Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
05/09/2024, 13:10
General
-
Target
95cc35dc4b0467c6803c09f0511bff20N.exe
-
Size
82KB
-
MD5
95cc35dc4b0467c6803c09f0511bff20
-
SHA1
7e450267b168828cf70dc957c9df1ebdec08a9a0
-
SHA256
8112ff3c2918f04c162df37fc1fc7026d0512e321659e4568319d7149d266d2f
-
SHA512
ca2b556b396e40a26bccd22497ff62d9e8f6094dcd7181bac713ead18186cf6eda30328c6a4aa926a70e1ecfc40aa2eb1b39bafcbfa2af69ac4a2196a273b45e
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89QD:ymb3NkkiQ3mdBjFIIp9L9QrrA8S
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\95cc35dc4b0467c6803c09f0511bff20N.exe"C:\Users\Admin\AppData\Local\Temp\95cc35dc4b0467c6803c09f0511bff20N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\k20408.exec:\k20408.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hbbhh.exec:\9hbbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvd.exec:\dvpvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxlrll.exec:\xrxlrll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\226200.exec:\226200.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o480884.exec:\o480884.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbbnt.exec:\hhbbnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a2666.exec:\a2666.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\604482.exec:\604482.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntttbn.exec:\ntttbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhnbn.exec:\tnhnbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\46288.exec:\46288.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0846884.exec:\0846884.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\44624.exec:\44624.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbbtb.exec:\bnbbtb.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\9bttbb.exec:\9bttbb.exe17⤵
- Executes dropped EXE
-
\??\c:\082422.exec:\082422.exe18⤵
- Executes dropped EXE
-
\??\c:\4068682.exec:\4068682.exe19⤵
- Executes dropped EXE
-
\??\c:\7ppvj.exec:\7ppvj.exe20⤵
- Executes dropped EXE
-
\??\c:\jdjpv.exec:\jdjpv.exe21⤵
- Executes dropped EXE
-
\??\c:\e08200.exec:\e08200.exe22⤵
- Executes dropped EXE
-
\??\c:\602806.exec:\602806.exe23⤵
- Executes dropped EXE
-
\??\c:\hththn.exec:\hththn.exe24⤵
- Executes dropped EXE
-
\??\c:\vpjjv.exec:\vpjjv.exe25⤵
- Executes dropped EXE
-
\??\c:\7xlllrf.exec:\7xlllrf.exe26⤵
- Executes dropped EXE
-
\??\c:\hbbhnt.exec:\hbbhnt.exe27⤵
- Executes dropped EXE
-
\??\c:\jjpjp.exec:\jjpjp.exe28⤵
- Executes dropped EXE
-
\??\c:\204406.exec:\204406.exe29⤵
- Executes dropped EXE
-
\??\c:\s0806.exec:\s0806.exe30⤵
- Executes dropped EXE
-
\??\c:\u600628.exec:\u600628.exe31⤵
- Executes dropped EXE
-
\??\c:\k08062.exec:\k08062.exe32⤵
- Executes dropped EXE
-
\??\c:\rlxfxrx.exec:\rlxfxrx.exe33⤵
- Executes dropped EXE
-
\??\c:\thntnn.exec:\thntnn.exe34⤵
-
\??\c:\rlrrlll.exec:\rlrrlll.exe35⤵
- Executes dropped EXE
-
\??\c:\20662.exec:\20662.exe36⤵
- Executes dropped EXE
-
\??\c:\q40628.exec:\q40628.exe37⤵
- Executes dropped EXE
-
\??\c:\002288.exec:\002288.exe38⤵
- Executes dropped EXE
-
\??\c:\lfxffrf.exec:\lfxffrf.exe39⤵
- Executes dropped EXE
-
\??\c:\668488.exec:\668488.exe40⤵
- Executes dropped EXE
-
\??\c:\lxxxllr.exec:\lxxxllr.exe41⤵
- Executes dropped EXE
-
\??\c:\pjjvd.exec:\pjjvd.exe42⤵
- Executes dropped EXE
-
\??\c:\vvjjj.exec:\vvjjj.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nbnttn.exec:\nbnttn.exe44⤵
