Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
07/09/2024, 21:57
General
-
Target
59f472db4e131e4e644497840a1d2c0fea1557dab2de620e0d6f437b90d4d964.exe
-
Size
106KB
-
MD5
c670a3012341143aa2ceb3fd8aa54400
-
SHA1
fb5b81271c13e3e640af0fa7eddc8e0cd18f9efb
-
SHA256
59f472db4e131e4e644497840a1d2c0fea1557dab2de620e0d6f437b90d4d964
-
SHA512
3861c6461b016e102039af447654635dc6c92a57973ef20b7ac80322766f4a1bcf5c1098b33a6d47c0b6bbeaa7f6e3beffce0f9dd32852c5797b1ee4447c18cf
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KVT+buwUGu3P3CmW:n3C9BRo7MlrWKVT+buBGu3PHW
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\59f472db4e131e4e644497840a1d2c0fea1557dab2de620e0d6f437b90d4d964.exe"C:\Users\Admin\AppData\Local\Temp\59f472db4e131e4e644497840a1d2c0fea1557dab2de620e0d6f437b90d4d964.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnbth.exec:\nnnbth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhthb.exec:\tbhthb.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjdp.exec:\pvjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlxrfx.exec:\rrlxrfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bbbnt.exec:\1bbbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppvd.exec:\vppvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxffff.exec:\xxxffff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtthn.exec:\nhtthn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpvj.exec:\vvpvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jvjp.exec:\9jvjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxflrl.exec:\fxxflrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrfrxx.exec:\lfrfrxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnthn.exec:\ttnthn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpjv.exec:\jdpjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjjv.exec:\jjjjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxflrl.exec:\rfxflrl.exe17⤵
- Executes dropped EXE
-
\??\c:\ffrfrfr.exec:\ffrfrfr.exe18⤵
- Executes dropped EXE
-
\??\c:\nhbntb.exec:\nhbntb.exe19⤵
- Executes dropped EXE
-
\??\c:\1dpvd.exec:\1dpvd.exe20⤵
- Executes dropped EXE
-
\??\c:\3pdjp.exec:\3pdjp.exe21⤵
- Executes dropped EXE
-
\??\c:\lfrxrff.exec:\lfrxrff.exe22⤵
- Executes dropped EXE
-
\??\c:\rlfrlrf.exec:\rlfrlrf.exe23⤵
- Executes dropped EXE
-
\??\c:\5hthnn.exec:\5hthnn.exe24⤵
- Executes dropped EXE
-
\??\c:\vpjvp.exec:\vpjvp.exe25⤵
- Executes dropped EXE
-
\??\c:\jjvjp.exec:\jjvjp.exe26⤵
- Executes dropped EXE
-
\??\c:\rlxlrxl.exec:\rlxlrxl.exe27⤵
- Executes dropped EXE
-
\??\c:\9rffxlx.exec:\9rffxlx.exe28⤵
- Executes dropped EXE
-
\??\c:\bbnntb.exec:\bbnntb.exe29⤵
- Executes dropped EXE
-
\??\c:\hnnbth.exec:\hnnbth.exe30⤵
- Executes dropped EXE
-
\??\c:\9jjpd.exec:\9jjpd.exe31⤵
- Executes dropped EXE
-
\??\c:\vpjvj.exec:\vpjvj.exe32⤵
- Executes dropped EXE
-
\??\c:\9fflrxl.exec:\9fflrxl.exe33⤵
- Executes dropped EXE
-
\??\c:\frrlrxl.exec:\frrlrxl.exe34⤵
- Executes dropped EXE
-
\??\c:\hbttbn.exec:\hbttbn.exe35⤵
- Executes dropped EXE
-
\??\c:\1vvvp.exec:\1vvvp.exe36⤵
- Executes dropped EXE
-
\??\c:\vjpjp.exec:\vjpjp.exe37⤵
- Executes dropped EXE
-
\??\c:\tttbnn.exec:\tttbnn.exe38⤵
- Executes dropped EXE
-
\??\c:\vdjdj.exec:\vdjdj.exe39⤵
- Executes dropped EXE
-
\??\c:\jvddj.exec:\jvddj.exe40⤵
- Executes dropped EXE
-
\??\c:\1ppvp.exec:\1ppvp.exe41⤵
- Executes dropped EXE
-
\??\c:\fxlrrfr.exec:\fxlrrfr.exe42⤵
- Executes dropped EXE
-
\??\c:\9rrfrlx.exec:\9rrfrlx.exe43⤵
