Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05/09/2024, 10:38
General
-
Target
e50533859ca55a55d8ff04fef9a29aa0N.exe
-
Size
72KB
-
MD5
e50533859ca55a55d8ff04fef9a29aa0
-
SHA1
4723e05d6d7cf792f7b5ebe85e020cde355206ac
-
SHA256
7545aba7687d5c465dec70e9c61000db7394a1e59312172e398afad322e50a9b
-
SHA512
e62d0f11fd1f871691bea4b68d71b78f421fee32f17f27604ae65274d4fac0f169f00ee19b4542500369913f1c3ae61d4366aa50963be7c69c3af93ec0e4d769
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjM:ymb3NkkiQ3mdBjFI4V8
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e50533859ca55a55d8ff04fef9a29aa0N.exe"C:\Users\Admin\AppData\Local\Temp\e50533859ca55a55d8ff04fef9a29aa0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1lfrlrf.exec:\1lfrlrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnhhbh.exec:\hnhhbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvjd.exec:\jdvjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrfrfrl.exec:\lrfrfrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvdj.exec:\jvvdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpdv.exec:\dvpdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnhhn.exec:\hbnhhn.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\5thtnb.exec:\5thtnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdppj.exec:\vdppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrfxxxf.exec:\lrfxxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtthn.exec:\hhtthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tnntb.exec:\1tnntb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llflrfr.exec:\llflrfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7llrrxr.exec:\7llrrxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttttnt.exec:\ttttnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjdp.exec:\jjjdp.exe17⤵
- Executes dropped EXE
-
\??\c:\9vvpd.exec:\9vvpd.exe18⤵
- Executes dropped EXE
-
\??\c:\rrflxlx.exec:\rrflxlx.exe19⤵
- Executes dropped EXE
-
\??\c:\tnbttn.exec:\tnbttn.exe20⤵
- Executes dropped EXE
-
\??\c:\bhntbt.exec:\bhntbt.exe21⤵
- Executes dropped EXE
-
\??\c:\dvvvd.exec:\dvvvd.exe22⤵
- Executes dropped EXE
-
\??\c:\pppdp.exec:\pppdp.exe23⤵
- Executes dropped EXE
-
\??\c:\9fxxflr.exec:\9fxxflr.exe24⤵
- Executes dropped EXE
-
\??\c:\bhhbbt.exec:\bhhbbt.exe25⤵
- Executes dropped EXE
-
\??\c:\dppvv.exec:\dppvv.exe26⤵
- Executes dropped EXE
-
\??\c:\5vpjv.exec:\5vpjv.exe27⤵
- Executes dropped EXE
-
\??\c:\fxrxxxl.exec:\fxrxxxl.exe28⤵
- Executes dropped EXE
-
\??\c:\ttnnth.exec:\ttnnth.exe29⤵
- Executes dropped EXE
-
\??\c:\3hhbth.exec:\3hhbth.exe30⤵
- Executes dropped EXE
-
\??\c:\jjdpv.exec:\jjdpv.exe31⤵
- Executes dropped EXE
-
\??\c:\rrrrlrr.exec:\rrrrlrr.exe32⤵
- Executes dropped EXE
-
\??\c:\nhnbht.exec:\nhnbht.exe33⤵
- Executes dropped EXE
-
\??\c:\djvpp.exec:\djvpp.exe34⤵
- Executes dropped EXE
-
\??\c:\jjjpv.exec:\jjjpv.exe35⤵
- Executes dropped EXE
-
\??\c:\rlllxfr.exec:\rlllxfr.exe36⤵
- Executes dropped EXE
-
\??\c:\xrrxllf.exec:\xrrxllf.exe37⤵
- Executes dropped EXE
-
\??\c:\bbthnn.exec:\bbthnn.exe38⤵
- Executes dropped EXE
-
\??\c:\ttbbnn.exec:\ttbbnn.exe39⤵
- Executes dropped EXE
-
\??\c:\vvvdp.exec:\vvvdp.exe40⤵
- Executes dropped EXE
-
\??\c:\pvpdv.exec:\pvpdv.exe41⤵
- Executes dropped EXE
-
\??\c:\5dvdp.exec:\5dvdp.exe42⤵
- Executes dropped EXE
-
\??\c:\xxlrflf.exec:\xxlrflf.exe43⤵
- Executes dropped EXE
-
\??\c:\lfrrxxl.exec:\lfrrxxl.exe44⤵
