Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05-09-2024 12:34
General
-
Target
3cc0161c3315a0543ab5e41115c04350N.exe
-
Size
95KB
-
MD5
3cc0161c3315a0543ab5e41115c04350
-
SHA1
9ee499677f85d00e0447928b32b25b39d52ea693
-
SHA256
4dd5ea80d4a250be080593e7b76e4b6a8e747a62f824a740694122614c4ced32
-
SHA512
b8e2bbd07dff358eb8715d4d3ad244fba3c511adf16a3e1f9b920b99154bb955e935865e18a9260f38ce02e2d9e408d971b51a7727e6d8312762d2741181392c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoLuePjDYlZMzcLF:ymb3NkkiQ3mdBjFoLucjD7cp
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cc0161c3315a0543ab5e41115c04350N.exe"C:\Users\Admin\AppData\Local\Temp\3cc0161c3315a0543ab5e41115c04350N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtbnh.exec:\bbtbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpvv.exec:\vvpvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxflrf.exec:\xxxflrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjvd.exec:\pjjvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpjv.exec:\ddpjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfrfrl.exec:\llfrfrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhttn.exec:\bhhttn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllxlxr.exec:\lllxlxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnhnn.exec:\bnnhnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjvd.exec:\vpjvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllxlxx.exec:\lllxlxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bntnt.exec:\3bntnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvpj.exec:\pvvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdjj.exec:\pjdjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrxfrf.exec:\ffrxfrf.exe17⤵
- Executes dropped EXE
-
\??\c:\xxlxlxl.exec:\xxlxlxl.exe18⤵
- Executes dropped EXE
-
\??\c:\nntttb.exec:\nntttb.exe19⤵
- Executes dropped EXE
-
\??\c:\pppdd.exec:\pppdd.exe20⤵
- Executes dropped EXE
-
\??\c:\vdvpd.exec:\vdvpd.exe21⤵
- Executes dropped EXE
-
\??\c:\lllfrlf.exec:\lllfrlf.exe22⤵
- Executes dropped EXE
-
\??\c:\ntntnt.exec:\ntntnt.exe23⤵
- Executes dropped EXE
-
\??\c:\7httnb.exec:\7httnb.exe24⤵
- Executes dropped EXE
-
\??\c:\jjpjj.exec:\jjpjj.exe25⤵
- Executes dropped EXE
-
\??\c:\tttnbn.exec:\tttnbn.exe26⤵
- Executes dropped EXE
-
\??\c:\9tnnbn.exec:\9tnnbn.exe27⤵
- Executes dropped EXE
-
\??\c:\ppvjd.exec:\ppvjd.exe28⤵
- Executes dropped EXE
-
\??\c:\vvvvj.exec:\vvvvj.exe29⤵
- Executes dropped EXE
-
\??\c:\rxlrrxr.exec:\rxlrrxr.exe30⤵
- Executes dropped EXE
-
\??\c:\5hbnhh.exec:\5hbnhh.exe31⤵
- Executes dropped EXE
-
\??\c:\pvpjj.exec:\pvpjj.exe32⤵
- Executes dropped EXE
-
\??\c:\vpjvp.exec:\vpjvp.exe33⤵
- Executes dropped EXE
-
\??\c:\3lrrlrl.exec:\3lrrlrl.exe34⤵
- Executes dropped EXE
-
\??\c:\bbtbbb.exec:\bbtbbb.exe35⤵
- Executes dropped EXE
-
\??\c:\hnnbht.exec:\hnnbht.exe36⤵
- Executes dropped EXE
-
\??\c:\vddjj.exec:\vddjj.exe37⤵
- Executes dropped EXE
-
\??\c:\vvjdd.exec:\vvjdd.exe38⤵
- Executes dropped EXE
-
\??\c:\llflxlx.exec:\llflxlx.exe39⤵
- Executes dropped EXE
-
\??\c:\llrllxl.exec:\llrllxl.exe40⤵
- Executes dropped EXE
-
\??\c:\nnnbth.exec:\nnnbth.exe41⤵
- Executes dropped EXE
-
\??\c:\nnhnhh.exec:\nnhnhh.exe42⤵
- Executes dropped EXE
-
\??\c:\vpppd.exec:\vpppd.exe43⤵
- Executes dropped EXE
-
\??\c:\7ddvp.exec:\7ddvp.exe44⤵
- Executes dropped EXE
-
