Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
06/09/2024, 16:27
General
-
Target
490e934f46974786dab38398928dc4f0N.exe
-
Size
106KB
-
MD5
490e934f46974786dab38398928dc4f0
-
SHA1
ed18d4739888f3844bcaf8a372c405b7414013a2
-
SHA256
aff61582365b4b40262a068c03faf58711e3c58febc67a8009c2c4c7c0c11da3
-
SHA512
954f945ca0ad67512d132463ca48667d8fae70d40e2a8884dcfb789a2bcc499c1541fbe9f4a0fb2c7b43c891c0f728fc0f2410fdd52654d8ea73f7c074d8b9b3
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KVT+buwUGu3P3CmC+:n3C9BRo7MlrWKVT+buBGu3PHC+
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\490e934f46974786dab38398928dc4f0N.exe"C:\Users\Admin\AppData\Local\Temp\490e934f46974786dab38398928dc4f0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\20600.exec:\20600.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflrrxf.exec:\lflrrxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfxlfx.exec:\frfxlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ththtn.exec:\ththtn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\042284.exec:\042284.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e42888.exec:\e42888.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04240.exec:\04240.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\868800.exec:\868800.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\088204.exec:\088204.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjppv.exec:\jjppv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jpvj.exec:\9jpvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e86806.exec:\e86806.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\42400.exec:\42400.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\486622.exec:\486622.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlffllr.exec:\rlffllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfflxfl.exec:\lfflxfl.exe17⤵
- Executes dropped EXE
-
\??\c:\4262444.exec:\4262444.exe18⤵
- Executes dropped EXE
-
\??\c:\nbnttt.exec:\nbnttt.exe19⤵
- Executes dropped EXE
-
\??\c:\9tttbh.exec:\9tttbh.exe20⤵
- Executes dropped EXE
-
\??\c:\42002.exec:\42002.exe21⤵
- Executes dropped EXE
-
\??\c:\822804.exec:\822804.exe22⤵
- Executes dropped EXE
-
\??\c:\pjvvj.exec:\pjvvj.exe23⤵
- Executes dropped EXE
-
\??\c:\dpdvp.exec:\dpdvp.exe24⤵
- Executes dropped EXE
-
\??\c:\tbtntn.exec:\tbtntn.exe25⤵
- Executes dropped EXE
-
\??\c:\5hbnht.exec:\5hbnht.exe26⤵
- Executes dropped EXE
-
\??\c:\602244.exec:\602244.exe27⤵
- Executes dropped EXE
-
\??\c:\1pvvv.exec:\1pvvv.exe28⤵
- Executes dropped EXE
-
\??\c:\7hbbnh.exec:\7hbbnh.exe29⤵
- Executes dropped EXE
-
\??\c:\6806224.exec:\6806224.exe30⤵
- Executes dropped EXE
-
\??\c:\006266.exec:\006266.exe31⤵
- Executes dropped EXE
-
\??\c:\824844.exec:\824844.exe32⤵
- Executes dropped EXE
-
\??\c:\6848488.exec:\6848488.exe33⤵
- Executes dropped EXE
-
\??\c:\u602468.exec:\u602468.exe34⤵
- Executes dropped EXE
-
\??\c:\060486.exec:\060486.exe35⤵
- Executes dropped EXE
-
\??\c:\nnbhhn.exec:\nnbhhn.exe36⤵
- Executes dropped EXE
-
\??\c:\20624.exec:\20624.exe37⤵
- Executes dropped EXE
-
\??\c:\xxrxllx.exec:\xxrxllx.exe38⤵
- Executes dropped EXE
-
\??\c:\tnbtnn.exec:\tnbtnn.exe39⤵
- Executes dropped EXE
-
\??\c:\u600008.exec:\u600008.exe40⤵
- Executes dropped EXE
-
\??\c:\llfrxrf.exec:\llfrxrf.exe41⤵
- Executes dropped EXE
-
\??\c:\82446.exec:\82446.exe42⤵
- Executes dropped EXE
-
\??\c:\2684280.exec:\2684280.exe43⤵
- Executes dropped EXE
-
