Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05-09-2024 12:18
General
-
Target
7f149581054b45f83054d4b616e348c0N.exe
-
Size
64KB
-
MD5
7f149581054b45f83054d4b616e348c0
-
SHA1
ae484dcb3987e4d4db2a11f608d38d2e889f0d51
-
SHA256
794365d91ff6f206e7ca2b2f6ee6d2cc4acddaa061b7df73b168c7ef13ccd612
-
SHA512
8e3276aac1dfc686e0a49c15e788adb46fbfae39123f51d64c9e4c9d83db79854982ceb020016f6d7fcb411d6438fcf9fb1ee6fecd86f048bfac73d3e43beb29
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27B11:ymb3NkkiQ3mdBjFI9cD
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f149581054b45f83054d4b616e348c0N.exe"C:\Users\Admin\AppData\Local\Temp\7f149581054b45f83054d4b616e348c0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\flrfxrr.exec:\flrfxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bhthn.exec:\5bhthn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvp.exec:\pjvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdjv.exec:\pjdjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllllf.exec:\fxllllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtntb.exec:\hbtntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjpd.exec:\jjjpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvdp.exec:\pdvdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrlrrf.exec:\ffrlrrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvdv.exec:\vvvdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7pvdp.exec:\7pvdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlfrrf.exec:\rrlfrrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxlfxl.exec:\lxxlfxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnnhn.exec:\nnnnhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvdv.exec:\vvvdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjpv.exec:\ppjpv.exe17⤵
- Executes dropped EXE
-
\??\c:\3lrlxfl.exec:\3lrlxfl.exe18⤵
- Executes dropped EXE
-
\??\c:\bbtnbh.exec:\bbtnbh.exe19⤵
- Executes dropped EXE
-
\??\c:\ttnbnb.exec:\ttnbnb.exe20⤵
- Executes dropped EXE
-
\??\c:\9pjvp.exec:\9pjvp.exe21⤵
- Executes dropped EXE
-
\??\c:\5pddj.exec:\5pddj.exe22⤵
- Executes dropped EXE
-
\??\c:\fffxlrf.exec:\fffxlrf.exe23⤵
- Executes dropped EXE
-
\??\c:\lfxlrxf.exec:\lfxlrxf.exe24⤵
- Executes dropped EXE
-
\??\c:\1htnnt.exec:\1htnnt.exe25⤵
- Executes dropped EXE
-
\??\c:\jjjjp.exec:\jjjjp.exe26⤵
- Executes dropped EXE
-
\??\c:\vppjv.exec:\vppjv.exe27⤵
- Executes dropped EXE
-
\??\c:\rrlfxrx.exec:\rrlfxrx.exe28⤵
- Executes dropped EXE
-
\??\c:\7nhtbn.exec:\7nhtbn.exe29⤵
- Executes dropped EXE
-
\??\c:\tttnnb.exec:\tttnnb.exe30⤵
- Executes dropped EXE
-
\??\c:\pvppp.exec:\pvppp.exe31⤵
- Executes dropped EXE
-
\??\c:\5vpjp.exec:\5vpjp.exe32⤵
- Executes dropped EXE
-
\??\c:\xxlfxfr.exec:\xxlfxfr.exe33⤵
- Executes dropped EXE
-
\??\c:\5xxlxlr.exec:\5xxlxlr.exe34⤵
- Executes dropped EXE
-
\??\c:\ntthbn.exec:\ntthbn.exe35⤵
- Executes dropped EXE
-
\??\c:\jvdvv.exec:\jvdvv.exe36⤵
- Executes dropped EXE
-
\??\c:\1djvp.exec:\1djvp.exe37⤵
- Executes dropped EXE
-
\??\c:\xrfrxfl.exec:\xrfrxfl.exe38⤵
- Executes dropped EXE
-
\??\c:\nthnnh.exec:\nthnnh.exe39⤵
- Executes dropped EXE
-
\??\c:\hhbtth.exec:\hhbtth.exe40⤵
- Executes dropped EXE
-
\??\c:\3vvdv.exec:\3vvdv.exe41⤵
- Executes dropped EXE
-
\??\c:\vjjpv.exec:\vjjpv.exe42⤵
- Executes dropped EXE
-
\??\c:\rlxxlxl.exec:\rlxxlxl.exe43⤵
- Executes dropped EXE
-
\??\c:\9lxxflx.exec:\9lxxflx.exe44⤵