\??\c:\flfrrfr.exec:\flfrrfr.exe45⤵
- Executes dropped EXE
-
\??\c:\flrllxx.exec:\flrllxx.exe46⤵
- Executes dropped EXE
-
\??\c:\hhbhbn.exec:\hhbhbn.exe47⤵
- Executes dropped EXE
-
\??\c:\1thbhb.exec:\1thbhb.exe48⤵
- Executes dropped EXE
-
\??\c:\7djvj.exec:\7djvj.exe49⤵
- Executes dropped EXE
-
\??\c:\pjjvv.exec:\pjjvv.exe50⤵
- Executes dropped EXE
-
\??\c:\xlflrrx.exec:\xlflrrx.exe51⤵
- Executes dropped EXE
-
\??\c:\9rfrlff.exec:\9rfrlff.exe52⤵
- Executes dropped EXE
-
\??\c:\9bthht.exec:\9bthht.exe53⤵
- Executes dropped EXE
-
\??\c:\7ddpj.exec:\7ddpj.exe54⤵
- Executes dropped EXE
-
\??\c:\7pvdp.exec:\7pvdp.exe55⤵
- Executes dropped EXE
-
\??\c:\xxxlfrl.exec:\xxxlfrl.exe56⤵
- Executes dropped EXE
-
\??\c:\rxxfrff.exec:\rxxfrff.exe57⤵
- Executes dropped EXE
-
\??\c:\tttbnb.exec:\tttbnb.exe58⤵
- Executes dropped EXE
-
\??\c:\bbnhhb.exec:\bbnhhb.exe59⤵
- Executes dropped EXE
-
\??\c:\jjjjp.exec:\jjjjp.exe60⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe61⤵
- Executes dropped EXE
-
\??\c:\ffrllrf.exec:\ffrllrf.exe62⤵
- Executes dropped EXE
-
\??\c:\xxfrlxr.exec:\xxfrlxr.exe63⤵
- Executes dropped EXE
-
\??\c:\tnbhtt.exec:\tnbhtt.exe64⤵
- Executes dropped EXE
-
\??\c:\jjvvj.exec:\jjvvj.exe65⤵
- Executes dropped EXE
-
\??\c:\pjppd.exec:\pjppd.exe66⤵
-
\??\c:\xxlxlrx.exec:\xxlxlrx.exe67⤵
-
\??\c:\5rlfrfl.exec:\5rlfrfl.exe68⤵
-
\??\c:\3lflxfr.exec:\3lflxfr.exe69⤵
-
\??\c:\tthnbh.exec:\tthnbh.exe70⤵
-
\??\c:\hhbbnt.exec:\hhbbnt.exe71⤵
-
\??\c:\3vppp.exec:\3vppp.exe72⤵
-
\??\c:\xrrrlxr.exec:\xrrrlxr.exe73⤵
-
\??\c:\5rrfrxl.exec:\5rrfrxl.exe74⤵
-
\??\c:\1hbbth.exec:\1hbbth.exe75⤵
-
\??\c:\tbnhnt.exec:\tbnhnt.exe76⤵
-
\??\c:\pppdd.exec:\pppdd.exe77⤵
-
\??\c:\vvvdp.exec:\vvvdp.exe78⤵
-
\??\c:\xfrfllf.exec:\xfrfllf.exe79⤵
-
\??\c:\bhhnbh.exec:\bhhnbh.exe80⤵
-
\??\c:\9hhbtb.exec:\9hhbtb.exe81⤵
-
\??\c:\vpdjj.exec:\vpdjj.exe82⤵
-
\??\c:\jjpvp.exec:\jjpvp.exe83⤵
-
\??\c:\llflxxf.exec:\llflxxf.exe84⤵
-
\??\c:\flllffx.exec:\flllffx.exe85⤵
-
\??\c:\hhnbtb.exec:\hhnbtb.exe86⤵
-
\??\c:\tntnnb.exec:\tntnnb.exe87⤵
-
\??\c:\hhhnnt.exec:\hhhnnt.exe88⤵
-
\??\c:\ppvvd.exec:\ppvvd.exe89⤵
-
\??\c:\xfxfrfr.exec:\xfxfrfr.exe90⤵
-
\??\c:\5lllxrl.exec:\5lllxrl.exe91⤵
-
\??\c:\nbthht.exec:\nbthht.exe92⤵
-
\??\c:\tththt.exec:\tththt.exe93⤵
-
\??\c:\hbtbht.exec:\hbtbht.exe94⤵
-
\??\c:\dvvjp.exec:\dvvjp.exe95⤵
-
\??\c:\jjdvv.exec:\jjdvv.exe96⤵
-
\??\c:\rrlrxll.exec:\rrlrxll.exe97⤵
-
\??\c:\xflrlxl.exec:\xflrlxl.exe98⤵
-
\??\c:\9hhnbt.exec:\9hhnbt.exe99⤵
-
\??\c:\nbbtnh.exec:\nbbtnh.exe100⤵
-
\??\c:\ddppd.exec:\ddppd.exe101⤵
-
\??\c:\djppp.exec:\djppp.exe102⤵
-
\??\c:\5llxxrl.exec:\5llxxrl.exe103⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xxrlfrl.exec:\xxrlfrl.exe104⤵
-
\??\c:\htntbh.exec:\htntbh.exe105⤵
-
\??\c:\hbthtb.exec:\hbthtb.exe106⤵
-
\??\c:\ddpdp.exec:\ddpdp.exe107⤵
-
\??\c:\jjjdv.exec:\jjjdv.exe108⤵
-
\??\c:\fxlrflf.exec:\fxlrflf.exe109⤵
-
\??\c:\rxrflxr.exec:\rxrflxr.exe110⤵
-
\??\c:\5tnbnn.exec:\5tnbnn.exe111⤵
-
\??\c:\bbbnnb.exec:\bbbnnb.exe112⤵
-
\??\c:\9vdpd.exec:\9vdpd.exe113⤵
-
\??\c:\pjpdp.exec:\pjpdp.exe114⤵
-
\??\c:\9ffrrll.exec:\9ffrrll.exe115⤵
-
\??\c:\rxxrllf.exec:\rxxrllf.exe116⤵
-
\??\c:\1tbbnt.exec:\1tbbnt.exe117⤵
-
\??\c:\nhbnth.exec:\nhbnth.exe118⤵
-
\??\c:\ppddd.exec:\ppddd.exe119⤵
-
\??\c:\vdvjp.exec:\vdvjp.exe120⤵
-
\??\c:\lrlllxr.exec:\lrlllxr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-