Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
07/09/2024, 04:31
General
-
Target
6f8d2ec8f015ebf2ffd47a5661b883a0N.exe
-
Size
64KB
-
MD5
6f8d2ec8f015ebf2ffd47a5661b883a0
-
SHA1
85dbcc238069a0ffa892167b9e71fe66d4c962eb
-
SHA256
d93e9ea22c67c8a0d974c435e5aac21679247d607fa54eb8cb2831aca08bf0c2
-
SHA512
167f7e1f6ed61d5123aa4687c4a26dd5efaa660ca3513570fb72677cc024bd9a0683c5ec300e6539a7a7f8615e0c646deb859c9bf7ddd5e54ed07c0674f87fa0
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Cz:ymb3NkkiQ3mdBjFI9jz
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f8d2ec8f015ebf2ffd47a5661b883a0N.exe"C:\Users\Admin\AppData\Local\Temp\6f8d2ec8f015ebf2ffd47a5661b883a0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rvdfjr.exec:\rvdfjr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vhdxbf.exec:\vhdxbf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rjxplhd.exec:\rjxplhd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bdfnlbt.exec:\bdfnlbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xbbnx.exec:\xbbnx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xtvxdh.exec:\xtvxdh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vhfvxn.exec:\vhfvxn.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\vtxbjxv.exec:\vtxbjxv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddxblrr.exec:\ddxblrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lhbxfxr.exec:\lhbxfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lljtdjx.exec:\lljtdjx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpxbh.exec:\dpxbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bppnfd.exec:\bppnfd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jhprt.exec:\jhprt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxbxn.exec:\llxbxn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddnxddr.exec:\ddnxddr.exe17⤵
- Executes dropped EXE
-
\??\c:\jxvxxfd.exec:\jxvxxfd.exe18⤵
- Executes dropped EXE
-
\??\c:\fxrtjp.exec:\fxrtjp.exe19⤵
- Executes dropped EXE
-
\??\c:\ljfhtb.exec:\ljfhtb.exe20⤵
- Executes dropped EXE
-
\??\c:\ddtrbf.exec:\ddtrbf.exe21⤵
- Executes dropped EXE
-
\??\c:\hblbxhx.exec:\hblbxhx.exe22⤵
- Executes dropped EXE
-
\??\c:\lxrht.exec:\lxrht.exe23⤵
- Executes dropped EXE
-
\??\c:\jxfjhd.exec:\jxfjhd.exe24⤵
- Executes dropped EXE
-
\??\c:\ntfrd.exec:\ntfrd.exe25⤵
- Executes dropped EXE
-
\??\c:\hhtprr.exec:\hhtprr.exe26⤵
- Executes dropped EXE
-
\??\c:\rfhxr.exec:\rfhxr.exe27⤵
- Executes dropped EXE
-
\??\c:\bbtrn.exec:\bbtrn.exe28⤵
- Executes dropped EXE
-
\??\c:\nfbfrp.exec:\nfbfrp.exe29⤵
- Executes dropped EXE
-
\??\c:\dtvpjr.exec:\dtvpjr.exe30⤵
- Executes dropped EXE
-
\??\c:\hxhjp.exec:\hxhjp.exe31⤵
- Executes dropped EXE
-
\??\c:\vldbxd.exec:\vldbxd.exe32⤵
- Executes dropped EXE
-
\??\c:\vpdnnf.exec:\vpdnnf.exe33⤵
- Executes dropped EXE
-
\??\c:\hthtvr.exec:\hthtvr.exe34⤵
- Executes dropped EXE
-
\??\c:\lrvtvx.exec:\lrvtvx.exe35⤵
- Executes dropped EXE
-
\??\c:\jrjxrnv.exec:\jrjxrnv.exe36⤵
- Executes dropped EXE
-
\??\c:\ptjnh.exec:\ptjnh.exe37⤵
- Executes dropped EXE
-
\??\c:\pprdhf.exec:\pprdhf.exe38⤵
- Executes dropped EXE
-
\??\c:\ltltj.exec:\ltltj.exe39⤵
- Executes dropped EXE
-
\??\c:\vdlhv.exec:\vdlhv.exe40⤵
- Executes dropped EXE
-
\??\c:\jtrplv.exec:\jtrplv.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\lrrdlp.exec:\lrrdlp.exe42⤵
- Executes dropped EXE
-
\??\c:\dhhrnt.exec:\dhhrnt.exe43⤵
- Executes dropped EXE
-
\??\c:\fdhht.exec:\fdhht.exe44⤵