- Executes dropped EXE
-
\??\c:\ttnbth.exec:\ttnbth.exe44⤵
- Executes dropped EXE
-
\??\c:\7hnbnt.exec:\7hnbnt.exe45⤵
- Executes dropped EXE
-
\??\c:\pvpdp.exec:\pvpdp.exe46⤵
- Executes dropped EXE
-
\??\c:\ddjpj.exec:\ddjpj.exe47⤵
- Executes dropped EXE
-
\??\c:\rrrrflx.exec:\rrrrflx.exe48⤵
- Executes dropped EXE
-
\??\c:\rlrxfxl.exec:\rlrxfxl.exe49⤵
- Executes dropped EXE
-
\??\c:\hbnttt.exec:\hbnttt.exe50⤵
- Executes dropped EXE
-
\??\c:\9btbtb.exec:\9btbtb.exe51⤵
- Executes dropped EXE
-
\??\c:\7vdjd.exec:\7vdjd.exe52⤵
- Executes dropped EXE
-
\??\c:\1dpvp.exec:\1dpvp.exe53⤵
- Executes dropped EXE
-
\??\c:\xxffrfx.exec:\xxffrfx.exe54⤵
- Executes dropped EXE
-
\??\c:\bbnnhn.exec:\bbnnhn.exe55⤵
- Executes dropped EXE
-
\??\c:\nhtbhn.exec:\nhtbhn.exe56⤵
- Executes dropped EXE
-
\??\c:\nnthtb.exec:\nnthtb.exe57⤵
- Executes dropped EXE
-
\??\c:\pjvpj.exec:\pjvpj.exe58⤵
- Executes dropped EXE
-
\??\c:\lrfrlff.exec:\lrfrlff.exe59⤵
- Executes dropped EXE
-
\??\c:\lrfxlfl.exec:\lrfxlfl.exe60⤵
- Executes dropped EXE
-
\??\c:\tbtbnb.exec:\tbtbnb.exe61⤵
- Executes dropped EXE
-
\??\c:\7bnntt.exec:\7bnntt.exe62⤵
- Executes dropped EXE
-
\??\c:\5tthtb.exec:\5tthtb.exe63⤵
- Executes dropped EXE
-
\??\c:\3dvjj.exec:\3dvjj.exe64⤵
- Executes dropped EXE
-
\??\c:\vvpdj.exec:\vvpdj.exe65⤵
- Executes dropped EXE
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe66⤵
-
\??\c:\fxlrflr.exec:\fxlrflr.exe67⤵
-
\??\c:\hnbhbt.exec:\hnbhbt.exe68⤵
-
\??\c:\nhhhnn.exec:\nhhhnn.exe69⤵
-
\??\c:\5jjjv.exec:\5jjjv.exe70⤵
-
\??\c:\ppppj.exec:\ppppj.exe71⤵
-
\??\c:\llfrxfr.exec:\llfrxfr.exe72⤵
-
\??\c:\llflflr.exec:\llflflr.exe73⤵
-
\??\c:\bbhtnb.exec:\bbhtnb.exe74⤵
-
\??\c:\bbtthn.exec:\bbtthn.exe75⤵
-
\??\c:\ppdvp.exec:\ppdvp.exe76⤵
-
\??\c:\1dvdd.exec:\1dvdd.exe77⤵
-
\??\c:\pjddv.exec:\pjddv.exe78⤵
-
\??\c:\fxxxrfr.exec:\fxxxrfr.exe79⤵
-
\??\c:\fflfxxx.exec:\fflfxxx.exe80⤵
-
\??\c:\btbnnb.exec:\btbnnb.exe81⤵
-
\??\c:\9ntbtb.exec:\9ntbtb.exe82⤵
-
\??\c:\pjdvp.exec:\pjdvp.exe83⤵
-
\??\c:\vvpvp.exec:\vvpvp.exe84⤵
-
\??\c:\dvpdj.exec:\dvpdj.exe85⤵
-
\??\c:\fflflfl.exec:\fflflfl.exe86⤵
-
\??\c:\xxlrlrl.exec:\xxlrlrl.exe87⤵
-
\??\c:\1btnbn.exec:\1btnbn.exe88⤵
-
\??\c:\3bbnht.exec:\3bbnht.exe89⤵
-
\??\c:\djjvj.exec:\djjvj.exe90⤵
-
\??\c:\vvjjj.exec:\vvjjj.exe91⤵
-
\??\c:\dvjpd.exec:\dvjpd.exe92⤵
-
\??\c:\rlllrxf.exec:\rlllrxf.exe93⤵
-
\??\c:\lfrlxxl.exec:\lfrlxxl.exe94⤵
-
\??\c:\tbthbh.exec:\tbthbh.exe95⤵
-
\??\c:\hbtbbh.exec:\hbtbbh.exe96⤵
-
\??\c:\vpdvp.exec:\vpdvp.exe97⤵
-
\??\c:\3vppj.exec:\3vppj.exe98⤵
-
\??\c:\rlllxlf.exec:\rlllxlf.exe99⤵
-
\??\c:\rxflrll.exec:\rxflrll.exe100⤵
-
\??\c:\bbbbnn.exec:\bbbbnn.exe101⤵
-
\??\c:\hthnbn.exec:\hthnbn.exe102⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe103⤵
-
\??\c:\vpjpj.exec:\vpjpj.exe104⤵
-
\??\c:\rrlxlrf.exec:\rrlxlrf.exe105⤵
-
\??\c:\llxlrxr.exec:\llxlrxr.exe106⤵
-
\??\c:\nhthth.exec:\nhthth.exe107⤵
-
\??\c:\dvdvj.exec:\dvdvj.exe108⤵
-
\??\c:\ppvdv.exec:\ppvdv.exe109⤵
-
\??\c:\rrxxfrl.exec:\rrxxfrl.exe110⤵
-
\??\c:\lrlxrff.exec:\lrlxrff.exe111⤵
-
\??\c:\nhbhnh.exec:\nhbhnh.exe112⤵
-
\??\c:\nnbnbt.exec:\nnbnbt.exe113⤵
-
\??\c:\ddjpp.exec:\ddjpp.exe114⤵
-
\??\c:\jjjvp.exec:\jjjvp.exe115⤵
-
\??\c:\hbtbnn.exec:\hbtbnn.exe116⤵
-
\??\c:\hhnntb.exec:\hhnntb.exe117⤵
-
\??\c:\ddvdd.exec:\ddvdd.exe118⤵
-
\??\c:\dvjpj.exec:\dvjpj.exe119⤵
-
\??\c:\lfxlxfr.exec:\lfxlxfr.exe120⤵
-
\??\c:\ttnthn.exec:\ttnthn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-