Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03/09/2024, 18:59
General
-
Target
55d6b6925120b116003fc18a8322f100N.exe
-
Size
82KB
-
MD5
55d6b6925120b116003fc18a8322f100
-
SHA1
84e585a2b0fe8c17336ebeaff5a608cfa69ba42d
-
SHA256
1958a150d822437e5e69d40abe790b33afa692bb572b26fe511ce022723fa8c9
-
SHA512
706c797b500d162f6e4b94d3fc2f47c1aa1c22e0ffa951757790c984a7b417e71a4f337d09ff27231b07f3f1c6dbf93e1a1e9a2ee9315f26841fc6f2dd575e25
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89Q+:ymb3NkkiQ3mdBjFIIp9L9QrrA8/
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\55d6b6925120b116003fc18a8322f100N.exe"C:\Users\Admin\AppData\Local\Temp\55d6b6925120b116003fc18a8322f100N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xrtxlfd.exec:\xrtxlfd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nblhltt.exec:\nblhltt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lndjn.exec:\lndjn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxflb.exec:\lxflb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\phhlnd.exec:\phhlnd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhjbx.exec:\tnhjbx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lppdb.exec:\lppdb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hlxdl.exec:\hlxdl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xdpfftl.exec:\xdpfftl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xthpbtt.exec:\xthpbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fhnxb.exec:\fhnxb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hljtrvb.exec:\hljtrvb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ldttlb.exec:\ldttlb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxdph.exec:\rfxdph.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fnddjv.exec:\fnddjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bfbbjb.exec:\bfbbjb.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hljxltl.exec:\hljxltl.exe18⤵
- Executes dropped EXE
-
\??\c:\jrjrdlf.exec:\jrjrdlf.exe19⤵
- Executes dropped EXE
-
\??\c:\tvfjp.exec:\tvfjp.exe20⤵
- Executes dropped EXE
-
\??\c:\jfhxphj.exec:\jfhxphj.exe21⤵
- Executes dropped EXE
-
\??\c:\lhnptfp.exec:\lhnptfp.exe22⤵
- Executes dropped EXE
-
\??\c:\fflhhnb.exec:\fflhhnb.exe23⤵
- Executes dropped EXE
-
\??\c:\fxjplbd.exec:\fxjplbd.exe24⤵
- Executes dropped EXE
-
\??\c:\hxpbl.exec:\hxpbl.exe25⤵
- Executes dropped EXE
-
\??\c:\pjnvb.exec:\pjnvb.exe26⤵
- Executes dropped EXE
-
\??\c:\hffbl.exec:\hffbl.exe27⤵
- Executes dropped EXE
-
\??\c:\dnvprp.exec:\dnvprp.exe28⤵
- Executes dropped EXE
-
\??\c:\jrdllnb.exec:\jrdllnb.exe29⤵
- Executes dropped EXE
-
\??\c:\jjjph.exec:\jjjph.exe30⤵
- Executes dropped EXE
-
\??\c:\tdhjrpj.exec:\tdhjrpj.exe31⤵
- Executes dropped EXE
-
\??\c:\tjpvh.exec:\tjpvh.exe32⤵
- Executes dropped EXE
-
\??\c:\dttdblb.exec:\dttdblb.exe33⤵
- Executes dropped EXE
-
\??\c:\llvpdfn.exec:\llvpdfn.exe34⤵
- Executes dropped EXE
-
\??\c:\xnxrx.exec:\xnxrx.exe35⤵
- Executes dropped EXE
-
\??\c:\bpttdtf.exec:\bpttdtf.exe36⤵
- Executes dropped EXE
-
\??\c:\bhrth.exec:\bhrth.exe37⤵
- Executes dropped EXE
-
\??\c:\ljrbl.exec:\ljrbl.exe38⤵
- Executes dropped EXE
-
\??\c:\tnvlf.exec:\tnvlf.exe39⤵
- Executes dropped EXE
-
\??\c:\bftpt.exec:\bftpt.exe40⤵
- Executes dropped EXE
-
\??\c:\nnltrx.exec:\nnltrx.exe41⤵
- Executes dropped EXE
-
\??\c:\fnbxf.exec:\fnbxf.exe42⤵
- Executes dropped EXE
-
\??\c:\fndrf.exec:\fndrf.exe43⤵
- Executes dropped EXE
-