- Executes dropped EXE
-
\??\c:\hhbnnn.exec:\hhbnnn.exe45⤵
- Executes dropped EXE
-
\??\c:\btntnt.exec:\btntnt.exe46⤵
- Executes dropped EXE
-
\??\c:\3ddpj.exec:\3ddpj.exe47⤵
- Executes dropped EXE
-
\??\c:\1dpjp.exec:\1dpjp.exe48⤵
- Executes dropped EXE
-
\??\c:\1xrfrxr.exec:\1xrfrxr.exe49⤵
- Executes dropped EXE
-
\??\c:\3lrflfl.exec:\3lrflfl.exe50⤵
- Executes dropped EXE
-
\??\c:\1bttht.exec:\1bttht.exe51⤵
- Executes dropped EXE
-
\??\c:\hhtbhn.exec:\hhtbhn.exe52⤵
- Executes dropped EXE
-
\??\c:\ddvvd.exec:\ddvvd.exe53⤵
- Executes dropped EXE
-
\??\c:\jjddv.exec:\jjddv.exe54⤵
- Executes dropped EXE
-
\??\c:\xxrfrff.exec:\xxrfrff.exe55⤵
- Executes dropped EXE
-
\??\c:\lfflxfr.exec:\lfflxfr.exe56⤵
- Executes dropped EXE
-
\??\c:\hhthbh.exec:\hhthbh.exe57⤵
- Executes dropped EXE
-
\??\c:\hbntnt.exec:\hbntnt.exe58⤵
- Executes dropped EXE
-
\??\c:\ddpvj.exec:\ddpvj.exe59⤵
- Executes dropped EXE
-
\??\c:\pjddp.exec:\pjddp.exe60⤵
- Executes dropped EXE
-
\??\c:\9xlffxr.exec:\9xlffxr.exe61⤵
- Executes dropped EXE
-
\??\c:\nnthhh.exec:\nnthhh.exe62⤵
- Executes dropped EXE
-
\??\c:\jjpdj.exec:\jjpdj.exe63⤵
- Executes dropped EXE
-
\??\c:\ppdjv.exec:\ppdjv.exe64⤵
- Executes dropped EXE
-
\??\c:\xrxfflx.exec:\xrxfflx.exe65⤵
- Executes dropped EXE
-
\??\c:\fffxffl.exec:\fffxffl.exe66⤵
-
\??\c:\tnntbb.exec:\tnntbb.exe67⤵
-
\??\c:\bbnbhn.exec:\bbnbhn.exe68⤵
-
\??\c:\jpddv.exec:\jpddv.exe69⤵
-
\??\c:\pjjpv.exec:\pjjpv.exe70⤵
-
\??\c:\xllxlrf.exec:\xllxlrf.exe71⤵
-
\??\c:\ffxlxxl.exec:\ffxlxxl.exe72⤵
-
\??\c:\hnbtbn.exec:\hnbtbn.exe73⤵
-
\??\c:\tthhnt.exec:\tthhnt.exe74⤵
-
\??\c:\pppjv.exec:\pppjv.exe75⤵
-
\??\c:\xrrxlrl.exec:\xrrxlrl.exe76⤵
-
\??\c:\rxxrlrl.exec:\rxxrlrl.exe77⤵
-
\??\c:\hhtnnt.exec:\hhtnnt.exe78⤵
-
\??\c:\5hbtth.exec:\5hbtth.exe79⤵
-
\??\c:\dddvp.exec:\dddvp.exe80⤵
-
\??\c:\dddpv.exec:\dddpv.exe81⤵
-
\??\c:\rlrxllx.exec:\rlrxllx.exe82⤵
-
\??\c:\lrfrrxx.exec:\lrfrrxx.exe83⤵
-
\??\c:\hbnbtt.exec:\hbnbtt.exe84⤵
-
\??\c:\1pppd.exec:\1pppd.exe85⤵
-
\??\c:\jdjjj.exec:\jdjjj.exe86⤵
-
\??\c:\ppjjv.exec:\ppjjv.exe87⤵
-
\??\c:\3fllrxf.exec:\3fllrxf.exe88⤵
-
\??\c:\hhnbbh.exec:\hhnbbh.exe89⤵
-
\??\c:\btbhnt.exec:\btbhnt.exe90⤵
-
\??\c:\7vvpd.exec:\7vvpd.exe91⤵
-
\??\c:\lflrxxf.exec:\lflrxxf.exe92⤵
-
\??\c:\rlllxxl.exec:\rlllxxl.exe93⤵
-
\??\c:\hbthhn.exec:\hbthhn.exe94⤵
-
\??\c:\bbntbh.exec:\bbntbh.exe95⤵
-
\??\c:\jdvdp.exec:\jdvdp.exe96⤵
-
\??\c:\9jjvp.exec:\9jjvp.exe97⤵
-
\??\c:\llfrlff.exec:\llfrlff.exe98⤵
-
\??\c:\lrlflfx.exec:\lrlflfx.exe99⤵
-
\??\c:\bnnbbb.exec:\bnnbbb.exe100⤵
-
\??\c:\bhhtth.exec:\bhhtth.exe101⤵
-
\??\c:\ppjpj.exec:\ppjpj.exe102⤵
-
\??\c:\dpvdv.exec:\dpvdv.exe103⤵
-
\??\c:\vpjjd.exec:\vpjjd.exe104⤵
-
\??\c:\7xlllxl.exec:\7xlllxl.exe105⤵
- System Location Discovery: System Language Discovery
-
\??\c:\7fxlllr.exec:\7fxlllr.exe106⤵
-
\??\c:\ntbtbb.exec:\ntbtbb.exe107⤵
-
\??\c:\ppjvj.exec:\ppjvj.exe108⤵
-
\??\c:\djpjp.exec:\djpjp.exe109⤵
-
\??\c:\3rrxlrf.exec:\3rrxlrf.exe110⤵
-
\??\c:\xffxxrl.exec:\xffxxrl.exe111⤵
-
\??\c:\hnntbn.exec:\hnntbn.exe112⤵
-
\??\c:\5hbnbh.exec:\5hbnbh.exe113⤵
-
\??\c:\7jvjv.exec:\7jvjv.exe114⤵
-
\??\c:\pjdjv.exec:\pjdjv.exe115⤵
-
\??\c:\xflxlrf.exec:\xflxlrf.exe116⤵
-
\??\c:\1lxlxfr.exec:\1lxlxfr.exe117⤵
-
\??\c:\nhttnt.exec:\nhttnt.exe118⤵
-
\??\c:\3tttht.exec:\3tttht.exe119⤵
-
\??\c:\9jdpj.exec:\9jdpj.exe120⤵
-
\??\c:\vdpdd.exec:\vdpdd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-