- Executes dropped EXE
-
\??\c:\bbnthn.exec:\bbnthn.exe45⤵
- Executes dropped EXE
-
\??\c:\0862862.exec:\0862862.exe46⤵
- Executes dropped EXE
-
\??\c:\w68422.exec:\w68422.exe47⤵
- Executes dropped EXE
-
\??\c:\0666648.exec:\0666648.exe48⤵
- Executes dropped EXE
-
\??\c:\9bbbbb.exec:\9bbbbb.exe49⤵
- Executes dropped EXE
-
\??\c:\w82284.exec:\w82284.exe50⤵
- Executes dropped EXE
-
\??\c:\0006460.exec:\0006460.exe51⤵
- Executes dropped EXE
-
\??\c:\bthhnt.exec:\bthhnt.exe52⤵
- Executes dropped EXE
-
\??\c:\2208664.exec:\2208664.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hhnbnt.exec:\hhnbnt.exe54⤵
- Executes dropped EXE
-
\??\c:\vvpvd.exec:\vvpvd.exe55⤵
- Executes dropped EXE
-
\??\c:\0422222.exec:\0422222.exe56⤵
- Executes dropped EXE
-
\??\c:\7rfxrfx.exec:\7rfxrfx.exe57⤵
- Executes dropped EXE
-
\??\c:\9hbbhn.exec:\9hbbhn.exe58⤵
- Executes dropped EXE
-
\??\c:\dvpvp.exec:\dvpvp.exe59⤵
- Executes dropped EXE
-
\??\c:\86884.exec:\86884.exe60⤵
- Executes dropped EXE
-
\??\c:\rlllrlr.exec:\rlllrlr.exe61⤵
- Executes dropped EXE
-
\??\c:\bthtnh.exec:\bthtnh.exe62⤵
- Executes dropped EXE
-
\??\c:\rffflfx.exec:\rffflfx.exe63⤵
- Executes dropped EXE
-
\??\c:\dpjjv.exec:\dpjjv.exe64⤵
- Executes dropped EXE
-
\??\c:\xrrxlrx.exec:\xrrxlrx.exe65⤵
- Executes dropped EXE
-
\??\c:\jdpdv.exec:\jdpdv.exe66⤵
- Executes dropped EXE
-
\??\c:\88068.exec:\88068.exe67⤵
-
\??\c:\nhnbnb.exec:\nhnbnb.exe68⤵
-
\??\c:\424066.exec:\424066.exe69⤵
-
\??\c:\6862222.exec:\6862222.exe70⤵
-
\??\c:\vppjp.exec:\vppjp.exe71⤵
-
\??\c:\a4662.exec:\a4662.exe72⤵
-
\??\c:\08622.exec:\08622.exe73⤵
-
\??\c:\vpjpd.exec:\vpjpd.exe74⤵
-
\??\c:\4288800.exec:\4288800.exe75⤵
-
\??\c:\fxfflxf.exec:\fxfflxf.exe76⤵
-
\??\c:\xlxxfll.exec:\xlxxfll.exe77⤵
-
\??\c:\jdddd.exec:\jdddd.exe78⤵
-
\??\c:\thnnbt.exec:\thnnbt.exe79⤵
-
\??\c:\086648.exec:\086648.exe80⤵
-
\??\c:\3dpvd.exec:\3dpvd.exe81⤵
-
\??\c:\w20060.exec:\w20060.exe82⤵
-
\??\c:\24044.exec:\24044.exe83⤵
-
\??\c:\042864.exec:\042864.exe84⤵
-
\??\c:\0800280.exec:\0800280.exe85⤵
-
\??\c:\lrlxxrf.exec:\lrlxxrf.exe86⤵
-
\??\c:\42480.exec:\42480.exe87⤵
-
\??\c:\jvdjj.exec:\jvdjj.exe88⤵
-
\??\c:\3pjpv.exec:\3pjpv.exe89⤵
-
\??\c:\a8282.exec:\a8282.exe90⤵
-
\??\c:\462660.exec:\462660.exe91⤵
-
\??\c:\q20402.exec:\q20402.exe92⤵
-
\??\c:\fxrrlll.exec:\fxrrlll.exe93⤵
-
\??\c:\i628226.exec:\i628226.exe94⤵
-
\??\c:\9frrrrl.exec:\9frrrrl.exe95⤵
-
\??\c:\g0668.exec:\g0668.exe96⤵
-
\??\c:\rrxfxrf.exec:\rrxfxrf.exe97⤵
-
\??\c:\448208.exec:\448208.exe98⤵
-
\??\c:\jdpjp.exec:\jdpjp.exe99⤵
-
\??\c:\466204.exec:\466204.exe100⤵
-
\??\c:\nhtbtt.exec:\nhtbtt.exe101⤵
-
\??\c:\04242.exec:\04242.exe102⤵
-
\??\c:\hbtnnn.exec:\hbtnnn.exe103⤵
-
\??\c:\nhbntb.exec:\nhbntb.exe104⤵
-
\??\c:\nbhbbb.exec:\nbhbbb.exe105⤵
-
\??\c:\7hhbnt.exec:\7hhbnt.exe106⤵
-
\??\c:\3bnntt.exec:\3bnntt.exe107⤵
-
\??\c:\jvdvd.exec:\jvdvd.exe108⤵
-
\??\c:\nbbhtn.exec:\nbbhtn.exe109⤵
-
\??\c:\008642.exec:\008642.exe110⤵
-
\??\c:\dpvpv.exec:\dpvpv.exe111⤵
-
\??\c:\vppjv.exec:\vppjv.exe112⤵
-
\??\c:\4622226.exec:\4622226.exe113⤵
-
\??\c:\o206666.exec:\o206666.exe114⤵
-
\??\c:\m4066.exec:\m4066.exe115⤵
-
\??\c:\9vdpp.exec:\9vdpp.exe116⤵
-
\??\c:\200406.exec:\200406.exe117⤵
-
\??\c:\vjvpj.exec:\vjvpj.exe118⤵
-
\??\c:\9vppv.exec:\9vppv.exe119⤵
-
\??\c:\q02288.exec:\q02288.exe120⤵
-
\??\c:\824088.exec:\824088.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-