Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06/09/2024, 08:44
General
-
Target
e46dabac27499cf1feeee9245b19d470N.exe
-
Size
453KB
-
MD5
e46dabac27499cf1feeee9245b19d470
-
SHA1
1362e3146be3dc78dce7f2e42090fa4b841bd635
-
SHA256
59442b9ccc0711cb132e1cd178fad01e842cccc093025ae58f203dd35d2b3bcd
-
SHA512
0d203359407239b2545f1806cc2e6830e33f3f627e7fdd380377b6f080054d8bc651a0c84212d25ecc3aeb77a65df801a8860ed9e5ce80a20471c19c22c7a810
-
SSDEEP
12288:n3C9uDIPh2kkkkK4kXkkkkkkkkl888888888888888888nu:ShPh2kkkkK4kXkkkkkkkkA
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 17 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e46dabac27499cf1feeee9245b19d470N.exe"C:\Users\Admin\AppData\Local\Temp\e46dabac27499cf1feeee9245b19d470N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhbtb.exec:\bhhbtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrffxlr.exec:\xrffxlr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttbtb.exec:\bttbtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrfxrf.exec:\rxrfxrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnnht.exec:\tnnnht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xlfrrx.exec:\3xlfrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnnbh.exec:\ttnnbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbnhh.exec:\bbbnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdpd.exec:\jjdpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxxfxl.exec:\ffxxfxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjjp.exec:\vpjjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9httbt.exec:\9httbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrffxfr.exec:\rrffxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bnbnt.exec:\1bnbnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdpd.exec:\dpdpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9llflrl.exec:\9llflrl.exe17⤵
- Executes dropped EXE
-
\??\c:\ttnbtb.exec:\ttnbtb.exe18⤵
- Executes dropped EXE
-
\??\c:\pvpdj.exec:\pvpdj.exe19⤵
- Executes dropped EXE
-
\??\c:\fxlrffx.exec:\fxlrffx.exe20⤵
- Executes dropped EXE
-
\??\c:\vjvvd.exec:\vjvvd.exe21⤵
- Executes dropped EXE
-
\??\c:\xrlrxrr.exec:\xrlrxrr.exe22⤵
- Executes dropped EXE
-
\??\c:\frfxxfx.exec:\frfxxfx.exe23⤵
- Executes dropped EXE
-
\??\c:\1pvdd.exec:\1pvdd.exe24⤵
- Executes dropped EXE
-
\??\c:\jddjd.exec:\jddjd.exe25⤵
- Executes dropped EXE
-
\??\c:\nhhnth.exec:\nhhnth.exe26⤵
- Executes dropped EXE
-
\??\c:\jjdpd.exec:\jjdpd.exe27⤵
- Executes dropped EXE
-
\??\c:\xllrxfr.exec:\xllrxfr.exe28⤵
- Executes dropped EXE
-
\??\c:\pdvdp.exec:\pdvdp.exe29⤵
- Executes dropped EXE
-
\??\c:\rlrxlrx.exec:\rlrxlrx.exe30⤵
- Executes dropped EXE
-
\??\c:\xffxfxr.exec:\xffxfxr.exe31⤵
- Executes dropped EXE
-
\??\c:\nnnhht.exec:\nnnhht.exe32⤵
- Executes dropped EXE
-
\??\c:\thttnn.exec:\thttnn.exe33⤵
- Executes dropped EXE
-
\??\c:\ppddj.exec:\ppddj.exe34⤵
- Executes dropped EXE
-
\??\c:\xrfrllx.exec:\xrfrllx.exe35⤵
- Executes dropped EXE
-
\??\c:\frflffr.exec:\frflffr.exe36⤵
- Executes dropped EXE
-
\??\c:\btttbh.exec:\btttbh.exe37⤵
- Executes dropped EXE
-
\??\c:\1vppj.exec:\1vppj.exe38⤵
- Executes dropped EXE
-
\??\c:\ththhh.exec:\ththhh.exe39⤵
- Executes dropped EXE
-
\??\c:\jjvjd.exec:\jjvjd.exe40⤵
- Executes dropped EXE
-
\??\c:\xxlllrl.exec:\xxlllrl.exe41⤵
- Executes dropped EXE
-
\??\c:\ffxxrxl.exec:\ffxxrxl.exe42⤵
- Executes dropped EXE
-
\??\c:\thbhbh.exec:\thbhbh.exe43⤵
- Executes dropped EXE
-
