Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09/09/2024, 13:48
General
-
Target
4f887d89e0a1198f2bd82aa5b4d62d39ef65998bad876822fecbef6e59b6eb59.exe
-
Size
82KB
-
MD5
89ea02a71fbabafafff6639c845654a0
-
SHA1
9b7a5a817071a4873b596ee4f006b38df125e3e3
-
SHA256
4f887d89e0a1198f2bd82aa5b4d62d39ef65998bad876822fecbef6e59b6eb59
-
SHA512
cf872cf14e856916791be94a197af77b1ab71e1ada2ad7023cc4f029c493a3ad7a6bbde78752ff90a22815c10423e9c8a58d289f3f91d57ee602b178d9287cf8
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89Qw:ymb3NkkiQ3mdBjFIIp9L9QrrA8T
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 18 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f887d89e0a1198f2bd82aa5b4d62d39ef65998bad876822fecbef6e59b6eb59.exe"C:\Users\Admin\AppData\Local\Temp\4f887d89e0a1198f2bd82aa5b4d62d39ef65998bad876822fecbef6e59b6eb59.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\btnntt.exec:\btnntt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdjp.exec:\pjdjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfllffr.exec:\lfllffr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbhtb.exec:\nnbhtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpvv.exec:\djpvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxllxfl.exec:\xxllxfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrxfff.exec:\fxrxfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnntb.exec:\bbnntb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjvp.exec:\jdjvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3frxrrf.exec:\3frxrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xxflrf.exec:\7xxflrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbtt.exec:\btbbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtbhn.exec:\hbtbhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvvd.exec:\dpvvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlfflr.exec:\fxlfflr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrflx.exec:\fxlrflx.exe17⤵
- Executes dropped EXE
-
\??\c:\hhbbhh.exec:\hhbbhh.exe18⤵
- Executes dropped EXE
-
\??\c:\pddjj.exec:\pddjj.exe19⤵
- Executes dropped EXE
-
\??\c:\3vppv.exec:\3vppv.exe20⤵
- Executes dropped EXE
-
\??\c:\fxlflrr.exec:\fxlflrr.exe21⤵
- Executes dropped EXE
-
\??\c:\rxrrxrl.exec:\rxrrxrl.exe22⤵
- Executes dropped EXE
-
\??\c:\bnthnn.exec:\bnthnn.exe23⤵
- Executes dropped EXE
-
\??\c:\nttbnb.exec:\nttbnb.exe24⤵
- Executes dropped EXE
-
\??\c:\3jvvj.exec:\3jvvj.exe25⤵
- Executes dropped EXE
-
\??\c:\rlflxfl.exec:\rlflxfl.exe26⤵
- Executes dropped EXE
-
\??\c:\llfflll.exec:\llfflll.exe27⤵
- Executes dropped EXE
-
\??\c:\7lrrfff.exec:\7lrrfff.exe28⤵
- Executes dropped EXE
-
\??\c:\9bhnnn.exec:\9bhnnn.exe29⤵
- Executes dropped EXE
-
\??\c:\7vjjj.exec:\7vjjj.exe30⤵
- Executes dropped EXE
-
\??\c:\pjdjv.exec:\pjdjv.exe31⤵
- Executes dropped EXE
-
\??\c:\fxlxfrx.exec:\fxlxfrx.exe32⤵
- Executes dropped EXE
-
\??\c:\thnbhh.exec:\thnbhh.exe33⤵
- Executes dropped EXE
-
\??\c:\nbbbnt.exec:\nbbbnt.exe34⤵
- Executes dropped EXE
-
\??\c:\vvdvv.exec:\vvdvv.exe35⤵
- Executes dropped EXE
-
\??\c:\7jvvd.exec:\7jvvd.exe36⤵
- Executes dropped EXE
-
\??\c:\xrllrrf.exec:\xrllrrf.exe37⤵
- Executes dropped EXE
-
\??\c:\rlxflll.exec:\rlxflll.exe38⤵
- Executes dropped EXE
-
\??\c:\nhbnbb.exec:\nhbnbb.exe39⤵
- Executes dropped EXE
-
\??\c:\ttbnnt.exec:\ttbnnt.exe40⤵
- Executes dropped EXE
-
\??\c:\pjdvd.exec:\pjdvd.exe41⤵
- Executes dropped EXE
-
\??\c:\jjpvd.exec:\jjpvd.exe42⤵
- Executes dropped EXE
