Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05-09-2024 12:14
General
-
Target
830828fc55b9dd518a221e81d80c08c0N.exe
-
Size
64KB
-
MD5
830828fc55b9dd518a221e81d80c08c0
-
SHA1
184dd47840911eff449d91aeb5b6a6b85f407ef6
-
SHA256
c5b57d09803241e934c7e720d7f1b3da33f11a99c482693f9545d3660f9b414a
-
SHA512
fee7a90399b626710541498e452ed7bfa41b0b9d607a02c71bce2627cbe463342d68b993bc04a04b99bd7661f194cde47868e589bbe414cfca67ee4e36211634
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27B1g:ymb3NkkiQ3mdBjFI9cW
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\830828fc55b9dd518a221e81d80c08c0N.exe"C:\Users\Admin\AppData\Local\Temp\830828fc55b9dd518a221e81d80c08c0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhtt.exec:\tnbhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnttt.exec:\nhnttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rrfrrf.exec:\3rrfrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfrrlr.exec:\xrfrrlr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbhhn.exec:\btbhhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdjp.exec:\dvdjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrfxxl.exec:\fxrfxxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hbnbt.exec:\9hbnbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdjj.exec:\jvdjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xllrlr.exec:\1xllrlr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9llxllx.exec:\9llxllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhnn.exec:\nhbhnn.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\pvddj.exec:\pvddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdpd.exec:\vvdpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lxffrx.exec:\7lxffrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9tnthh.exec:\9tnthh.exe17⤵
- Executes dropped EXE
-
\??\c:\hbtnbb.exec:\hbtnbb.exe18⤵
- Executes dropped EXE
-
\??\c:\pvppv.exec:\pvppv.exe19⤵
- Executes dropped EXE
-
\??\c:\dpjvv.exec:\dpjvv.exe20⤵
- Executes dropped EXE
-
\??\c:\rlxxrxf.exec:\rlxxrxf.exe21⤵
- Executes dropped EXE
-
\??\c:\hbtbnt.exec:\hbtbnt.exe22⤵
- Executes dropped EXE
-
\??\c:\7thhhn.exec:\7thhhn.exe23⤵
- Executes dropped EXE
-
\??\c:\ppdjd.exec:\ppdjd.exe24⤵
- Executes dropped EXE
-
\??\c:\pjvjp.exec:\pjvjp.exe25⤵
- Executes dropped EXE
-
\??\c:\frllrxl.exec:\frllrxl.exe26⤵
- Executes dropped EXE
-
\??\c:\3btnhn.exec:\3btnhn.exe27⤵
- Executes dropped EXE
-
\??\c:\7hthht.exec:\7hthht.exe28⤵
- Executes dropped EXE
-
\??\c:\jjjpv.exec:\jjjpv.exe29⤵
- Executes dropped EXE
-
\??\c:\rrlfrfl.exec:\rrlfrfl.exe30⤵
- Executes dropped EXE
-
\??\c:\ntttnh.exec:\ntttnh.exe31⤵
- Executes dropped EXE
-
\??\c:\pjvpj.exec:\pjvpj.exe32⤵
- Executes dropped EXE
-
\??\c:\lfxlxfx.exec:\lfxlxfx.exe33⤵
- Executes dropped EXE
-
\??\c:\lfrxlrf.exec:\lfrxlrf.exe34⤵
- Executes dropped EXE
-
\??\c:\ttnnhn.exec:\ttnnhn.exe35⤵
- Executes dropped EXE
-
\??\c:\hnnbbt.exec:\hnnbbt.exe36⤵
- Executes dropped EXE
-
\??\c:\pjvpp.exec:\pjvpp.exe37⤵
- Executes dropped EXE
-
\??\c:\rlxxxxl.exec:\rlxxxxl.exe38⤵
- Executes dropped EXE
-
\??\c:\rllrflr.exec:\rllrflr.exe39⤵
- Executes dropped EXE
-
\??\c:\nbbhbb.exec:\nbbhbb.exe40⤵
- Executes dropped EXE
-
\??\c:\3hbtnn.exec:\3hbtnn.exe41⤵
- Executes dropped EXE
-
\??\c:\9dpvv.exec:\9dpvv.exe42⤵
- Executes dropped EXE
-
\??\c:\pvjvd.exec:\pvjvd.exe43⤵
- Executes dropped EXE
-
\??\c:\rlrfrrx.exec:\rlrfrrx.exe44⤵
