Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
05-09-2024 10:21
General
-
Target
74cb7fcfc9b8f047547782e7cc2787e0N.exe
-
Size
82KB
-
MD5
74cb7fcfc9b8f047547782e7cc2787e0
-
SHA1
0f497fb6c379a8181661983433ab52c77e0d5c39
-
SHA256
ad1ac7c4e558d189ccc2c3eb7d70f2d45251d5ad4ea978e6f3587164d9eb099c
-
SHA512
93ef1fe5a9b59a600f3163656e8eef202a99daa38686517d8560333989c123ee3c1761e8540171b2a4237799d2eda7f4a8fac2e53b9b0b0eea523c6d54b40871
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89QD:ymb3NkkiQ3mdBjFIIp9L9QrrA8g
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\74cb7fcfc9b8f047547782e7cc2787e0N.exe"C:\Users\Admin\AppData\Local\Temp\74cb7fcfc9b8f047547782e7cc2787e0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrrxfx.exec:\xxrrxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnthn.exec:\tnnthn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrrffx.exec:\rxrrffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrxflx.exec:\fxrxflx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbhnn.exec:\btbhnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntnbh.exec:\tntnbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppvp.exec:\vppvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjpp.exec:\jjjpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lxfxxf.exec:\3lxfxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlxlrl.exec:\rrlxlrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhtt.exec:\nhbhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nnhhh.exec:\1nnhhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5djpd.exec:\5djpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpdpd.exec:\jpdpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fflxflx.exec:\fflxflx.exe17⤵
- Executes dropped EXE
-
\??\c:\7rlxrxx.exec:\7rlxrxx.exe18⤵
- Executes dropped EXE
-
\??\c:\ntbttn.exec:\ntbttn.exe19⤵
- Executes dropped EXE
-
\??\c:\hhtbnn.exec:\hhtbnn.exe20⤵
- Executes dropped EXE
-
\??\c:\vpdjp.exec:\vpdjp.exe21⤵
- Executes dropped EXE
-
\??\c:\dvjjv.exec:\dvjjv.exe22⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe23⤵
- Executes dropped EXE
-
\??\c:\rlffrxl.exec:\rlffrxl.exe24⤵
- Executes dropped EXE
-
\??\c:\3xxxflx.exec:\3xxxflx.exe25⤵
- Executes dropped EXE
-
\??\c:\tnhntb.exec:\tnhntb.exe26⤵
- Executes dropped EXE
-
\??\c:\nnbbhn.exec:\nnbbhn.exe27⤵
- Executes dropped EXE
-
\??\c:\jdpdv.exec:\jdpdv.exe28⤵
- Executes dropped EXE
-
\??\c:\dvpvp.exec:\dvpvp.exe29⤵
- Executes dropped EXE
-
\??\c:\fxlflxr.exec:\fxlflxr.exe30⤵
- Executes dropped EXE
-
\??\c:\fxllxxr.exec:\fxllxxr.exe31⤵
- Executes dropped EXE
-
\??\c:\nhbhnb.exec:\nhbhnb.exe32⤵
- Executes dropped EXE
-
\??\c:\3nnthh.exec:\3nnthh.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\7pjpp.exec:\7pjpp.exe34⤵
- Executes dropped EXE
-
\??\c:\7jjdj.exec:\7jjdj.exe35⤵
- Executes dropped EXE
-
\??\c:\9xrfrlx.exec:\9xrfrlx.exe36⤵
- Executes dropped EXE
-
\??\c:\fllrlrl.exec:\fllrlrl.exe37⤵
- Executes dropped EXE
-
\??\c:\ffxlrxl.exec:\ffxlrxl.exe38⤵
- Executes dropped EXE
-
\??\c:\nnhbnt.exec:\nnhbnt.exe39⤵
- Executes dropped EXE
-
\??\c:\httbbt.exec:\httbbt.exe40⤵
- Executes dropped EXE
-
\??\c:\bbbnbt.exec:\bbbnbt.exe41⤵
- Executes dropped EXE
-
\??\c:\7jvjp.exec:\7jvjp.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ddppd.exec:\ddppd.exe43⤵
- Executes dropped EXE
-
\??\c:\pvjdd.exec:\pvjdd.exe44⤵
