Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05-09-2024 12:29
General
-
Target
bbcbc89c52699aa7a6841287619ffec0N.exe
-
Size
70KB
-
MD5
bbcbc89c52699aa7a6841287619ffec0
-
SHA1
c78f0ffe144e9094968fa283cf28a348fc25d18f
-
SHA256
35175234c8e6192338a30c4b955daad9e403656167eda8d40d385bc75d216ecd
-
SHA512
8f777e0e4904e27c317e4620d93d11799d995ee5ba5774d18e537172abfce3ded57255d7a6325ee9dae8b1756ea86ea4a3a4e47721f658b5562a85e1e194589f
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIJ/RWPqBr3:ymb3NkkiQ3mdBjFIqsr3
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 17 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bbcbc89c52699aa7a6841287619ffec0N.exe"C:\Users\Admin\AppData\Local\Temp\bbcbc89c52699aa7a6841287619ffec0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3nhntb.exec:\3nhntb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvpvd.exec:\jvpvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxfrrx.exec:\rlxfrrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxrlr.exec:\lfrxrlr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbthth.exec:\bbthth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppppv.exec:\ppppv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxfrxf.exec:\xrxfrxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhbht.exec:\hbhbht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnhht.exec:\ttnhht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7dvpj.exec:\7dvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdpp.exec:\dvdpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xllrfl.exec:\9xllrfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrxlrx.exec:\rlrxlrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthnbb.exec:\tthnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvjv.exec:\vvvjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdpd.exec:\ppdpd.exe17⤵
- Executes dropped EXE
-
\??\c:\lrffrfr.exec:\lrffrfr.exe18⤵
- Executes dropped EXE
-
\??\c:\tntbhn.exec:\tntbhn.exe19⤵
- Executes dropped EXE
-
\??\c:\bhtbhn.exec:\bhtbhn.exe20⤵
- Executes dropped EXE
-
\??\c:\jpvpp.exec:\jpvpp.exe21⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe22⤵
- Executes dropped EXE
-
\??\c:\fllxxll.exec:\fllxxll.exe23⤵
- Executes dropped EXE
-
\??\c:\rllrffr.exec:\rllrffr.exe24⤵
- Executes dropped EXE
-
\??\c:\tnhnbh.exec:\tnhnbh.exe25⤵
- Executes dropped EXE
-
\??\c:\btnntt.exec:\btnntt.exe26⤵
- Executes dropped EXE
-
\??\c:\jdvvj.exec:\jdvvj.exe27⤵
- Executes dropped EXE
-
\??\c:\pvddd.exec:\pvddd.exe28⤵
- Executes dropped EXE
-
\??\c:\lfrfffl.exec:\lfrfffl.exe29⤵
- Executes dropped EXE
-
\??\c:\tnhnbt.exec:\tnhnbt.exe30⤵
- Executes dropped EXE
-
\??\c:\nhbhtb.exec:\nhbhtb.exe31⤵
- Executes dropped EXE
-
\??\c:\jvpvd.exec:\jvpvd.exe32⤵
- Executes dropped EXE
-
\??\c:\jvppd.exec:\jvppd.exe33⤵
- Executes dropped EXE
-
\??\c:\xlxrxxf.exec:\xlxrxxf.exe34⤵
- Executes dropped EXE
-
\??\c:\7fxfllx.exec:\7fxfllx.exe35⤵
- Executes dropped EXE
-
\??\c:\ttntbb.exec:\ttntbb.exe36⤵
- Executes dropped EXE
-
\??\c:\bnnbhn.exec:\bnnbhn.exe37⤵
- Executes dropped EXE
-
\??\c:\dvdjd.exec:\dvdjd.exe38⤵
- Executes dropped EXE
-
\??\c:\dpddp.exec:\dpddp.exe39⤵
- Executes dropped EXE
-
\??\c:\7vpjv.exec:\7vpjv.exe40⤵
- Executes dropped EXE
-
\??\c:\xlrrxxf.exec:\xlrrxxf.exe41⤵
- Executes dropped EXE
-
\??\c:\xrxflxl.exec:\xrxflxl.exe42⤵
- Executes dropped EXE
-
\??\c:\nhnthh.exec:\nhnthh.exe43⤵
- Executes dropped EXE
-
\??\c:\ttbbhn.exec:\ttbbhn.exe44⤵