\??\c:\9vvpd.exec:\9vvpd.exe44⤵
- Executes dropped EXE
-
\??\c:\rlffxxr.exec:\rlffxxr.exe45⤵
- Executes dropped EXE
-
\??\c:\ttthbh.exec:\ttthbh.exe46⤵
- Executes dropped EXE
-
\??\c:\1jddj.exec:\1jddj.exe47⤵
- Executes dropped EXE
-
\??\c:\3jpvd.exec:\3jpvd.exe48⤵
- Executes dropped EXE
-
\??\c:\xxrflxl.exec:\xxrflxl.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nhhbhh.exec:\nhhbhh.exe50⤵
- Executes dropped EXE
-
\??\c:\nttbht.exec:\nttbht.exe51⤵
- Executes dropped EXE
-
\??\c:\ppjvd.exec:\ppjvd.exe52⤵
- Executes dropped EXE
-
\??\c:\xxlrffr.exec:\xxlrffr.exe53⤵
- Executes dropped EXE
-
\??\c:\xxxfrfr.exec:\xxxfrfr.exe54⤵
- Executes dropped EXE
-
\??\c:\ttnbtb.exec:\ttnbtb.exe55⤵
- Executes dropped EXE
-
\??\c:\pppvp.exec:\pppvp.exe56⤵
- Executes dropped EXE
-
\??\c:\llfrxfr.exec:\llfrxfr.exe57⤵
- Executes dropped EXE
-
\??\c:\xfxlrxr.exec:\xfxlrxr.exe58⤵
- Executes dropped EXE
-
\??\c:\ththnt.exec:\ththnt.exe59⤵
- Executes dropped EXE
-
\??\c:\5djpd.exec:\5djpd.exe60⤵
- Executes dropped EXE
-
\??\c:\rxxrlxx.exec:\rxxrlxx.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\fxlrxfl.exec:\fxlrxfl.exe62⤵
- Executes dropped EXE
-
\??\c:\nhhnbh.exec:\nhhnbh.exe63⤵
- Executes dropped EXE
-
\??\c:\dvvpd.exec:\dvvpd.exe64⤵
- Executes dropped EXE
-
\??\c:\lfrlxfr.exec:\lfrlxfr.exe65⤵
- Executes dropped EXE
-
\??\c:\9lffrlr.exec:\9lffrlr.exe66⤵
-
\??\c:\nnnbnb.exec:\nnnbnb.exe67⤵
-
\??\c:\9jvpv.exec:\9jvpv.exe68⤵
-
\??\c:\pdvvv.exec:\pdvvv.exe69⤵
-
\??\c:\ffxlflf.exec:\ffxlflf.exe70⤵
-
\??\c:\bthtbh.exec:\bthtbh.exe71⤵
-
\??\c:\3hnhnn.exec:\3hnhnn.exe72⤵
-
\??\c:\pvpjv.exec:\pvpjv.exe73⤵
-
\??\c:\fxlflxl.exec:\fxlflxl.exe74⤵
-
\??\c:\lxxlffx.exec:\lxxlffx.exe75⤵
-
\??\c:\hhbnhh.exec:\hhbnhh.exe76⤵
-
\??\c:\pvppd.exec:\pvppd.exe77⤵
-
\??\c:\7fxflrx.exec:\7fxflrx.exe78⤵
-
\??\c:\rxxrfrf.exec:\rxxrfrf.exe79⤵
-
\??\c:\3btbnb.exec:\3btbnb.exe80⤵
-
\??\c:\3hnthn.exec:\3hnthn.exe81⤵
-
\??\c:\pjdpv.exec:\pjdpv.exe82⤵
-
\??\c:\rlfrfrl.exec:\rlfrfrl.exe83⤵
-
\??\c:\frflxfl.exec:\frflxfl.exe84⤵
-
\??\c:\tbnnnt.exec:\tbnnnt.exe85⤵
-
\??\c:\jddvv.exec:\jddvv.exe86⤵
-
\??\c:\lfflrxr.exec:\lfflrxr.exe87⤵
-
\??\c:\flllxxl.exec:\flllxxl.exe88⤵
-
\??\c:\nnnbht.exec:\nnnbht.exe89⤵
-
\??\c:\ddvjd.exec:\ddvjd.exe90⤵
-
\??\c:\9vpjv.exec:\9vpjv.exe91⤵
-
\??\c:\7fllxfl.exec:\7fllxfl.exe92⤵
-
\??\c:\hhthbn.exec:\hhthbn.exe93⤵
-
\??\c:\bhthtb.exec:\bhthtb.exe94⤵
-
\??\c:\ppdpd.exec:\ppdpd.exe95⤵
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe96⤵
-
\??\c:\7ntnbn.exec:\7ntnbn.exe97⤵
-
\??\c:\hbnhbt.exec:\hbnhbt.exe98⤵
-
\??\c:\1pddv.exec:\1pddv.exe99⤵
-
\??\c:\fxrxlrf.exec:\fxrxlrf.exe100⤵
-
\??\c:\rllxflf.exec:\rllxflf.exe101⤵
-
\??\c:\bttbnt.exec:\bttbnt.exe102⤵
-
\??\c:\jdpjv.exec:\jdpjv.exe103⤵
-
\??\c:\dpvdd.exec:\dpvdd.exe104⤵
-
\??\c:\xrrxrxl.exec:\xrrxrxl.exe105⤵
-
\??\c:\ththht.exec:\ththht.exe106⤵
-
\??\c:\nhhnnt.exec:\nhhnnt.exe107⤵
-
\??\c:\vvpdd.exec:\vvpdd.exe108⤵
-
\??\c:\rrrxlrl.exec:\rrrxlrl.exe109⤵
-
\??\c:\xrrxlxr.exec:\xrrxlxr.exe110⤵
-
\??\c:\hbthbb.exec:\hbthbb.exe111⤵
-
\??\c:\5hnntb.exec:\5hnntb.exe112⤵
-
\??\c:\7vpdp.exec:\7vpdp.exe113⤵
-
\??\c:\rrrlflr.exec:\rrrlflr.exe114⤵
-
\??\c:\hbttbb.exec:\hbttbb.exe115⤵
-
\??\c:\httbnt.exec:\httbnt.exe116⤵
-
\??\c:\1vpdp.exec:\1vpdp.exe117⤵
-
\??\c:\ffxflrx.exec:\ffxflrx.exe118⤵
-
\??\c:\flxrllx.exec:\flxrllx.exe119⤵
-
\??\c:\nhbhtt.exec:\nhbhtt.exe120⤵
-
\??\c:\nnhhhh.exec:\nnhhhh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-