Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09/09/2024, 03:36
General
-
Target
7f856cefe3efe416d097d4ca81a17120N.exe
-
Size
71KB
-
MD5
7f856cefe3efe416d097d4ca81a17120
-
SHA1
3bf1b6d3ee1b1a4947259807fe79f2e7bb71fad9
-
SHA256
d315eede554e0207c397c71d2b5566817b05487b2fd34f7d7482b945f38804a8
-
SHA512
abdc88f5984eb06d4aeefe15a370e67d599587e4a7623c0972d864d7b33fe125a699397cbc53be518a0a400cd6bb2aaa802b7dc6a44ca81b78c5b28036c01bbd
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjj:ymb3NkkiQ3mdBjFI4VT
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f856cefe3efe416d097d4ca81a17120N.exe"C:\Users\Admin\AppData\Local\Temp\7f856cefe3efe416d097d4ca81a17120N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1rlrrxx.exec:\1rlrrxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnhbb.exec:\hbnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpdvj.exec:\jpdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrrffl.exec:\lxrrffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdppv.exec:\jdppv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9ddjv.exec:\9ddjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrrxx.exec:\fxlrrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhbh.exec:\nhbhbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddpp.exec:\jddpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjpv.exec:\vpjpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxllx.exec:\lfrxllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbhh.exec:\nhbbhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbnn.exec:\nhbbnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppvp.exec:\vppvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfxfff.exec:\lxfxfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxxxfr.exec:\xxxxxfr.exe17⤵
- Executes dropped EXE
-
\??\c:\hbntbh.exec:\hbntbh.exe18⤵
- Executes dropped EXE
-
\??\c:\jjvjp.exec:\jjvjp.exe19⤵
- Executes dropped EXE
-
\??\c:\rrlrffr.exec:\rrlrffr.exe20⤵
- Executes dropped EXE
-
\??\c:\lfllrlr.exec:\lfllrlr.exe21⤵
- Executes dropped EXE
-
\??\c:\nhtbnt.exec:\nhtbnt.exe22⤵
- Executes dropped EXE
-
\??\c:\vdpdd.exec:\vdpdd.exe23⤵
- Executes dropped EXE
-
\??\c:\rlxxxff.exec:\rlxxxff.exe24⤵
- Executes dropped EXE
-
\??\c:\rrxrrfx.exec:\rrxrrfx.exe25⤵
- Executes dropped EXE
-
\??\c:\hhbnbb.exec:\hhbnbb.exe26⤵
- Executes dropped EXE
-
\??\c:\tnhhtb.exec:\tnhhtb.exe27⤵
- Executes dropped EXE
-
\??\c:\jjvdd.exec:\jjvdd.exe28⤵
- Executes dropped EXE
-
\??\c:\7frlllr.exec:\7frlllr.exe29⤵
- Executes dropped EXE
-
\??\c:\1btbnt.exec:\1btbnt.exe30⤵
- Executes dropped EXE
-
\??\c:\tnhnhh.exec:\tnhnhh.exe31⤵
- Executes dropped EXE
-
\??\c:\7ppdp.exec:\7ppdp.exe32⤵
- Executes dropped EXE
-
\??\c:\9rllllr.exec:\9rllllr.exe33⤵
- Executes dropped EXE
-
\??\c:\lxlfrlx.exec:\lxlfrlx.exe34⤵
- Executes dropped EXE
-
\??\c:\hbtbhb.exec:\hbtbhb.exe35⤵
- Executes dropped EXE
-
\??\c:\nhnnth.exec:\nhnnth.exe36⤵
- Executes dropped EXE
-
\??\c:\1vjjv.exec:\1vjjv.exe37⤵
- Executes dropped EXE
-
\??\c:\3djdd.exec:\3djdd.exe38⤵
- Executes dropped EXE
-
\??\c:\fxlrfff.exec:\fxlrfff.exe39⤵
- Executes dropped EXE
-
\??\c:\1rrrxlf.exec:\1rrrxlf.exe40⤵
- Executes dropped EXE
-
\??\c:\ntbhhh.exec:\ntbhhh.exe41⤵
- Executes dropped EXE
-
\??\c:\bttbnn.exec:\bttbnn.exe42⤵
- Executes dropped EXE
-
\??\c:\ddvdj.exec:\ddvdj.exe43⤵
- Executes dropped EXE
-
\??\c:\dpppp.exec:\dpppp.exe44⤵
- Executes dropped EXE
-