\??\c:\9fflrxf.exec:\9fflrxf.exe44⤵
- Executes dropped EXE
-
\??\c:\06266.exec:\06266.exe45⤵
- Executes dropped EXE
-
\??\c:\486462.exec:\486462.exe46⤵
- Executes dropped EXE
-
\??\c:\48062.exec:\48062.exe47⤵
- Executes dropped EXE
-
\??\c:\lxllffx.exec:\lxllffx.exe48⤵
- Executes dropped EXE
-
\??\c:\fflrllr.exec:\fflrllr.exe49⤵
- Executes dropped EXE
-
\??\c:\pjvdp.exec:\pjvdp.exe50⤵
- Executes dropped EXE
-
\??\c:\rrfllxl.exec:\rrfllxl.exe51⤵
- Executes dropped EXE
-
\??\c:\04280.exec:\04280.exe52⤵
- Executes dropped EXE
-
\??\c:\ffllxxl.exec:\ffllxxl.exe53⤵
- Executes dropped EXE
-
\??\c:\1vjvd.exec:\1vjvd.exe54⤵
- Executes dropped EXE
-
\??\c:\8262468.exec:\8262468.exe55⤵
- Executes dropped EXE
-
\??\c:\04808.exec:\04808.exe56⤵
- Executes dropped EXE
-
\??\c:\9dvpj.exec:\9dvpj.exe57⤵
- Executes dropped EXE
-
\??\c:\4824406.exec:\4824406.exe58⤵
- Executes dropped EXE
-
\??\c:\1vvpd.exec:\1vvpd.exe59⤵
- Executes dropped EXE
-
\??\c:\hbtntb.exec:\hbtntb.exe60⤵
- Executes dropped EXE
-
\??\c:\86246.exec:\86246.exe61⤵
- Executes dropped EXE
-
\??\c:\4868468.exec:\4868468.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\vvpvp.exec:\vvpvp.exe63⤵
- Executes dropped EXE
-
\??\c:\vvjvj.exec:\vvjvj.exe64⤵
- Executes dropped EXE
-
\??\c:\26280.exec:\26280.exe65⤵
- Executes dropped EXE
-
\??\c:\3ntbtn.exec:\3ntbtn.exe66⤵
-
\??\c:\9bbhbh.exec:\9bbhbh.exe67⤵
-
\??\c:\a6068.exec:\a6068.exe68⤵
- System Location Discovery: System Language Discovery
-
\??\c:\a6402.exec:\a6402.exe69⤵
-
\??\c:\xxrfxfx.exec:\xxrfxfx.exe70⤵
-
\??\c:\ttntbn.exec:\ttntbn.exe71⤵
-
\??\c:\060028.exec:\060028.exe72⤵
-
\??\c:\04006.exec:\04006.exe73⤵
-
\??\c:\xxrxffl.exec:\xxrxffl.exe74⤵
-
\??\c:\04242.exec:\04242.exe75⤵
-
\??\c:\482402.exec:\482402.exe76⤵
-
\??\c:\hnnhbn.exec:\hnnhbn.exe77⤵
-
\??\c:\9ttthn.exec:\9ttthn.exe78⤵
-
\??\c:\26428.exec:\26428.exe79⤵
-
\??\c:\lfllrxf.exec:\lfllrxf.exe80⤵
-
\??\c:\o606220.exec:\o606220.exe81⤵
-
\??\c:\lxxrxfl.exec:\lxxrxfl.exe82⤵
-
\??\c:\s0082.exec:\s0082.exe83⤵
-
\??\c:\fffrlrf.exec:\fffrlrf.exe84⤵
-
\??\c:\60842.exec:\60842.exe85⤵
-
\??\c:\e08028.exec:\e08028.exe86⤵
-
\??\c:\fxrxlrf.exec:\fxrxlrf.exe87⤵
-
\??\c:\i460408.exec:\i460408.exe88⤵
-
\??\c:\e04080.exec:\e04080.exe89⤵
-
\??\c:\26020.exec:\26020.exe90⤵
-
\??\c:\tnhttt.exec:\tnhttt.exe91⤵
-
\??\c:\ddpdj.exec:\ddpdj.exe92⤵
-
\??\c:\886022.exec:\886022.exe93⤵
-
\??\c:\008684.exec:\008684.exe94⤵
-
\??\c:\lfrlrrr.exec:\lfrlrrr.exe95⤵
-
\??\c:\xlrxxxl.exec:\xlrxxxl.exe96⤵
-
\??\c:\rrrflrr.exec:\rrrflrr.exe97⤵
-
\??\c:\g0884.exec:\g0884.exe98⤵
-
\??\c:\282880.exec:\282880.exe99⤵
-
\??\c:\lfrxxfr.exec:\lfrxxfr.exe100⤵
-
\??\c:\nhtbnt.exec:\nhtbnt.exe101⤵
-
\??\c:\7pjpp.exec:\7pjpp.exe102⤵
-
\??\c:\0848602.exec:\0848602.exe103⤵
-
\??\c:\824060.exec:\824060.exe104⤵
-
\??\c:\rlrllfl.exec:\rlrllfl.exe105⤵
-
\??\c:\fxlxffl.exec:\fxlxffl.exe106⤵
-
\??\c:\1jvpp.exec:\1jvpp.exe107⤵
-
\??\c:\6640880.exec:\6640880.exe108⤵
-
\??\c:\nbbbnb.exec:\nbbbnb.exe109⤵
-
\??\c:\9jvvv.exec:\9jvvv.exe110⤵
-
\??\c:\2628000.exec:\2628000.exe111⤵
-
\??\c:\nnnhbt.exec:\nnnhbt.exe112⤵
-
\??\c:\08044.exec:\08044.exe113⤵
-
\??\c:\nhbnbt.exec:\nhbnbt.exe114⤵
-
\??\c:\fxrrxfr.exec:\fxrrxfr.exe115⤵
-
\??\c:\82628.exec:\82628.exe116⤵
-
\??\c:\dpppd.exec:\dpppd.exe117⤵
-
\??\c:\1ppdd.exec:\1ppdd.exe118⤵
-
\??\c:\0800222.exec:\0800222.exe119⤵
-
\??\c:\9vjdj.exec:\9vjdj.exe120⤵
-
\??\c:\q68882.exec:\q68882.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-