrx.exec:\lfxfrrx.exe58⤵
- Executes dropped EXE
-
\??\c:\5xlxrlr.exec:\5xlxrlr.exe59⤵
- Executes dropped EXE
-
\??\c:\1hbntb.exec:\1hbntb.exe60⤵
- Executes dropped EXE
-
\??\c:\nhtbbb.exec:\nhtbbb.exe61⤵
- Executes dropped EXE
-
\??\c:\vjjpj.exec:\vjjpj.exe62⤵
- Executes dropped EXE
-
\??\c:\vjvdp.exec:\vjvdp.exe63⤵
- Executes dropped EXE
-
\??\c:\lxxxllx.exec:\lxxxllx.exe64⤵
- Executes dropped EXE
-
\??\c:\fxllrfl.exec:\fxllrfl.exe65⤵
- Executes dropped EXE
-
\??\c:\xllrfxl.exec:\xllrfxl.exe66⤵
- System Location Discovery: System Language Discovery
-
\??\c:\3nbhht.exec:\3nbhht.exe67⤵
-
\??\c:\hhnnhh.exec:\hhnnhh.exe68⤵
-
\??\c:\3jdvj.exec:\3jdvj.exe69⤵
-
\??\c:\jdvjp.exec:\jdvjp.exe70⤵
-
\??\c:\xrrllrl.exec:\xrrllrl.exe71⤵
-
\??\c:\fxxfxfl.exec:\fxxfxfl.exe72⤵
-
\??\c:\nhhntn.exec:\nhhntn.exe73⤵
-
\??\c:\3hnnbh.exec:\3hnnbh.exe74⤵
-
\??\c:\pjjjd.exec:\pjjjd.exe75⤵
-
\??\c:\pjvvd.exec:\pjvvd.exe76⤵
-
\??\c:\3lxxrrx.exec:\3lxxrrx.exe77⤵
-
\??\c:\fxffrll.exec:\fxffrll.exe78⤵
-
\??\c:\htbbnt.exec:\htbbnt.exe79⤵
-
\??\c:\btbtbt.exec:\btbtbt.exe80⤵
-
\??\c:\1dpdp.exec:\1dpdp.exe81⤵
-
\??\c:\pjvjv.exec:\pjvjv.exe82⤵
-
\??\c:\fxlrllx.exec:\fxlrllx.exe83⤵
-
\??\c:\9lflxrx.exec:\9lflxrx.exe84⤵
-
\??\c:\nhbbhn.exec:\nhbbhn.exe85⤵
-
\??\c:\hbnbtb.exec:\hbnbtb.exe86⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe87⤵
-
\??\c:\dpvvd.exec:\dpvvd.exe88⤵
-
\??\c:\ffffflr.exec:\ffffflr.exe89⤵
-
\??\c:\9xlfllx.exec:\9xlfllx.exe90⤵
-
\??\c:\nhbbhn.exec:\nhbbhn.exe91⤵
-
\??\c:\btntbn.exec:\btntbn.exe92⤵
-
\??\c:\dvpdd.exec:\dvpdd.exe93⤵
-
\??\c:\dvpvv.exec:\dvpvv.exe94⤵
-
\??\c:\xrllrrf.exec:\xrllrrf.exe95⤵
-
\??\c:\frffrrf.exec:\frffrrf.exe96⤵
-
\??\c:\1tbnnb.exec:\1tbnnb.exe97⤵
-
\??\c:\pdvvd.exec:\pdvvd.exe98⤵
-
\??\c:\pppvp.exec:\pppvp.exe99⤵
-
\??\c:\lxfxlrf.exec:\lxfxlrf.exe100⤵
-
\??\c:\xrfrrxx.exec:\xrfrrxx.exe101⤵
-
\??\c:\nhnbnn.exec:\nhnbnn.exe102⤵
-
\??\c:\tthhnh.exec:\tthhnh.exe103⤵
-
\??\c:\vpppv.exec:\vpppv.exe104⤵
-
\??\c:\9vppp.exec:\9vppp.exe105⤵
-
\??\c:\lfflxff.exec:\lfflxff.exe106⤵
-
\??\c:\lfxflll.exec:\lfxflll.exe107⤵
-
\??\c:\hhbhth.exec:\hhbhth.exe108⤵
-
\??\c:\bbnthb.exec:\bbnthb.exe109⤵
-
\??\c:\jjdjp.exec:\jjdjp.exe110⤵
-
\??\c:\jvdpv.exec:\jvdpv.exe111⤵
-
\??\c:\xrxxxrx.exec:\xrxxxrx.exe112⤵
-
\??\c:\xxrfrrx.exec:\xxrfrrx.exe113⤵
-
\??\c:\3hbbnt.exec:\3hbbnt.exe114⤵
-
\??\c:\tnbhtb.exec:\tnbhtb.exe115⤵
-
\??\c:\3vpjv.exec:\3vpjv.exe116⤵
-
\??\c:\3pjpd.exec:\3pjpd.exe117⤵
-
\??\c:\lflrrxx.exec:\lflrrxx.exe118⤵
-
\??\c:\3lllxrf.exec:\3lllxrf.exe119⤵
-
\??\c:\1tnbbn.exec:\1tnbbn.exe120⤵
-
\??\c:\9nnhtt.exec:\9nnhtt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-