- Executes dropped EXE
-
\??\c:\bbbthn.exec:\bbbthn.exe45⤵
- Executes dropped EXE
-
\??\c:\7hbthn.exec:\7hbthn.exe46⤵
- Executes dropped EXE
-
\??\c:\pdvjp.exec:\pdvjp.exe47⤵
- Executes dropped EXE
-
\??\c:\ddjvj.exec:\ddjvj.exe48⤵
- Executes dropped EXE
-
\??\c:\xrxxlxr.exec:\xrxxlxr.exe49⤵
- Executes dropped EXE
-
\??\c:\rfrlxfl.exec:\rfrlxfl.exe50⤵
- Executes dropped EXE
-
\??\c:\tbbtnh.exec:\tbbtnh.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\1dppp.exec:\1dppp.exe52⤵
- Executes dropped EXE
-
\??\c:\dpvdp.exec:\dpvdp.exe53⤵
- Executes dropped EXE
-
\??\c:\xrrflrf.exec:\xrrflrf.exe54⤵
- Executes dropped EXE
-
\??\c:\fxlxflr.exec:\fxlxflr.exe55⤵
- Executes dropped EXE
-
\??\c:\thhhbb.exec:\thhhbb.exe56⤵
- Executes dropped EXE
-
\??\c:\3dvjj.exec:\3dvjj.exe57⤵
- Executes dropped EXE
-
\??\c:\vjvdd.exec:\vjvdd.exe58⤵
- Executes dropped EXE
-
\??\c:\5rlrxxx.exec:\5rlrxxx.exe59⤵
- Executes dropped EXE
-
\??\c:\rrrxfrf.exec:\rrrxfrf.exe60⤵
- Executes dropped EXE
-
\??\c:\hbnbtb.exec:\hbnbtb.exe61⤵
- Executes dropped EXE
-
\??\c:\7nbnbn.exec:\7nbnbn.exe62⤵
- Executes dropped EXE
-
\??\c:\jjddp.exec:\jjddp.exe63⤵
- Executes dropped EXE
-
\??\c:\9pjvd.exec:\9pjvd.exe64⤵
- Executes dropped EXE
-
\??\c:\xlfllfr.exec:\xlfllfr.exe65⤵
- Executes dropped EXE
-
\??\c:\fxxxrxl.exec:\fxxxrxl.exe66⤵
-
\??\c:\1nnhnt.exec:\1nnhnt.exe67⤵
-
\??\c:\nbbbnt.exec:\nbbbnt.exe68⤵
-
\??\c:\9jjjd.exec:\9jjjd.exe69⤵
-
\??\c:\5ddjp.exec:\5ddjp.exe70⤵
-
\??\c:\lfrxrxf.exec:\lfrxrxf.exe71⤵
-
\??\c:\bnthbb.exec:\bnthbb.exe72⤵
-
\??\c:\3htbbb.exec:\3htbbb.exe73⤵
-
\??\c:\nbhnbh.exec:\nbhnbh.exe74⤵
-
\??\c:\7dpdd.exec:\7dpdd.exe75⤵
-
\??\c:\jjdpj.exec:\jjdpj.exe76⤵
-
\??\c:\7xlfffr.exec:\7xlfffr.exe77⤵
-
\??\c:\lflxrfl.exec:\lflxrfl.exe78⤵
-
\??\c:\3thnbt.exec:\3thnbt.exe79⤵
-
\??\c:\pdvjj.exec:\pdvjj.exe80⤵
-
\??\c:\ppvvd.exec:\ppvvd.exe81⤵
-
\??\c:\rrllfrr.exec:\rrllfrr.exe82⤵
-
\??\c:\5xxfxff.exec:\5xxfxff.exe83⤵
-
\??\c:\1bbnht.exec:\1bbnht.exe84⤵
-
\??\c:\hhhnbh.exec:\hhhnbh.exe85⤵
-
\??\c:\vvvvp.exec:\vvvvp.exe86⤵
-
\??\c:\3rrrlrf.exec:\3rrrlrf.exe87⤵
-
\??\c:\ffflxff.exec:\ffflxff.exe88⤵
-
\??\c:\rrrrflx.exec:\rrrrflx.exe89⤵
-
\??\c:\hhbnbn.exec:\hhbnbn.exe90⤵
-
\??\c:\btnthh.exec:\btnthh.exe91⤵
-
\??\c:\dddpj.exec:\dddpj.exe92⤵
-
\??\c:\3lllrrx.exec:\3lllrrx.exe93⤵
-
\??\c:\5lflrfx.exec:\5lflrfx.exe94⤵
-
\??\c:\5hbbhn.exec:\5hbbhn.exe95⤵
-
\??\c:\1bnhtb.exec:\1bnhtb.exe96⤵
-
\??\c:\3jjdj.exec:\3jjdj.exe97⤵
-
\??\c:\dvdjv.exec:\dvdjv.exe98⤵
-
\??\c:\9rlrxxf.exec:\9rlrxxf.exe99⤵
-
\??\c:\rfflrrr.exec:\rfflrrr.exe100⤵
-
\??\c:\bnbbhn.exec:\bnbbhn.exe101⤵
-
\??\c:\hbnttt.exec:\hbnttt.exe102⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe103⤵
-
\??\c:\7vvdv.exec:\7vvdv.exe104⤵
-
\??\c:\rflfxff.exec:\rflfxff.exe105⤵
-
\??\c:\hthnnt.exec:\hthnnt.exe106⤵
-
\??\c:\3thntb.exec:\3thntb.exe107⤵
-
\??\c:\vppvv.exec:\vppvv.exe108⤵
-
\??\c:\jdpjp.exec:\jdpjp.exe109⤵
-
\??\c:\vjvdj.exec:\vjvdj.exe110⤵
-
\??\c:\rlffrlx.exec:\rlffrlx.exe111⤵
-
\??\c:\xrfrxff.exec:\xrfrxff.exe112⤵
-
\??\c:\5hhtnt.exec:\5hhtnt.exe113⤵
-
\??\c:\dpjpd.exec:\dpjpd.exe114⤵
-
\??\c:\3fxllrf.exec:\3fxllrf.exe115⤵
-
\??\c:\ffrxflr.exec:\ffrxflr.exe116⤵
-
\??\c:\xrrxfrx.exec:\xrrxfrx.exe117⤵
-
\??\c:\bnbnnn.exec:\bnbnnn.exe118⤵
-
\??\c:\vpjpd.exec:\vpjpd.exe119⤵
-
\??\c:\jjdpp.exec:\jjdpp.exe120⤵
-
\??\c:\xrrxxfl.exec:\xrrxxfl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-