Analysis
-
max time kernel
120s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06-09-2024 23:26
General
-
Target
6e4139af8432476340c8bdeb9fa666d0N.exe
-
Size
332KB
-
MD5
6e4139af8432476340c8bdeb9fa666d0
-
SHA1
487630b5ef0ff37ba62964e868ebebf7857c1b21
-
SHA256
8420a5edbff96330ea9e470a2211a039d7a472ad28457c354d1585d91cf0315e
-
SHA512
c31c2180256b739bfbd715a64a64c86ca84e2e5ec1099bc472bdbe0abf59b8e953ab245e7522d1cc3fbdfd7301b8232fbe57d9fc89d7f3ff7c336821697a702a
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhp:F7Tc8JdSjylh2b77BoTMA9gX59sTsuT5
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 49 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e4139af8432476340c8bdeb9fa666d0N.exe"C:\Users\Admin\AppData\Local\Temp\6e4139af8432476340c8bdeb9fa666d0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlxllf.exec:\xxlxllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpdp.exec:\ddpdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxxlrf.exec:\xrxxlrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjpd.exec:\dvjpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfxllx.exec:\rlfxllx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjvj.exec:\vvjvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5nbhth.exec:\5nbhth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbttnb.exec:\hbttnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdjv.exec:\vpdjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtnbh.exec:\hhtnbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3llfxxx.exec:\3llfxxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthntt.exec:\bthntt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjpd.exec:\ddjpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhtt.exec:\tnbhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vjvp.exec:\5vjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnbhn.exec:\bbnbhn.exe17⤵
- Executes dropped EXE
-
\??\c:\jjdvj.exec:\jjdvj.exe18⤵
- Executes dropped EXE
-
\??\c:\rffxxrf.exec:\rffxxrf.exe19⤵
- Executes dropped EXE
-
\??\c:\vvppp.exec:\vvppp.exe20⤵
- Executes dropped EXE
-
\??\c:\ffxrxxf.exec:\ffxrxxf.exe21⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe22⤵
- Executes dropped EXE
-
\??\c:\xrlxflr.exec:\xrlxflr.exe23⤵
- Executes dropped EXE
-
\??\c:\nhtntb.exec:\nhtntb.exe24⤵
- Executes dropped EXE
-
\??\c:\5xfflrf.exec:\5xfflrf.exe25⤵
- Executes dropped EXE
-
\??\c:\hbnthn.exec:\hbnthn.exe26⤵
- Executes dropped EXE
-
\??\c:\pjdpp.exec:\pjdpp.exe27⤵
- Executes dropped EXE
-
\??\c:\3htbbb.exec:\3htbbb.exe28⤵
- Executes dropped EXE
-
\??\c:\pppvv.exec:\pppvv.exe29⤵
- Executes dropped EXE
-
\??\c:\5htttb.exec:\5htttb.exe30⤵
- Executes dropped EXE
-
\??\c:\pvppd.exec:\pvppd.exe31⤵
- Executes dropped EXE
-
\??\c:\lfxrxxf.exec:\lfxrxxf.exe32⤵
- Executes dropped EXE
-
\??\c:\5pjpv.exec:\5pjpv.exe33⤵
- Executes dropped EXE
-
\??\c:\lrlfrrx.exec:\lrlfrrx.exe34⤵
- Executes dropped EXE
-
\??\c:\btnbnn.exec:\btnbnn.exe35⤵
- Executes dropped EXE
-
\??\c:\tnbhbb.exec:\tnbhbb.exe36⤵
- Executes dropped EXE
-
\??\c:\ddvpd.exec:\ddvpd.exe37⤵
- Executes dropped EXE
-
\??\c:\1lxxffl.exec:\1lxxffl.exe38⤵
- Executes dropped EXE
-
\??\c:\5htttt.exec:\5htttt.exe39⤵
- Executes dropped EXE
-
\??\c:\jjppj.exec:\jjppj.exe40⤵
- Executes dropped EXE
-
\??\c:\lrlrrrf.exec:\lrlrrrf.exe41⤵
- Executes dropped EXE
-
\??\c:\9tttbb.exec:\9tttbb.exe42⤵
- Executes dropped EXE
-
\??\c:\pjvjd.exec:\pjvjd.exe43⤵
- Executes dropped EXE
-
