Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
08/09/2024, 18:55
General
-
Target
1227009ad34adcf3881c869a05f1859a3ff95e9368897260200864a172d9e5f6.exe
-
Size
82KB
-
MD5
ede0967ff87cc55acdde654977abf7c0
-
SHA1
c5bf62be175da58c387c4ede379e389ca782c85c
-
SHA256
1227009ad34adcf3881c869a05f1859a3ff95e9368897260200864a172d9e5f6
-
SHA512
473566f480745b9d3b32605b290dafb128377793efd45153f67dee6d8690619ee6953ecf97a09f950cd09d267dace0c6cf59edcc7dac7a7338c2fc41544cc77f
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89Qc:ymb3NkkiQ3mdBjFIIp9L9QrrA8d
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1227009ad34adcf3881c869a05f1859a3ff95e9368897260200864a172d9e5f6.exe"C:\Users\Admin\AppData\Local\Temp\1227009ad34adcf3881c869a05f1859a3ff95e9368897260200864a172d9e5f6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvvd.exec:\jdvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lxxffl.exec:\3lxxffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbntb.exec:\bnbntb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdpp.exec:\dvdpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpvj.exec:\vjpvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfflrf.exec:\rrfflrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhbbt.exec:\thhbbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvvd.exec:\jdvvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxlfll.exec:\xxxlfll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7tthtb.exec:\7tthtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnnhh.exec:\thnnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhtb.exec:\tnbhtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjdv.exec:\dpjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxxfl.exec:\rfxxxfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrrll.exec:\frxrrll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbntt.exec:\tnbntt.exe17⤵
- Executes dropped EXE
-
\??\c:\nbnhhb.exec:\nbnhhb.exe18⤵
- Executes dropped EXE
-
\??\c:\5pdvv.exec:\5pdvv.exe19⤵
- Executes dropped EXE
-
\??\c:\jvjjj.exec:\jvjjj.exe20⤵
- Executes dropped EXE
-
\??\c:\3xrlrrx.exec:\3xrlrrx.exe21⤵
- Executes dropped EXE
-
\??\c:\lxlrrrx.exec:\lxlrrrx.exe22⤵
- Executes dropped EXE
-
\??\c:\bbtbbb.exec:\bbtbbb.exe23⤵
- Executes dropped EXE
-
\??\c:\nbnttt.exec:\nbnttt.exe24⤵
- Executes dropped EXE
-
\??\c:\5vvpv.exec:\5vvpv.exe25⤵
- Executes dropped EXE
-
\??\c:\pjvpp.exec:\pjvpp.exe26⤵
- Executes dropped EXE
-
\??\c:\vpddv.exec:\vpddv.exe27⤵
- Executes dropped EXE
-
\??\c:\lfrlrrx.exec:\lfrlrrx.exe28⤵
- Executes dropped EXE
-
\??\c:\btntht.exec:\btntht.exe29⤵
- Executes dropped EXE
-
\??\c:\3hbthh.exec:\3hbthh.exe30⤵
- Executes dropped EXE
-
\??\c:\9jvdj.exec:\9jvdj.exe31⤵
- Executes dropped EXE
-
\??\c:\1xrrxxx.exec:\1xrrxxx.exe32⤵
- Executes dropped EXE
-
\??\c:\xrffllr.exec:\xrffllr.exe33⤵
- Executes dropped EXE
-
\??\c:\lfxlfxx.exec:\lfxlfxx.exe34⤵
- Executes dropped EXE
-
\??\c:\nhnbbh.exec:\nhnbbh.exe35⤵
- Executes dropped EXE
-
\??\c:\5nbttb.exec:\5nbttb.exe36⤵
- Executes dropped EXE
-
\??\c:\pdpvd.exec:\pdpvd.exe37⤵
- Executes dropped EXE
-
\??\c:\vdppj.exec:\vdppj.exe38⤵
- Executes dropped EXE
-
\??\c:\frflfxx.exec:\frflfxx.exe39⤵
- Executes dropped EXE
-
\??\c:\lxrxrll.exec:\lxrxrll.exe40⤵
- Executes dropped EXE
-
\??\c:\7frfrxx.exec:\7frfrxx.exe41⤵
- Executes dropped EXE
-
\??\c:\bhhbtn.exec:\bhhbtn.exe42⤵
- Executes dropped EXE
-
\??\c:\nbnbtt.exec:\nbnbtt.exe43⤵