- Executes dropped EXE
-
\??\c:\nthnht.exec:\nthnht.exe45⤵
- Executes dropped EXE
-
\??\c:\vvpdv.exec:\vvpdv.exe46⤵
- Executes dropped EXE
-
\??\c:\jdvjd.exec:\jdvjd.exe47⤵
- Executes dropped EXE
-
\??\c:\dvpvd.exec:\dvpvd.exe48⤵
- Executes dropped EXE
-
\??\c:\rrxfxfl.exec:\rrxfxfl.exe49⤵
- Executes dropped EXE
-
\??\c:\ffflxlx.exec:\ffflxlx.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nnbtht.exec:\nnbtht.exe51⤵
- Executes dropped EXE
-
\??\c:\tbnbhb.exec:\tbnbhb.exe52⤵
- Executes dropped EXE
-
\??\c:\jjpvd.exec:\jjpvd.exe53⤵
- Executes dropped EXE
-
\??\c:\ppdpd.exec:\ppdpd.exe54⤵
- Executes dropped EXE
-
\??\c:\1xxfxfl.exec:\1xxfxfl.exe55⤵
- Executes dropped EXE
-
\??\c:\xrlrxxl.exec:\xrlrxxl.exe56⤵
- Executes dropped EXE
-
\??\c:\bbbnth.exec:\bbbnth.exe57⤵
- Executes dropped EXE
-
\??\c:\thhnbh.exec:\thhnbh.exe58⤵
- Executes dropped EXE
-
\??\c:\ppjvj.exec:\ppjvj.exe59⤵
- Executes dropped EXE
-
\??\c:\jjdpj.exec:\jjdpj.exe60⤵
- Executes dropped EXE
-
\??\c:\xfxlrlx.exec:\xfxlrlx.exe61⤵
- Executes dropped EXE
-
\??\c:\lrxrrxf.exec:\lrxrrxf.exe62⤵
- Executes dropped EXE
-
\??\c:\hhbbht.exec:\hhbbht.exe63⤵
- Executes dropped EXE
-
\??\c:\bnnntb.exec:\bnnntb.exe64⤵
- Executes dropped EXE
-
\??\c:\1vvjj.exec:\1vvjj.exe65⤵
- Executes dropped EXE
-
\??\c:\7vpvp.exec:\7vpvp.exe66⤵
-
\??\c:\frrrfll.exec:\frrrfll.exe67⤵
-
\??\c:\btthtt.exec:\btthtt.exe68⤵
-
\??\c:\bbthht.exec:\bbthht.exe69⤵
-
\??\c:\7ppvj.exec:\7ppvj.exe70⤵
-
\??\c:\jjjdv.exec:\jjjdv.exe71⤵
-
\??\c:\1ffxfll.exec:\1ffxfll.exe72⤵
-
\??\c:\rffrfrl.exec:\rffrfrl.exe73⤵
-
\??\c:\9nnhnn.exec:\9nnhnn.exe74⤵
-
\??\c:\vpjdv.exec:\vpjdv.exe75⤵
-
\??\c:\vpjpd.exec:\vpjpd.exe76⤵
-
\??\c:\lllflrf.exec:\lllflrf.exe77⤵
-
\??\c:\9rrlxrl.exec:\9rrlxrl.exe78⤵
-
\??\c:\hbbnbb.exec:\hbbnbb.exe79⤵
-
\??\c:\nnhthn.exec:\nnhthn.exe80⤵
-
\??\c:\5ddvp.exec:\5ddvp.exe81⤵
-
\??\c:\lffxrlf.exec:\lffxrlf.exe82⤵
-
\??\c:\lrllxfr.exec:\lrllxfr.exe83⤵
-
\??\c:\nhbhtb.exec:\nhbhtb.exe84⤵
-
\??\c:\bthhth.exec:\bthhth.exe85⤵
-
\??\c:\vppvp.exec:\vppvp.exe86⤵
-
\??\c:\3ddpd.exec:\3ddpd.exe87⤵
-
\??\c:\rrlrrxl.exec:\rrlrrxl.exe88⤵
-
\??\c:\hnhtbn.exec:\hnhtbn.exe89⤵
-
\??\c:\hhthtt.exec:\hhthtt.exe90⤵
-
\??\c:\djjpv.exec:\djjpv.exe91⤵
-
\??\c:\vppdp.exec:\vppdp.exe92⤵
-
\??\c:\lfrfxlf.exec:\lfrfxlf.exe93⤵
-
\??\c:\3flxxxr.exec:\3flxxxr.exe94⤵
-
\??\c:\7hnhtb.exec:\7hnhtb.exe95⤵
-
\??\c:\hbhbbn.exec:\hbhbbn.exe96⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe97⤵
-
\??\c:\3flxfxr.exec:\3flxfxr.exe98⤵
-
\??\c:\rrrrlrf.exec:\rrrrlrf.exe99⤵
-
\??\c:\hnhhbn.exec:\hnhhbn.exe100⤵
-
\??\c:\nnhtht.exec:\nnhtht.exe101⤵
-
\??\c:\ddvdd.exec:\ddvdd.exe102⤵
-
\??\c:\jjdjj.exec:\jjdjj.exe103⤵
-
\??\c:\lrrlxxx.exec:\lrrlxxx.exe104⤵
-
\??\c:\3llfrfr.exec:\3llfrfr.exe105⤵
-
\??\c:\tnhnhb.exec:\tnhnhb.exe106⤵
-
\??\c:\jjjdd.exec:\jjjdd.exe107⤵
-
\??\c:\pjdjj.exec:\pjdjj.exe108⤵
-
\??\c:\rfxlxxr.exec:\rfxlxxr.exe109⤵
-
\??\c:\lffxlxl.exec:\lffxlxl.exe110⤵
-
\??\c:\hthttt.exec:\hthttt.exe111⤵
-
\??\c:\vjvpp.exec:\vjvpp.exe112⤵
-
\??\c:\pppjd.exec:\pppjd.exe113⤵
-
\??\c:\9flxrrf.exec:\9flxrrf.exe114⤵
-
\??\c:\hbtbbn.exec:\hbtbbn.exe115⤵
-
\??\c:\hhbnhh.exec:\hhbnhh.exe116⤵
-
\??\c:\jjpdd.exec:\jjpdd.exe117⤵
-
\??\c:\5lfxflr.exec:\5lfxflr.exe118⤵
-
\??\c:\xxxrxlx.exec:\xxxrxlx.exe119⤵
-
\??\c:\7ttbtb.exec:\7ttbtb.exe120⤵
-
\??\c:\hhhtnb.exec:\hhhtnb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-