\??\c:\jjdjv.exec:\jjdjv.exe44⤵
- Executes dropped EXE
-
\??\c:\7lxflrx.exec:\7lxflrx.exe45⤵
- Executes dropped EXE
-
\??\c:\tbtbnt.exec:\tbtbnt.exe46⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe47⤵
- Executes dropped EXE
-
\??\c:\5frxrxf.exec:\5frxrxf.exe48⤵
- Executes dropped EXE
-
\??\c:\5btbht.exec:\5btbht.exe49⤵
- Executes dropped EXE
-
\??\c:\bbhnbb.exec:\bbhnbb.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\pvpdv.exec:\pvpdv.exe51⤵
- Executes dropped EXE
-
\??\c:\xrxxflr.exec:\xrxxflr.exe52⤵
- Executes dropped EXE
-
\??\c:\9bhtnt.exec:\9bhtnt.exe53⤵
- Executes dropped EXE
-
\??\c:\nnhthh.exec:\nnhthh.exe54⤵
- Executes dropped EXE
-
\??\c:\xrfxrxl.exec:\xrfxrxl.exe55⤵
- Executes dropped EXE
-
\??\c:\xxrrffr.exec:\xxrrffr.exe56⤵
- Executes dropped EXE
-
\??\c:\btntnt.exec:\btntnt.exe57⤵
- Executes dropped EXE
-
\??\c:\vvpdp.exec:\vvpdp.exe58⤵
- Executes dropped EXE
-
\??\c:\rrlrxxl.exec:\rrlrxxl.exe59⤵
- Executes dropped EXE
-
\??\c:\hhhtth.exec:\hhhtth.exe60⤵
- Executes dropped EXE
-
\??\c:\htnntt.exec:\htnntt.exe61⤵
- Executes dropped EXE
-
\??\c:\pjppv.exec:\pjppv.exe62⤵
- Executes dropped EXE
-
\??\c:\rxrxflx.exec:\rxrxflx.exe63⤵
- Executes dropped EXE
-
\??\c:\tnttth.exec:\tnttth.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\dpjjv.exec:\dpjjv.exe65⤵
- Executes dropped EXE
-
\??\c:\7rrfrxx.exec:\7rrfrxx.exe66⤵
-
\??\c:\5tttbb.exec:\5tttbb.exe67⤵
-
\??\c:\7nbnnt.exec:\7nbnnt.exe68⤵
-
\??\c:\vpjpv.exec:\vpjpv.exe69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\3xrlllr.exec:\3xrlllr.exe70⤵
-
\??\c:\tnnbht.exec:\tnnbht.exe71⤵
-
\??\c:\vjvvp.exec:\vjvvp.exe72⤵
-
\??\c:\jvjjp.exec:\jvjjp.exe73⤵
-
\??\c:\7xrxxfl.exec:\7xrxxfl.exe74⤵
-
\??\c:\7tbhhh.exec:\7tbhhh.exe75⤵
-
\??\c:\jjvdj.exec:\jjvdj.exe76⤵
-
\??\c:\lfrrffl.exec:\lfrrffl.exe77⤵
-
\??\c:\hhbntt.exec:\hhbntt.exe78⤵
-
\??\c:\tnhhtt.exec:\tnhhtt.exe79⤵
-
\??\c:\vpjpd.exec:\vpjpd.exe80⤵
-
\??\c:\7lrlrrx.exec:\7lrlrrx.exe81⤵
-
\??\c:\bbnntn.exec:\bbnntn.exe82⤵
-
\??\c:\tnthht.exec:\tnthht.exe83⤵
-
\??\c:\7jjpp.exec:\7jjpp.exe84⤵
-
\??\c:\jdpvp.exec:\jdpvp.exe85⤵
-
\??\c:\xrllxxr.exec:\xrllxxr.exe86⤵
-
\??\c:\tbntbn.exec:\tbntbn.exe87⤵
-
\??\c:\vvppv.exec:\vvppv.exe88⤵
-
\??\c:\9jvvd.exec:\9jvvd.exe89⤵
-
\??\c:\rlfflrl.exec:\rlfflrl.exe90⤵
-
\??\c:\bthntb.exec:\bthntb.exe91⤵
-
\??\c:\nhbhhn.exec:\nhbhhn.exe92⤵
-
\??\c:\pjjpv.exec:\pjjpv.exe93⤵
-
\??\c:\ffxfllx.exec:\ffxfllx.exe94⤵
-
\??\c:\rlflrxl.exec:\rlflrxl.exe95⤵
-
\??\c:\5bnthb.exec:\5bnthb.exe96⤵
-
\??\c:\dvdvj.exec:\dvdvj.exe97⤵
-
\??\c:\xfrxlrf.exec:\xfrxlrf.exe98⤵
-
\??\c:\xrrlrlx.exec:\xrrlrlx.exe99⤵
-
\??\c:\hhtbtb.exec:\hhtbtb.exe100⤵
-
\??\c:\vvvdv.exec:\vvvdv.exe101⤵
-
\??\c:\3rfflrr.exec:\3rfflrr.exe102⤵
-
\??\c:\llxrxrf.exec:\llxrxrf.exe103⤵
-
\??\c:\tthnbb.exec:\tthnbb.exe104⤵
-
\??\c:\5djjp.exec:\5djjp.exe105⤵
-
\??\c:\7jvjp.exec:\7jvjp.exe106⤵
-
\??\c:\rrllxxl.exec:\rrllxxl.exe107⤵
-
\??\c:\bbtthn.exec:\bbtthn.exe108⤵
-
\??\c:\nnhhtn.exec:\nnhhtn.exe109⤵
-
\??\c:\ppddp.exec:\ppddp.exe110⤵
-
\??\c:\3xrrxfr.exec:\3xrrxfr.exe111⤵
-
\??\c:\tnhhnt.exec:\tnhhnt.exe112⤵
-
\??\c:\hhbnbh.exec:\hhbnbh.exe113⤵
-
\??\c:\vpdjp.exec:\vpdjp.exe114⤵
-
\??\c:\xrllrrl.exec:\xrllrrl.exe115⤵
-
\??\c:\rlrxfrr.exec:\rlrxfrr.exe116⤵
-
\??\c:\1ththt.exec:\1ththt.exe117⤵
-
\??\c:\dvppd.exec:\dvppd.exe118⤵
-
\??\c:\fxrrrrx.exec:\fxrrrrx.exe119⤵
-
\??\c:\hbttht.exec:\hbttht.exe120⤵
-
\??\c:\dvppd.exec:\dvppd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-