Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09/09/2024, 04:13
General
-
Target
edd230ed5dc98255ce6e311b135ef01152eb77475368e2bf5ba37c5c5923fa8d.exe
-
Size
438KB
-
MD5
ba18d9456e85927e1ef6ab9810c31b82
-
SHA1
1a91a56e602a7353c4bdf926a7c326c1985ed476
-
SHA256
edd230ed5dc98255ce6e311b135ef01152eb77475368e2bf5ba37c5c5923fa8d
-
SHA512
11e1bd483f1b05af4b8963fa9402578b9e30ba80bed7ac319e36392a41ebd484f9c0c8550f8f361a199f26de49f59dba922ec113bb904ac160979d640942db92
-
SSDEEP
6144:n3C9BRo7tvnJ9Fywhk/T4i37K3BoKg0p5WI09JN:n3C9ytvn8whkb4i3e3GFO6JN
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\edd230ed5dc98255ce6e311b135ef01152eb77475368e2bf5ba37c5c5923fa8d.exe"C:\Users\Admin\AppData\Local\Temp\edd230ed5dc98255ce6e311b135ef01152eb77475368e2bf5ba37c5c5923fa8d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bthntn.exec:\bthntn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jpjp.exec:\3jpjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxlllx.exec:\xlxlllx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3btttb.exec:\3btttb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjddj.exec:\pjddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ffxflx.exec:\5ffxflx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbbnh.exec:\hbbbnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxllfxl.exec:\lxllfxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpvd.exec:\jdpvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rlxffr.exec:\7rlxffr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtthn.exec:\nhtthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvvd.exec:\pdvvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xrxlrx.exec:\9xrxlrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpdp.exec:\dvpdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlrflf.exec:\xxlrflf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhhtt.exec:\nnhhtt.exe17⤵
- Executes dropped EXE
-
\??\c:\xlllfxl.exec:\xlllfxl.exe18⤵
- Executes dropped EXE
-
\??\c:\hnhtnb.exec:\hnhtnb.exe19⤵
- Executes dropped EXE
-
\??\c:\vvjjd.exec:\vvjjd.exe20⤵
- Executes dropped EXE
-
\??\c:\fxrflxr.exec:\fxrflxr.exe21⤵
- Executes dropped EXE
-
\??\c:\thbbbb.exec:\thbbbb.exe22⤵
- Executes dropped EXE
-
\??\c:\7fxfrfr.exec:\7fxfrfr.exe23⤵
- Executes dropped EXE
-
\??\c:\5bntnn.exec:\5bntnn.exe24⤵
- Executes dropped EXE
-
\??\c:\nbnthh.exec:\nbnthh.exe25⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe26⤵
- Executes dropped EXE
-
\??\c:\xxflrxl.exec:\xxflrxl.exe27⤵
- Executes dropped EXE
-
\??\c:\7djpv.exec:\7djpv.exe28⤵
- Executes dropped EXE
-
\??\c:\hnbhtb.exec:\hnbhtb.exe29⤵
- Executes dropped EXE
-
\??\c:\ppvdv.exec:\ppvdv.exe30⤵
- Executes dropped EXE
-
\??\c:\3thtnt.exec:\3thtnt.exe31⤵
- Executes dropped EXE
-
\??\c:\vvjjp.exec:\vvjjp.exe32⤵
- Executes dropped EXE
-
\??\c:\vjvvv.exec:\vjvvv.exe33⤵
- Executes dropped EXE
-
\??\c:\xrllfxl.exec:\xrllfxl.exe34⤵
- Executes dropped EXE
-
\??\c:\3vjpp.exec:\3vjpp.exe35⤵
- Executes dropped EXE
-
\??\c:\jjddv.exec:\jjddv.exe36⤵
- Executes dropped EXE
-
\??\c:\1xllllx.exec:\1xllllx.exe37⤵
- Executes dropped EXE
-
\??\c:\nnbbhh.exec:\nnbbhh.exe38⤵
- Executes dropped EXE
-
\??\c:\bbnthh.exec:\bbnthh.exe39⤵
- Executes dropped EXE
-
\??\c:\jjdjv.exec:\jjdjv.exe40⤵
- Executes dropped EXE
-
\??\c:\xrrxflx.exec:\xrrxflx.exe41⤵
- Executes dropped EXE
-
\??\c:\hbntbb.exec:\hbntbb.exe42⤵
- Executes dropped EXE
-
\??\c:\hbbhtb.exec:\hbbhtb.exe43⤵
- Executes dropped EXE
-
\??\c:\vjppv.exec:\vjppv.exe44⤵