\??\c:\ltrfnj.exec:\ltrfnj.exe44⤵
- Executes dropped EXE
-
\??\c:\hdxlvp.exec:\hdxlvp.exe45⤵
- Executes dropped EXE
-
\??\c:\dnxtrvt.exec:\dnxtrvt.exe46⤵
- Executes dropped EXE
-
\??\c:\tdppfh.exec:\tdppfh.exe47⤵
- Executes dropped EXE
-
\??\c:\txdxr.exec:\txdxr.exe48⤵
- Executes dropped EXE
-
\??\c:\ndfnbhb.exec:\ndfnbhb.exe49⤵
- Executes dropped EXE
-
\??\c:\nxjnl.exec:\nxjnl.exe50⤵
- Executes dropped EXE
-
\??\c:\jhhfv.exec:\jhhfv.exe51⤵
- Executes dropped EXE
-
\??\c:\vnjth.exec:\vnjth.exe52⤵
- Executes dropped EXE
-
\??\c:\pdnfx.exec:\pdnfx.exe53⤵
- Executes dropped EXE
-
\??\c:\rxtnpb.exec:\rxtnpb.exe54⤵
- Executes dropped EXE
-
\??\c:\jtvlfvf.exec:\jtvlfvf.exe55⤵
- Executes dropped EXE
-
\??\c:\npljrr.exec:\npljrr.exe56⤵
- Executes dropped EXE
-
\??\c:\ptvlrlp.exec:\ptvlrlp.exe57⤵
- Executes dropped EXE
-
\??\c:\jntxnp.exec:\jntxnp.exe58⤵
- Executes dropped EXE
-
\??\c:\trjft.exec:\trjft.exe59⤵
- Executes dropped EXE
-
\??\c:\hbvfnt.exec:\hbvfnt.exe60⤵
- Executes dropped EXE
-
\??\c:\fnffnnn.exec:\fnffnnn.exe61⤵
- Executes dropped EXE
-
\??\c:\jfxtfr.exec:\jfxtfr.exe62⤵
- Executes dropped EXE
-
\??\c:\ldlvvp.exec:\ldlvvp.exe63⤵
- Executes dropped EXE
-
\??\c:\ptrrn.exec:\ptrrn.exe64⤵
- Executes dropped EXE
-
\??\c:\lfxblb.exec:\lfxblb.exe65⤵
- Executes dropped EXE
-
\??\c:\nflfd.exec:\nflfd.exe66⤵
-
\??\c:\hpthllv.exec:\hpthllv.exe67⤵
-
\??\c:\tbblnbh.exec:\tbblnbh.exe68⤵
-
\??\c:\jxvfb.exec:\jxvfb.exe69⤵
-
\??\c:\bvjnrtb.exec:\bvjnrtb.exe70⤵
-
\??\c:\nlvvl.exec:\nlvvl.exe71⤵
-
\??\c:\fhllx.exec:\fhllx.exe72⤵
-
\??\c:\dnntjv.exec:\dnntjv.exe73⤵
-
\??\c:\ffrhffn.exec:\ffrhffn.exe74⤵
-
\??\c:\pxjpvbf.exec:\pxjpvbf.exe75⤵
-
\??\c:\vbphn.exec:\vbphn.exe76⤵
-
\??\c:\rnvdl.exec:\rnvdl.exe77⤵
-
\??\c:\xrlnxtb.exec:\xrlnxtb.exe78⤵
-
\??\c:\drprd.exec:\drprd.exe79⤵
-
\??\c:\rlhlxpn.exec:\rlhlxpn.exe80⤵
-
\??\c:\rxxjh.exec:\rxxjh.exe81⤵
-
\??\c:\nhftl.exec:\nhftl.exe82⤵
-
\??\c:\vlhxtt.exec:\vlhxtt.exe83⤵
-
\??\c:\bjjnt.exec:\bjjnt.exe84⤵
-
\??\c:\fpjrtnn.exec:\fpjrtnn.exe85⤵
-
\??\c:\vdlvd.exec:\vdlvd.exe86⤵
-
\??\c:\tpbjvdn.exec:\tpbjvdn.exe87⤵
-
\??\c:\jlnhln.exec:\jlnhln.exe88⤵
-
\??\c:\vrlfhb.exec:\vrlfhb.exe89⤵
-
\??\c:\ltlhltp.exec:\ltlhltp.exe90⤵
-
\??\c:\lhjflp.exec:\lhjflp.exe91⤵
-
\??\c:\rvrvd.exec:\rvrvd.exe92⤵
-
\??\c:\nvnvl.exec:\nvnvl.exe93⤵
-
\??\c:\rljlrb.exec:\rljlrb.exe94⤵
-
\??\c:\bntjhjt.exec:\bntjhjt.exe95⤵
-
\??\c:\vjnpbb.exec:\vjnpbb.exe96⤵
-
\??\c:\jddvt.exec:\jddvt.exe97⤵
-
\??\c:\llvvv.exec:\llvvv.exe98⤵
-
\??\c:\btljd.exec:\btljd.exe99⤵
-
\??\c:\fxtjrnf.exec:\fxtjrnf.exe100⤵
-
\??\c:\nbtxft.exec:\nbtxft.exe101⤵
-
\??\c:\pnnhjl.exec:\pnnhjl.exe102⤵
-
\??\c:\lhblpt.exec:\lhblpt.exe103⤵
-
\??\c:\jhhtr.exec:\jhhtr.exe104⤵
-
\??\c:\xnnhxlt.exec:\xnnhxlt.exe105⤵
-
\??\c:\ttjlxf.exec:\ttjlxf.exe106⤵
-
\??\c:\lbrvd.exec:\lbrvd.exe107⤵
-
\??\c:\nllnrh.exec:\nllnrh.exe108⤵
-
\??\c:\thfxpx.exec:\thfxpx.exe109⤵
-
\??\c:\bvlvttd.exec:\bvlvttd.exe110⤵
-
\??\c:\vfjbhbl.exec:\vfjbhbl.exe111⤵
-
\??\c:\vnnnn.exec:\vnnnn.exe112⤵
-
\??\c:\vpdbrpr.exec:\vpdbrpr.exe113⤵
-
\??\c:\ffhbxdx.exec:\ffhbxdx.exe114⤵
-
\??\c:\vjfxf.exec:\vjfxf.exe115⤵
-
\??\c:\rdrjjb.exec:\rdrjjb.exe116⤵
-
\??\c:\pfptt.exec:\pfptt.exe117⤵
-
\??\c:\jvjnp.exec:\jvjnp.exe118⤵
- System Location Discovery: System Language Discovery
-
\??\c:\hpdrr.exec:\hpdrr.exe119⤵
-
\??\c:\hjtpf.exec:\hjtpf.exe120⤵
-
\??\c:\nnnfppp.exec:\nnnfppp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-