\??\c:\xrllrrl.exec:\xrllrrl.exe45⤵
- Executes dropped EXE
-
\??\c:\xrlrfrf.exec:\xrlrfrf.exe46⤵
- Executes dropped EXE
-
\??\c:\nntbtt.exec:\nntbtt.exe47⤵
- Executes dropped EXE
-
\??\c:\nhtbnb.exec:\nhtbnb.exe48⤵
- Executes dropped EXE
-
\??\c:\pjddv.exec:\pjddv.exe49⤵
- Executes dropped EXE
-
\??\c:\9vvpd.exec:\9vvpd.exe50⤵
- Executes dropped EXE
-
\??\c:\rrrxffr.exec:\rrrxffr.exe51⤵
- Executes dropped EXE
-
\??\c:\hbtbbh.exec:\hbtbbh.exe52⤵
- Executes dropped EXE
-
\??\c:\pppdp.exec:\pppdp.exe53⤵
- Executes dropped EXE
-
\??\c:\vvppd.exec:\vvppd.exe54⤵
- Executes dropped EXE
-
\??\c:\xxxlxxr.exec:\xxxlxxr.exe55⤵
- Executes dropped EXE
-
\??\c:\ttnbhh.exec:\ttnbhh.exe56⤵
- Executes dropped EXE
-
\??\c:\ttnnnb.exec:\ttnnnb.exe57⤵
- Executes dropped EXE
-
\??\c:\vvvdd.exec:\vvvdd.exe58⤵
- Executes dropped EXE
-
\??\c:\vjdvd.exec:\vjdvd.exe59⤵
- Executes dropped EXE
-
\??\c:\dvdjp.exec:\dvdjp.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xrrrrrf.exec:\xrrrrrf.exe61⤵
- Executes dropped EXE
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe62⤵
- Executes dropped EXE
-
\??\c:\tnbhhn.exec:\tnbhhn.exe63⤵
- Executes dropped EXE
-
\??\c:\bnbbbb.exec:\bnbbbb.exe64⤵
- Executes dropped EXE
-
\??\c:\jvjjj.exec:\jvjjj.exe65⤵
- Executes dropped EXE
-
\??\c:\vvppd.exec:\vvppd.exe66⤵
-
\??\c:\rlfxrrf.exec:\rlfxrrf.exe67⤵
-
\??\c:\ffrxlrr.exec:\ffrxlrr.exe68⤵
-
\??\c:\1tnnbh.exec:\1tnnbh.exe69⤵
-
\??\c:\7tnbnt.exec:\7tnbnt.exe70⤵
-
\??\c:\9pddj.exec:\9pddj.exe71⤵
-
\??\c:\ddjpd.exec:\ddjpd.exe72⤵
-
\??\c:\9lxxffl.exec:\9lxxffl.exe73⤵
-
\??\c:\1rrxxxl.exec:\1rrxxxl.exe74⤵
-
\??\c:\5hnnnn.exec:\5hnnnn.exe75⤵
-
\??\c:\btntbb.exec:\btntbb.exe76⤵
-
\??\c:\vpjvp.exec:\vpjvp.exe77⤵
-
\??\c:\pdpvv.exec:\pdpvv.exe78⤵
-
\??\c:\xxlrrrx.exec:\xxlrrrx.exe79⤵
-
\??\c:\xrlrxxx.exec:\xrlrxxx.exe80⤵
-
\??\c:\llxlxfr.exec:\llxlxfr.exe81⤵
-
\??\c:\ntbhnh.exec:\ntbhnh.exe82⤵
-
\??\c:\5vvdj.exec:\5vvdj.exe83⤵
-
\??\c:\3dddd.exec:\3dddd.exe84⤵
-
\??\c:\9lxxxfl.exec:\9lxxxfl.exe85⤵
-
\??\c:\1rxlflx.exec:\1rxlflx.exe86⤵
-
\??\c:\9rfflrx.exec:\9rfflrx.exe87⤵
-
\??\c:\nnhnhn.exec:\nnhnhn.exe88⤵
-
\??\c:\5jpjj.exec:\5jpjj.exe89⤵
-
\??\c:\dvpvp.exec:\dvpvp.exe90⤵
-
\??\c:\9fffrlr.exec:\9fffrlr.exe91⤵
-
\??\c:\fxllrxf.exec:\fxllrxf.exe92⤵
-
\??\c:\xrlrlrl.exec:\xrlrlrl.exe93⤵
-
\??\c:\nhtnbh.exec:\nhtnbh.exe94⤵
-
\??\c:\pjppp.exec:\pjppp.exe95⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe96⤵
-
\??\c:\ffxrrrf.exec:\ffxrrrf.exe97⤵
-
\??\c:\3rlxffl.exec:\3rlxffl.exe98⤵
-
\??\c:\rrlxrrl.exec:\rrlxrrl.exe99⤵
-
\??\c:\7tnbbb.exec:\7tnbbb.exe100⤵
-
\??\c:\9btttb.exec:\9btttb.exe101⤵
-
\??\c:\djjjj.exec:\djjjj.exe102⤵
-
\??\c:\1dvpd.exec:\1dvpd.exe103⤵
-
\??\c:\xrffllx.exec:\xrffllx.exe104⤵
- System Location Discovery: System Language Discovery
-
\??\c:\fxrrxfl.exec:\fxrrxfl.exe105⤵
-
\??\c:\btnnnt.exec:\btnnnt.exe106⤵
-
\??\c:\hbtbhb.exec:\hbtbhb.exe107⤵
-
\??\c:\1pjvd.exec:\1pjvd.exe108⤵
-
\??\c:\llxfflx.exec:\llxfflx.exe109⤵
-
\??\c:\xxlxrfl.exec:\xxlxrfl.exe110⤵
-
\??\c:\nhtthh.exec:\nhtthh.exe111⤵
-
\??\c:\bttbhn.exec:\bttbhn.exe112⤵
-
\??\c:\pdjjv.exec:\pdjjv.exe113⤵
-
\??\c:\jdppv.exec:\jdppv.exe114⤵
-
\??\c:\rlxxflr.exec:\rlxxflr.exe115⤵
-
\??\c:\7rrxllr.exec:\7rrxllr.exe116⤵
-
\??\c:\hhthhn.exec:\hhthhn.exe117⤵
-
\??\c:\hbnntb.exec:\hbnntb.exe118⤵
-
\??\c:\5ddjv.exec:\5ddjv.exe119⤵
-
\??\c:\pjdvd.exec:\pjdvd.exe120⤵
-
\??\c:\xxlrflx.exec:\xxlrflx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-