- Executes dropped EXE
-
\??\c:\3fxxflx.exec:\3fxxflx.exe45⤵
- Executes dropped EXE
-
\??\c:\7rffllx.exec:\7rffllx.exe46⤵
- Executes dropped EXE
-
\??\c:\nhttbh.exec:\nhttbh.exe47⤵
- Executes dropped EXE
-
\??\c:\7vvjv.exec:\7vvjv.exe48⤵
- Executes dropped EXE
-
\??\c:\xlffrxl.exec:\xlffrxl.exe49⤵
- Executes dropped EXE
-
\??\c:\3fffrxl.exec:\3fffrxl.exe50⤵
- Executes dropped EXE
-
\??\c:\nbtntt.exec:\nbtntt.exe51⤵
- Executes dropped EXE
-
\??\c:\pdvpj.exec:\pdvpj.exe52⤵
- Executes dropped EXE
-
\??\c:\rlrffrl.exec:\rlrffrl.exe53⤵
- Executes dropped EXE
-
\??\c:\frlrxxf.exec:\frlrxxf.exe54⤵
- Executes dropped EXE
-
\??\c:\nhhhnt.exec:\nhhhnt.exe55⤵
- Executes dropped EXE
-
\??\c:\jjvjv.exec:\jjvjv.exe56⤵
- Executes dropped EXE
-
\??\c:\ppppd.exec:\ppppd.exe57⤵
- Executes dropped EXE
-
\??\c:\xrfllfl.exec:\xrfllfl.exe58⤵
- Executes dropped EXE
-
\??\c:\tbhtbn.exec:\tbhtbn.exe59⤵
- Executes dropped EXE
-
\??\c:\bbthbb.exec:\bbthbb.exe60⤵
- Executes dropped EXE
-
\??\c:\5vppj.exec:\5vppj.exe61⤵
- Executes dropped EXE
-
\??\c:\xfllrxx.exec:\xfllrxx.exe62⤵
- Executes dropped EXE
-
\??\c:\lxrxxxf.exec:\lxrxxxf.exe63⤵
- Executes dropped EXE
-
\??\c:\3bnnbb.exec:\3bnnbb.exe64⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe65⤵
- Executes dropped EXE
-
\??\c:\ppppv.exec:\ppppv.exe66⤵
-
\??\c:\1fxfllx.exec:\1fxfllx.exe67⤵
-
\??\c:\7hbbhn.exec:\7hbbhn.exe68⤵
-
\??\c:\nntthb.exec:\nntthb.exe69⤵
-
\??\c:\vpjjp.exec:\vpjjp.exe70⤵
-
\??\c:\rrlxflx.exec:\rrlxflx.exe71⤵
-
\??\c:\thbbhn.exec:\thbbhn.exe72⤵
-
\??\c:\5tnntb.exec:\5tnntb.exe73⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe74⤵
-
\??\c:\xlfflrf.exec:\xlfflrf.exe75⤵
-
\??\c:\5fflrlr.exec:\5fflrlr.exe76⤵
-
\??\c:\bthnbh.exec:\bthnbh.exe77⤵
-
\??\c:\1vpvj.exec:\1vpvj.exe78⤵
-
\??\c:\xlxxfxf.exec:\xlxxfxf.exe79⤵
-
\??\c:\7xxxxff.exec:\7xxxxff.exe80⤵
-
\??\c:\htnhtb.exec:\htnhtb.exe81⤵
- System Location Discovery: System Language Discovery
-
\??\c:\dvppp.exec:\dvppp.exe82⤵
-
\??\c:\1ddjp.exec:\1ddjp.exe83⤵
-
\??\c:\rlxxllx.exec:\rlxxllx.exe84⤵
-
\??\c:\nhbhtb.exec:\nhbhtb.exe85⤵
-
\??\c:\bnhbbh.exec:\bnhbbh.exe86⤵
-
\??\c:\ddpdp.exec:\ddpdp.exe87⤵
-
\??\c:\xrllxfr.exec:\xrllxfr.exe88⤵
-
\??\c:\9lxfrxl.exec:\9lxfrxl.exe89⤵
-
\??\c:\nhbbhn.exec:\nhbbhn.exe90⤵
-
\??\c:\pdvjp.exec:\pdvjp.exe91⤵
-
\??\c:\rlflrrf.exec:\rlflrrf.exe92⤵
-
\??\c:\lxrxxlr.exec:\lxrxxlr.exe93⤵
-
\??\c:\bbnbnt.exec:\bbnbnt.exe94⤵
-
\??\c:\9dvdp.exec:\9dvdp.exe95⤵
-
\??\c:\jdjjp.exec:\jdjjp.exe96⤵
-
\??\c:\lfxfrrl.exec:\lfxfrrl.exe97⤵
-
\??\c:\1lxrfff.exec:\1lxrfff.exe98⤵
-
\??\c:\tbtttt.exec:\tbtttt.exe99⤵
-
\??\c:\jvjpj.exec:\jvjpj.exe100⤵
-
\??\c:\9xrrfxl.exec:\9xrrfxl.exe101⤵
-
\??\c:\lxrrrxf.exec:\lxrrrxf.exe102⤵
-
\??\c:\nnbhtt.exec:\nnbhtt.exe103⤵
-
\??\c:\vpjvj.exec:\vpjvj.exe104⤵
-
\??\c:\dvpvd.exec:\dvpvd.exe105⤵
-
\??\c:\3lrllxf.exec:\3lrllxf.exe106⤵
-
\??\c:\nhbhnn.exec:\nhbhnn.exe107⤵
-
\??\c:\nnhntn.exec:\nnhntn.exe108⤵
-
\??\c:\pjdjv.exec:\pjdjv.exe109⤵
-
\??\c:\5rllrrf.exec:\5rllrrf.exe110⤵
-
\??\c:\1xxxlrf.exec:\1xxxlrf.exe111⤵
-
\??\c:\bnhbhh.exec:\bnhbhh.exe112⤵
-
\??\c:\7vpdj.exec:\7vpdj.exe113⤵
-
\??\c:\vjvvd.exec:\vjvvd.exe114⤵
-
\??\c:\5lxxxxl.exec:\5lxxxxl.exe115⤵
-
\??\c:\nbhbhh.exec:\nbhbhh.exe116⤵
-
\??\c:\httbnt.exec:\httbnt.exe117⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe118⤵
-
\??\c:\rlxfrxf.exec:\rlxfrxf.exe119⤵
-
\??\c:\1rrrffl.exec:\1rrrffl.exe120⤵
-
\??\c:\9bbhbn.exec:\9bbhbn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-