- Executes dropped EXE
-
\??\c:\xxlrxxl.exec:\xxlrxxl.exe45⤵
- Executes dropped EXE
-
\??\c:\rfxlflr.exec:\rfxlflr.exe46⤵
- Executes dropped EXE
-
\??\c:\fflxllf.exec:\fflxllf.exe47⤵
- Executes dropped EXE
-
\??\c:\nhtbtb.exec:\nhtbtb.exe48⤵
- Executes dropped EXE
-
\??\c:\3bnnbh.exec:\3bnnbh.exe49⤵
- Executes dropped EXE
-
\??\c:\jdpdp.exec:\jdpdp.exe50⤵
- Executes dropped EXE
-
\??\c:\pjddp.exec:\pjddp.exe51⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe52⤵
- Executes dropped EXE
-
\??\c:\lflxlrr.exec:\lflxlrr.exe53⤵
- Executes dropped EXE
-
\??\c:\xxxfrrl.exec:\xxxfrrl.exe54⤵
- Executes dropped EXE
-
\??\c:\rrlfrxf.exec:\rrlfrxf.exe55⤵
- Executes dropped EXE
-
\??\c:\tthtnt.exec:\tthtnt.exe56⤵
- Executes dropped EXE
-
\??\c:\bbhnbn.exec:\bbhnbn.exe57⤵
- Executes dropped EXE
-
\??\c:\hbttbb.exec:\hbttbb.exe58⤵
- Executes dropped EXE
-
\??\c:\9jjpd.exec:\9jjpd.exe59⤵
- Executes dropped EXE
-
\??\c:\dvpvd.exec:\dvpvd.exe60⤵
- Executes dropped EXE
-
\??\c:\dvjvd.exec:\dvjvd.exe61⤵
- Executes dropped EXE
-
\??\c:\ffrllrl.exec:\ffrllrl.exe62⤵
- Executes dropped EXE
-
\??\c:\rfllxxf.exec:\rfllxxf.exe63⤵
- Executes dropped EXE
-
\??\c:\3lxrxxf.exec:\3lxrxxf.exe64⤵
- Executes dropped EXE
-
\??\c:\bnnthh.exec:\bnnthh.exe65⤵
- Executes dropped EXE
-
\??\c:\nbnnbb.exec:\nbnnbb.exe66⤵
-
\??\c:\hbhnbh.exec:\hbhnbh.exe67⤵
-
\??\c:\vpvdp.exec:\vpvdp.exe68⤵
-
\??\c:\jjjvj.exec:\jjjvj.exe69⤵
-
\??\c:\3vjpd.exec:\3vjpd.exe70⤵
-
\??\c:\fxxfllx.exec:\fxxfllx.exe71⤵
-
\??\c:\9rlxrxf.exec:\9rlxrxf.exe72⤵
-
\??\c:\xrxxxfl.exec:\xrxxxfl.exe73⤵
-
\??\c:\1bbnbn.exec:\1bbnbn.exe74⤵
-
\??\c:\3hnnnt.exec:\3hnnnt.exe75⤵
-
\??\c:\bbbnhn.exec:\bbbnhn.exe76⤵
-
\??\c:\dvvvd.exec:\dvvvd.exe77⤵
-
\??\c:\ddpvd.exec:\ddpvd.exe78⤵
-
\??\c:\5jpjp.exec:\5jpjp.exe79⤵
-
\??\c:\lfrflrl.exec:\lfrflrl.exe80⤵
-
\??\c:\rffrffl.exec:\rffrffl.exe81⤵
-
\??\c:\nhhntb.exec:\nhhntb.exe82⤵
-
\??\c:\bthttb.exec:\bthttb.exe83⤵
-
\??\c:\btttbb.exec:\btttbb.exe84⤵
-
\??\c:\vpvdv.exec:\vpvdv.exe85⤵
-
\??\c:\pvjpd.exec:\pvjpd.exe86⤵
-
\??\c:\dpdvv.exec:\dpdvv.exe87⤵
-
\??\c:\dpdpd.exec:\dpdpd.exe88⤵
-
\??\c:\xrrxrxl.exec:\xrrxrxl.exe89⤵
-
\??\c:\flxxrlf.exec:\flxxrlf.exe90⤵
-
\??\c:\1nnbbb.exec:\1nnbbb.exe91⤵
-
\??\c:\bhttnn.exec:\bhttnn.exe92⤵
-
\??\c:\thnthb.exec:\thnthb.exe93⤵
-
\??\c:\jjdpp.exec:\jjdpp.exe94⤵
-
\??\c:\7ppjd.exec:\7ppjd.exe95⤵
-
\??\c:\dpjjj.exec:\dpjjj.exe96⤵
-
\??\c:\ffflxxr.exec:\ffflxxr.exe97⤵
-
\??\c:\1frfrfr.exec:\1frfrfr.exe98⤵
-
\??\c:\rlxrrlx.exec:\rlxrrlx.exe99⤵
-
\??\c:\nbbbtt.exec:\nbbbtt.exe100⤵
-
\??\c:\tbhbbb.exec:\tbhbbb.exe101⤵
-
\??\c:\dvddp.exec:\dvddp.exe102⤵
-
\??\c:\djjjp.exec:\djjjp.exe103⤵
-
\??\c:\rlflrlx.exec:\rlflrlx.exe104⤵
-
\??\c:\5fxlllx.exec:\5fxlllx.exe105⤵
-
\??\c:\htnhnn.exec:\htnhnn.exe106⤵
-
\??\c:\7bnbnt.exec:\7bnbnt.exe107⤵
-
\??\c:\lfrrxxr.exec:\lfrrxxr.exe108⤵
-
\??\c:\hhbthh.exec:\hhbthh.exe109⤵
-
\??\c:\hbttnn.exec:\hbttnn.exe110⤵
-
\??\c:\vpdpd.exec:\vpdpd.exe111⤵
-
\??\c:\tththn.exec:\tththn.exe112⤵
-
\??\c:\jdvvj.exec:\jdvvj.exe113⤵
-
\??\c:\lfrxrrf.exec:\lfrxrrf.exe114⤵
-
\??\c:\rlxfxxl.exec:\rlxfxxl.exe115⤵
-
\??\c:\bhttnt.exec:\bhttnt.exe116⤵
-
\??\c:\vvjdp.exec:\vvjdp.exe117⤵
-
\??\c:\jvpvp.exec:\jvpvp.exe118⤵
-
\??\c:\fxfflxf.exec:\fxfflxf.exe119⤵
-
\??\c:\3btnhh.exec:\3btnhh.exe120⤵
-
\??\c:\hhbnbn.exec:\hhbnbn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-