- Executes dropped EXE
-
\??\c:\jjphhd.exec:\jjphhd.exe45⤵
- Executes dropped EXE
-
\??\c:\nrblnrt.exec:\nrblnrt.exe46⤵
- Executes dropped EXE
-
\??\c:\lfbxpd.exec:\lfbxpd.exe47⤵
- Executes dropped EXE
-
\??\c:\vhjxph.exec:\vhjxph.exe48⤵
- Executes dropped EXE
-
\??\c:\ndhbt.exec:\ndhbt.exe49⤵
- Executes dropped EXE
-
\??\c:\jrxfb.exec:\jrxfb.exe50⤵
- Executes dropped EXE
-
\??\c:\lrhrp.exec:\lrhrp.exe51⤵
- Executes dropped EXE
-
\??\c:\jvntp.exec:\jvntp.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\fhlxbb.exec:\fhlxbb.exe53⤵
- Executes dropped EXE
-
\??\c:\nbthh.exec:\nbthh.exe54⤵
- Executes dropped EXE
-
\??\c:\jpjph.exec:\jpjph.exe55⤵
- Executes dropped EXE
-
\??\c:\vfxjlpf.exec:\vfxjlpf.exe56⤵
- Executes dropped EXE
-
\??\c:\dxjbv.exec:\dxjbv.exe57⤵
- Executes dropped EXE
-
\??\c:\dldvp.exec:\dldvp.exe58⤵
- Executes dropped EXE
-
\??\c:\vrdftj.exec:\vrdftj.exe59⤵
- Executes dropped EXE
-
\??\c:\hvtpn.exec:\hvtpn.exe60⤵
- Executes dropped EXE
-
\??\c:\dlxnrx.exec:\dlxnrx.exe61⤵
- Executes dropped EXE
-
\??\c:\lfbvh.exec:\lfbvh.exe62⤵
- Executes dropped EXE
-
\??\c:\hjjpxn.exec:\hjjpxn.exe63⤵
- Executes dropped EXE
-
\??\c:\lxdbhfr.exec:\lxdbhfr.exe64⤵
- Executes dropped EXE
-
\??\c:\fxfnpt.exec:\fxfnpt.exe65⤵
- Executes dropped EXE
-
\??\c:\ffddpp.exec:\ffddpp.exe66⤵
-
\??\c:\rtfrpln.exec:\rtfrpln.exe67⤵
-
\??\c:\lfdthx.exec:\lfdthx.exe68⤵
-
\??\c:\fxlfxv.exec:\fxlfxv.exe69⤵
-
\??\c:\npjldn.exec:\npjldn.exe70⤵
-
\??\c:\flthbj.exec:\flthbj.exe71⤵
-
\??\c:\txlndhn.exec:\txlndhn.exe72⤵
-
\??\c:\htnpv.exec:\htnpv.exe73⤵
-
\??\c:\djdvfv.exec:\djdvfv.exe74⤵
-
\??\c:\lpflvxx.exec:\lpflvxx.exe75⤵
-
\??\c:\vpxpvtr.exec:\vpxpvtr.exe76⤵
-
\??\c:\xxvdf.exec:\xxvdf.exe77⤵
-
\??\c:\hpxdjp.exec:\hpxdjp.exe78⤵
- System Location Discovery: System Language Discovery
-
\??\c:\hplhv.exec:\hplhv.exe79⤵
-
\??\c:\prjtd.exec:\prjtd.exe80⤵
-
\??\c:\njvxdn.exec:\njvxdn.exe81⤵
-
\??\c:\bpnxhtr.exec:\bpnxhtr.exe82⤵
-
\??\c:\fbrxbt.exec:\fbrxbt.exe83⤵
-
\??\c:\bnvvrx.exec:\bnvvrx.exe84⤵
-
\??\c:\ljxnrv.exec:\ljxnrv.exe85⤵
-
\??\c:\vbhtpf.exec:\vbhtpf.exe86⤵
-
\??\c:\vhdxh.exec:\vhdxh.exe87⤵
-
\??\c:\lxtlj.exec:\lxtlj.exe88⤵
-
\??\c:\rpfxrbp.exec:\rpfxrbp.exe89⤵
-
\??\c:\jfhbx.exec:\jfhbx.exe90⤵
-
\??\c:\hxddx.exec:\hxddx.exe91⤵
-
\??\c:\blrdj.exec:\blrdj.exe92⤵
-
\??\c:\jtxvxbd.exec:\jtxvxbd.exe93⤵
-
\??\c:\hbpdvhn.exec:\hbpdvhn.exe94⤵
-
\??\c:\pvvfxbb.exec:\pvvfxbb.exe95⤵
-
\??\c:\rhhhd.exec:\rhhhd.exe96⤵
-
\??\c:\jvnlhp.exec:\jvnlhp.exe97⤵
-
\??\c:\fbhtj.exec:\fbhtj.exe98⤵
-
\??\c:\xpxvjp.exec:\xpxvjp.exe99⤵
-
\??\c:\xfjhj.exec:\xfjhj.exe100⤵
-
\??\c:\pfbddvb.exec:\pfbddvb.exe101⤵
-
\??\c:\ldrfhd.exec:\ldrfhd.exe102⤵
-
\??\c:\vtrtrd.exec:\vtrtrd.exe103⤵
-
\??\c:\rhfxv.exec:\rhfxv.exe104⤵
-
\??\c:\rxdddlh.exec:\rxdddlh.exe105⤵
-
\??\c:\rjbrl.exec:\rjbrl.exe106⤵
-
\??\c:\nrhrp.exec:\nrhrp.exe107⤵
-
\??\c:\jptnrb.exec:\jptnrb.exe108⤵
-
\??\c:\rljbpdx.exec:\rljbpdx.exe109⤵
-
\??\c:\lffhjvn.exec:\lffhjvn.exe110⤵
-
\??\c:\rnxpbjf.exec:\rnxpbjf.exe111⤵
-
\??\c:\pxbrhxp.exec:\pxbrhxp.exe112⤵
-
\??\c:\jhdnftx.exec:\jhdnftx.exe113⤵
-
\??\c:\drffh.exec:\drffh.exe114⤵
-
\??\c:\hxfxj.exec:\hxfxj.exe115⤵
-
\??\c:\blbdr.exec:\blbdr.exe116⤵
-
\??\c:\tjlrv.exec:\tjlrv.exe117⤵
-
\??\c:\ltvhnhl.exec:\ltvhnhl.exe118⤵
-
\??\c:\nnnvvvn.exec:\nnnvvvn.exe119⤵
-
\??\c:\jvhtj.exec:\jvhtj.exe120⤵
-
\??\c:\ttxvttt.exec:\ttxvttt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-