- Executes dropped EXE
-
\??\c:\5djjv.exec:\5djjv.exe44⤵
- Executes dropped EXE
-
\??\c:\dppvd.exec:\dppvd.exe45⤵
- Executes dropped EXE
-
\??\c:\vjddd.exec:\vjddd.exe46⤵
- Executes dropped EXE
-
\??\c:\5rlrrrr.exec:\5rlrrrr.exe47⤵
- Executes dropped EXE
-
\??\c:\1lxrrrl.exec:\1lxrrrl.exe48⤵
- Executes dropped EXE
-
\??\c:\hhtttb.exec:\hhtttb.exe49⤵
- Executes dropped EXE
-
\??\c:\nhbhnn.exec:\nhbhnn.exe50⤵
- Executes dropped EXE
-
\??\c:\vjvdd.exec:\vjvdd.exe51⤵
- Executes dropped EXE
-
\??\c:\dpddd.exec:\dpddd.exe52⤵
- Executes dropped EXE
-
\??\c:\flxxrxx.exec:\flxxrxx.exe53⤵
- Executes dropped EXE
-
\??\c:\lfrxffl.exec:\lfrxffl.exe54⤵
- Executes dropped EXE
-
\??\c:\bnnttn.exec:\bnnttn.exe55⤵
- Executes dropped EXE
-
\??\c:\5nbttt.exec:\5nbttt.exe56⤵
- Executes dropped EXE
-
\??\c:\9vdvd.exec:\9vdvd.exe57⤵
- Executes dropped EXE
-
\??\c:\3pdjv.exec:\3pdjv.exe58⤵
- Executes dropped EXE
-
\??\c:\7jpjd.exec:\7jpjd.exe59⤵
- Executes dropped EXE
-
\??\c:\xlffllf.exec:\xlffllf.exe60⤵
- Executes dropped EXE
-
\??\c:\1xrxxxr.exec:\1xrxxxr.exe61⤵
- Executes dropped EXE
-
\??\c:\pjpvd.exec:\pjpvd.exe62⤵
- Executes dropped EXE
-
\??\c:\dvppv.exec:\dvppv.exe63⤵
- Executes dropped EXE
-
\??\c:\xlxrxfx.exec:\xlxrxfx.exe64⤵
- Executes dropped EXE
-
\??\c:\rffrxff.exec:\rffrxff.exe65⤵
- Executes dropped EXE
-
\??\c:\nbnnhh.exec:\nbnnhh.exe66⤵
-
\??\c:\5bntbh.exec:\5bntbh.exe67⤵
-
\??\c:\dvpdj.exec:\dvpdj.exe68⤵
-
\??\c:\9jpdp.exec:\9jpdp.exe69⤵
-
\??\c:\3lfflfl.exec:\3lfflfl.exe70⤵
-
\??\c:\xxlrlrf.exec:\xxlrlrf.exe71⤵
-
\??\c:\hbnttb.exec:\hbnttb.exe72⤵
-
\??\c:\1bttbb.exec:\1bttbb.exe73⤵
-
\??\c:\jddjp.exec:\jddjp.exe74⤵
-
\??\c:\pjdjp.exec:\pjdjp.exe75⤵
-
\??\c:\1lxxxff.exec:\1lxxxff.exe76⤵
-
\??\c:\fxfflxx.exec:\fxfflxx.exe77⤵
-
\??\c:\7nhhht.exec:\7nhhht.exe78⤵
-
\??\c:\thbbhh.exec:\thbbhh.exe79⤵
-
\??\c:\dpvvv.exec:\dpvvv.exe80⤵
-
\??\c:\dvvdp.exec:\dvvdp.exe81⤵
-
\??\c:\rfxflrf.exec:\rfxflrf.exe82⤵
-
\??\c:\xrffllr.exec:\xrffllr.exe83⤵
-
\??\c:\7thhnb.exec:\7thhnb.exe84⤵
-
\??\c:\tnbthh.exec:\tnbthh.exe85⤵
-
\??\c:\tnhttb.exec:\tnhttb.exe86⤵
-
\??\c:\pjvvj.exec:\pjvvj.exe87⤵
-
\??\c:\xlrxxfl.exec:\xlrxxfl.exe88⤵
-
\??\c:\xrlrllx.exec:\xrlrllx.exe89⤵
-
\??\c:\frlrxff.exec:\frlrxff.exe90⤵
-
\??\c:\tthnbh.exec:\tthnbh.exe91⤵
-
\??\c:\hthnnt.exec:\hthnnt.exe92⤵
-
\??\c:\pjvdd.exec:\pjvdd.exe93⤵
-
\??\c:\lfxxxff.exec:\lfxxxff.exe94⤵
-
\??\c:\frrlffx.exec:\frrlffx.exe95⤵
-
\??\c:\3ttttt.exec:\3ttttt.exe96⤵
-
\??\c:\hthhhn.exec:\hthhhn.exe97⤵
-
\??\c:\ppjvd.exec:\ppjvd.exe98⤵
-
\??\c:\ddvdp.exec:\ddvdp.exe99⤵
-
\??\c:\fffrrll.exec:\fffrrll.exe100⤵
-
\??\c:\rrxrlfx.exec:\rrxrlfx.exe101⤵
-
\??\c:\1hbhtb.exec:\1hbhtb.exe102⤵
-
\??\c:\pjjpv.exec:\pjjpv.exe103⤵
-
\??\c:\5vpjd.exec:\5vpjd.exe104⤵
-
\??\c:\llflrxx.exec:\llflrxx.exe105⤵
-
\??\c:\lffxrrl.exec:\lffxrrl.exe106⤵
-
\??\c:\tnbbhb.exec:\tnbbhb.exe107⤵
-
\??\c:\thtnbt.exec:\thtnbt.exe108⤵
-
\??\c:\pdjjd.exec:\pdjjd.exe109⤵
-
\??\c:\dppjd.exec:\dppjd.exe110⤵
-
\??\c:\fxrrflx.exec:\fxrrflx.exe111⤵
-
\??\c:\frffffl.exec:\frffffl.exe112⤵
-
\??\c:\9tntbb.exec:\9tntbb.exe113⤵
-
\??\c:\3bthbh.exec:\3bthbh.exe114⤵
-
\??\c:\nbhnbb.exec:\nbhnbb.exe115⤵
-
\??\c:\dpvdd.exec:\dpvdd.exe116⤵
-
\??\c:\jdpvv.exec:\jdpvv.exe117⤵
-
\??\c:\xfrrrlr.exec:\xfrrrlr.exe118⤵
-
\??\c:\ffflflx.exec:\ffflflx.exe119⤵
-
\??\c:\5thhtt.exec:\5thhtt.exe120⤵
-
\??\c:\nnntbh.exec:\nnntbh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-