- Executes dropped EXE
-
\??\c:\3xfflfl.exec:\3xfflfl.exe45⤵
- Executes dropped EXE
-
\??\c:\rrfxflr.exec:\rrfxflr.exe46⤵
- Executes dropped EXE
-
\??\c:\9hbbtb.exec:\9hbbtb.exe47⤵
- Executes dropped EXE
-
\??\c:\nhnttb.exec:\nhnttb.exe48⤵
- Executes dropped EXE
-
\??\c:\jdppj.exec:\jdppj.exe49⤵
- Executes dropped EXE
-
\??\c:\frllrff.exec:\frllrff.exe50⤵
- Executes dropped EXE
-
\??\c:\xfrrfff.exec:\xfrrfff.exe51⤵
- Executes dropped EXE
-
\??\c:\nbhtbt.exec:\nbhtbt.exe52⤵
- Executes dropped EXE
-
\??\c:\bnntnt.exec:\bnntnt.exe53⤵
- Executes dropped EXE
-
\??\c:\jdvvj.exec:\jdvvj.exe54⤵
- Executes dropped EXE
-
\??\c:\5dpvv.exec:\5dpvv.exe55⤵
- Executes dropped EXE
-
\??\c:\rlxxxfl.exec:\rlxxxfl.exe56⤵
- Executes dropped EXE
-
\??\c:\fxlrxrx.exec:\fxlrxrx.exe57⤵
- Executes dropped EXE
-
\??\c:\nhtbhn.exec:\nhtbhn.exe58⤵
- Executes dropped EXE
-
\??\c:\nhtbtt.exec:\nhtbtt.exe59⤵
- Executes dropped EXE
-
\??\c:\1pdvd.exec:\1pdvd.exe60⤵
- Executes dropped EXE
-
\??\c:\dddjj.exec:\dddjj.exe61⤵
- Executes dropped EXE
-
\??\c:\9rlrxxl.exec:\9rlrxxl.exe62⤵
- Executes dropped EXE
-
\??\c:\frfrffr.exec:\frfrffr.exe63⤵
- Executes dropped EXE
-
\??\c:\nhntbt.exec:\nhntbt.exe64⤵
- Executes dropped EXE
-
\??\c:\thnhbn.exec:\thnhbn.exe65⤵
- Executes dropped EXE
-
\??\c:\tnbnnt.exec:\tnbnnt.exe66⤵
-
\??\c:\djdvv.exec:\djdvv.exe67⤵
-
\??\c:\dvddd.exec:\dvddd.exe68⤵
- System Location Discovery: System Language Discovery
-
\??\c:\fxrrfxf.exec:\fxrrfxf.exe69⤵
-
\??\c:\rlflrlr.exec:\rlflrlr.exe70⤵
-
\??\c:\nbnhtn.exec:\nbnhtn.exe71⤵
-
\??\c:\bnhnth.exec:\bnhnth.exe72⤵
-
\??\c:\tnnnbh.exec:\tnnnbh.exe73⤵
-
\??\c:\3vpvv.exec:\3vpvv.exe74⤵
-
\??\c:\3jpvd.exec:\3jpvd.exe75⤵
-
\??\c:\lffrflr.exec:\lffrflr.exe76⤵
-
\??\c:\xlxllxx.exec:\xlxllxx.exe77⤵
-
\??\c:\nbnbbb.exec:\nbnbbb.exe78⤵
-
\??\c:\9thntb.exec:\9thntb.exe79⤵
-
\??\c:\pjdvv.exec:\pjdvv.exe80⤵
-
\??\c:\dddjd.exec:\dddjd.exe81⤵
-
\??\c:\xrlxlfl.exec:\xrlxlfl.exe82⤵
-
\??\c:\7lfxlxl.exec:\7lfxlxl.exe83⤵
-
\??\c:\nnhntn.exec:\nnhntn.exe84⤵
-
\??\c:\hbtbbh.exec:\hbtbbh.exe85⤵
-
\??\c:\dvdjj.exec:\dvdjj.exe86⤵
-
\??\c:\pdppp.exec:\pdppp.exe87⤵
-
\??\c:\9rrlxlx.exec:\9rrlxlx.exe88⤵
- System Location Discovery: System Language Discovery
-
\??\c:\frffllr.exec:\frffllr.exe89⤵
-
\??\c:\bthbtb.exec:\bthbtb.exe90⤵
-
\??\c:\hhbnth.exec:\hhbnth.exe91⤵
-
\??\c:\1djdj.exec:\1djdj.exe92⤵
-
\??\c:\jdppj.exec:\jdppj.exe93⤵
-
\??\c:\xxrxlrx.exec:\xxrxlrx.exe94⤵
-
\??\c:\9fxrrrx.exec:\9fxrrrx.exe95⤵
-
\??\c:\9tttbb.exec:\9tttbb.exe96⤵
-
\??\c:\bnhnth.exec:\bnhnth.exe97⤵
-
\??\c:\jvpjp.exec:\jvpjp.exe98⤵
-
\??\c:\vppjp.exec:\vppjp.exe99⤵
-
\??\c:\xrllfrx.exec:\xrllfrx.exe100⤵
-
\??\c:\rffllfx.exec:\rffllfx.exe101⤵
-
\??\c:\hbntbh.exec:\hbntbh.exe102⤵
-
\??\c:\pjjdp.exec:\pjjdp.exe103⤵
-
\??\c:\jjjvj.exec:\jjjvj.exe104⤵
-
\??\c:\jjvdj.exec:\jjvdj.exe105⤵
-
\??\c:\rlrffll.exec:\rlrffll.exe106⤵
-
\??\c:\5rrfrxl.exec:\5rrfrxl.exe107⤵
-
\??\c:\hhbhnb.exec:\hhbhnb.exe108⤵
-
\??\c:\nhtbbn.exec:\nhtbbn.exe109⤵
-
\??\c:\jvdjj.exec:\jvdjj.exe110⤵
-
\??\c:\vvjvj.exec:\vvjvj.exe111⤵
-
\??\c:\lxrllxx.exec:\lxrllxx.exe112⤵
-
\??\c:\9fxlfrx.exec:\9fxlfrx.exe113⤵
-
\??\c:\1bnnbb.exec:\1bnnbb.exe114⤵
-
\??\c:\bnbtnt.exec:\bnbtnt.exe115⤵
-
\??\c:\dpjdj.exec:\dpjdj.exe116⤵
-
\??\c:\jjjvp.exec:\jjjvp.exe117⤵
-
\??\c:\fffrxfr.exec:\fffrxfr.exe118⤵
-
\??\c:\5lrxrff.exec:\5lrxrff.exe119⤵
-
\??\c:\hbntnt.exec:\hbntnt.exe120⤵
-
\??\c:\htbnth.exec:\htbnth.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-