-
\??\c:\fxflxxf.exec:\fxflxxf.exe43⤵
- Executes dropped EXE
-
\??\c:\nbtttt.exec:\nbtttt.exe44⤵
- Executes dropped EXE
-
\??\c:\bbnntb.exec:\bbnntb.exe45⤵
- Executes dropped EXE
-
\??\c:\pvvvv.exec:\pvvvv.exe46⤵
- Executes dropped EXE
-
\??\c:\ddvpd.exec:\ddvpd.exe47⤵
- Executes dropped EXE
-
\??\c:\lxfflll.exec:\lxfflll.exe48⤵
- Executes dropped EXE
-
\??\c:\9fxxffl.exec:\9fxxffl.exe49⤵
- Executes dropped EXE
-
\??\c:\ntbntt.exec:\ntbntt.exe50⤵
- Executes dropped EXE
-
\??\c:\1ttbbh.exec:\1ttbbh.exe51⤵
- Executes dropped EXE
-
\??\c:\vpvdj.exec:\vpvdj.exe52⤵
- Executes dropped EXE
-
\??\c:\pdppv.exec:\pdppv.exe53⤵
- Executes dropped EXE
-
\??\c:\flxrxlr.exec:\flxrxlr.exe54⤵
- Executes dropped EXE
-
\??\c:\9lxfllx.exec:\9lxfllx.exe55⤵
- Executes dropped EXE
-
\??\c:\htnnnn.exec:\htnnnn.exe56⤵
- Executes dropped EXE
-
\??\c:\1bhtnb.exec:\1bhtnb.exe57⤵
- Executes dropped EXE
-
\??\c:\dvdjp.exec:\dvdjp.exe58⤵
- Executes dropped EXE
-
\??\c:\vpjjj.exec:\vpjjj.exe59⤵
- Executes dropped EXE
-
\??\c:\frxffxf.exec:\frxffxf.exe60⤵
- Executes dropped EXE
-
\??\c:\lxflrrx.exec:\lxflrrx.exe61⤵
- Executes dropped EXE
-
\??\c:\tnhtbh.exec:\tnhtbh.exe62⤵
- Executes dropped EXE
-
\??\c:\nhbtbb.exec:\nhbtbb.exe63⤵
- Executes dropped EXE
-
\??\c:\dvdjj.exec:\dvdjj.exe64⤵
- Executes dropped EXE
-
\??\c:\vpddj.exec:\vpddj.exe65⤵
- Executes dropped EXE
-
\??\c:\7xfxllr.exec:\7xfxllr.exe66⤵
-
\??\c:\rlxflll.exec:\rlxflll.exe67⤵
-
\??\c:\bttttb.exec:\bttttb.exe68⤵
-
\??\c:\hhnhtn.exec:\hhnhtn.exe69⤵
-
\??\c:\3jdjj.exec:\3jdjj.exe70⤵
-
\??\c:\jdvpp.exec:\jdvpp.exe71⤵
-
\??\c:\3fxrrxl.exec:\3fxrrxl.exe72⤵
-
\??\c:\9frflfr.exec:\9frflfr.exe73⤵
-
\??\c:\tthhnn.exec:\tthhnn.exe74⤵
-
\??\c:\7thhnt.exec:\7thhnt.exe75⤵
-
\??\c:\dvvvd.exec:\dvvvd.exe76⤵
-
\??\c:\dpppv.exec:\dpppv.exe77⤵
-
\??\c:\xllrxlx.exec:\xllrxlx.exe78⤵
-
\??\c:\lxlfllx.exec:\lxlfllx.exe79⤵
-
\??\c:\ttbbhh.exec:\ttbbhh.exe80⤵
-
\??\c:\nbnttt.exec:\nbnttt.exe81⤵
-
\??\c:\jdvjj.exec:\jdvjj.exe82⤵
-
\??\c:\3pvvv.exec:\3pvvv.exe83⤵
-
\??\c:\7vjjj.exec:\7vjjj.exe84⤵
-
\??\c:\9fffrrx.exec:\9fffrrx.exe85⤵
-
\??\c:\xxrlxxf.exec:\xxrlxxf.exe86⤵
-
\??\c:\hbbnbb.exec:\hbbnbb.exe87⤵
-
\??\c:\nntntb.exec:\nntntb.exe88⤵
-
\??\c:\7pvjd.exec:\7pvjd.exe89⤵
-
\??\c:\jdppp.exec:\jdppp.exe90⤵
-
\??\c:\lfrxllr.exec:\lfrxllr.exe91⤵
-
\??\c:\xxrxffl.exec:\xxrxffl.exe92⤵
-
\??\c:\9nhnbh.exec:\9nhnbh.exe93⤵
-
\??\c:\nnhtbh.exec:\nnhtbh.exe94⤵
-
\??\c:\jdddd.exec:\jdddd.exe95⤵
-
\??\c:\jdvjj.exec:\jdvjj.exe96⤵
-
\??\c:\llrlxxl.exec:\llrlxxl.exe97⤵
-
\??\c:\lfrfllx.exec:\lfrfllx.exe98⤵
-
\??\c:\5ntnth.exec:\5ntnth.exe99⤵
-
\??\c:\nhttbh.exec:\nhttbh.exe100⤵
-
\??\c:\hthhbn.exec:\hthhbn.exe101⤵
-
\??\c:\3vpvp.exec:\3vpvp.exe102⤵
-
\??\c:\9vvvp.exec:\9vvvp.exe103⤵
-
\??\c:\9fffrxx.exec:\9fffrxx.exe104⤵
-
\??\c:\3lxxxfl.exec:\3lxxxfl.exe105⤵
-
\??\c:\nhbhbh.exec:\nhbhbh.exe106⤵
-
\??\c:\1bttbh.exec:\1bttbh.exe107⤵
-
\??\c:\ddpdp.exec:\ddpdp.exe108⤵
-
\??\c:\1jjdj.exec:\1jjdj.exe109⤵
-
\??\c:\jjvjv.exec:\jjvjv.exe110⤵
-
\??\c:\rfrxllx.exec:\rfrxllx.exe111⤵
-
\??\c:\lffxflx.exec:\lffxflx.exe112⤵
-
\??\c:\hbttbh.exec:\hbttbh.exe113⤵
-
\??\c:\bbtbnb.exec:\bbtbnb.exe114⤵
-
\??\c:\tnbnnt.exec:\tnbnnt.exe115⤵
-
\??\c:\djpvp.exec:\djpvp.exe116⤵
-
\??\c:\dpjjj.exec:\dpjjj.exe117⤵
-
\??\c:\lfllrxl.exec:\lfllrxl.exe118⤵
-
\??\c:\lfrffff.exec:\lfrffff.exe119⤵
-
\??\c:\btntbh.exec:\btntbh.exe120⤵
-
\??\c:\tntthh.exec:\tntthh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-