Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09/09/2024, 20:40
General
-
Target
3b6f1561650b909203a282bf3296f0cb52c7f1e36cf5882618c4b691cecb489a.exe
-
Size
87KB
-
MD5
b0e850857ce61d7e28d703a28faff60b
-
SHA1
ebbd0ae36ca7022088af31157225b8fa4e9fdd1c
-
SHA256
3b6f1561650b909203a282bf3296f0cb52c7f1e36cf5882618c4b691cecb489a
-
SHA512
6749bf13c304aae8656086b089595915d159cc1a639f711833a107c17ed81932521dbeedf19b915f5bd1a0782f68f7f967727f75b4b991dafb526d22516aa98c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2iJvRirE0DmoLZsOS:ymb3NkkiQ3mdBjF+3TU2iBRioSnZsb
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b6f1561650b909203a282bf3296f0cb52c7f1e36cf5882618c4b691cecb489a.exe"C:\Users\Admin\AppData\Local\Temp\3b6f1561650b909203a282bf3296f0cb52c7f1e36cf5882618c4b691cecb489a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhthh.exec:\tnhthh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxxlx.exec:\lfrxxlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbthtt.exec:\bbthtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvdd.exec:\vvvdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpvv.exec:\pjpvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvjj.exec:\jjvjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3llrlfr.exec:\3llrlfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbhth.exec:\hhbhth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthtth.exec:\tthtth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjjp.exec:\dvjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvjv.exec:\jjvjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlxflr.exec:\lxlxflr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfxflx.exec:\rlfxflx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbntbh.exec:\nbntbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnbnn.exec:\htnbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddjp.exec:\jddjp.exe17⤵
- Executes dropped EXE
-
\??\c:\dddpp.exec:\dddpp.exe18⤵
- Executes dropped EXE
-
\??\c:\5xlrfrx.exec:\5xlrfrx.exe19⤵
- Executes dropped EXE
-
\??\c:\rxrxfrl.exec:\rxrxfrl.exe20⤵
- Executes dropped EXE
-
\??\c:\7htbhn.exec:\7htbhn.exe21⤵
- Executes dropped EXE
-
\??\c:\9nnhbt.exec:\9nnhbt.exe22⤵
- Executes dropped EXE
-
\??\c:\pjdjp.exec:\pjdjp.exe23⤵
- Executes dropped EXE
-
\??\c:\jpppv.exec:\jpppv.exe24⤵
- Executes dropped EXE
-
\??\c:\xrlrxlx.exec:\xrlrxlx.exe25⤵
- Executes dropped EXE
-
\??\c:\7rrfrxl.exec:\7rrfrxl.exe26⤵
- Executes dropped EXE
-
\??\c:\nhnthn.exec:\nhnthn.exe27⤵
- Executes dropped EXE
-
\??\c:\9hhhhn.exec:\9hhhhn.exe28⤵
- Executes dropped EXE
-
\??\c:\ppjvd.exec:\ppjvd.exe29⤵
- Executes dropped EXE
-
\??\c:\jjddd.exec:\jjddd.exe30⤵
- Executes dropped EXE
-
\??\c:\ffxrflx.exec:\ffxrflx.exe31⤵
- Executes dropped EXE
-
\??\c:\3xllllr.exec:\3xllllr.exe32⤵
- Executes dropped EXE
-
\??\c:\nhtbtt.exec:\nhtbtt.exe33⤵
- Executes dropped EXE
-
\??\c:\ttnnbh.exec:\ttnnbh.exe34⤵
- Executes dropped EXE
-
\??\c:\vpdpj.exec:\vpdpj.exe35⤵
- Executes dropped EXE
-
\??\c:\ppppj.exec:\ppppj.exe36⤵
- Executes dropped EXE
-
\??\c:\lxxxfrf.exec:\lxxxfrf.exe37⤵
- Executes dropped EXE
-
\??\c:\lrlflxx.exec:\lrlflxx.exe38⤵
- Executes dropped EXE
-
\??\c:\nhthht.exec:\nhthht.exe39⤵
- Executes dropped EXE
-
\??\c:\3thhth.exec:\3thhth.exe40⤵
- Executes dropped EXE
-
\??\c:\1jdjj.exec:\1jdjj.exe41⤵
- Executes dropped EXE
-
\??\c:\frlfflx.exec:\frlfflx.exe42⤵
- Executes dropped EXE
-
\??\c:\nhntbh.exec:\nhntbh.exe43⤵
- Executes dropped EXE
-
\??\c:\jpjdv.exec:\jpjdv.exe44⤵
- Executes dropped EXE
-
\??\c:\3rxflxl.exec:\3rxflxl.exe45⤵
- Executes dropped EXE
-
\??\c:\bhbnhb.exec:\bhbnhb.exe46⤵
- Executes dropped EXE
-
\??\c:\dvdvj.exec:\dvdvj.exe47⤵
- Executes dropped EXE
-
\??\c:\fflrffr.exec:\fflrffr.exe48⤵
- Executes dropped EXE
-
\??\c:\nnnnht.exec:\nnnnht.exe49⤵
- Executes dropped EXE
-
\??\c:\nnthnb.exec:\nnthnb.exe50⤵
- Executes dropped EXE
-
\??\c:\pjvpd.exec:\pjvpd.exe51⤵
- Executes dropped EXE
-
\??\c:\fxlrllr.exec:\fxlrllr.exe52⤵
- Executes dropped EXE
-
\??\c:\tbthth.exec:\tbthth.exe53⤵
- Executes dropped EXE
-
\??\c:\5hnhtb.exec:\5hnhtb.exe54⤵
- Executes dropped EXE
-
\??\c:\ddjpj.exec:\ddjpj.exe55⤵
- Executes dropped EXE
-
\??\c:\9rlrrfr.exec:\9rlrrfr.exe56⤵
- Executes dropped EXE
-
\??\c:\tnhnhn.exec:\tnhnhn.exe57⤵
- Executes dropped EXE
-
\??\c:\hhtnbh.exec:\hhtnbh.exe58⤵
- Executes dropped EXE
-
\??\c:\vpjdp.exec:\vpjdp.exe59⤵
- Executes dropped EXE
-
\??\c:\xxrfrxl.exec:\xxrfrxl.exe60⤵
- Executes dropped EXE
-
\??\c:\3rxlfrl.exec:\3rxlfrl.exe61⤵
- Executes dropped EXE
-
\??\c:\rxlfrlf.exec:\rxlfrlf.exe62⤵
- Executes dropped EXE
-
\??\c:\hhtbtt.exec:\hhtbtt.exe63⤵
- Executes dropped EXE
-
\??\c:\tnbtnb.exec:\tnbtnb.exe64⤵
- Executes dropped EXE
-
\??\c:\1vpvv.exec:\1vpvv.exe65⤵
- Executes dropped EXE
-
\??\c:\ddjvp.exec:\ddjvp.exe66⤵
-
\??\c:\lfrrxfx.exec:\lfrrxfx.exe67⤵
-
\??\c:\llxrfrf.exec:\llxrfrf.exe68⤵
-
\??\c:\nnhnnt.exec:\nnhnnt.exe69⤵
-
\??\c:\ttthht.exec:\ttthht.exe70⤵
-
\??\c:\ppjvd.exec:\ppjvd.exe71⤵
-
\??\c:\9jddv.exec:\9jddv.exe72⤵
-
\??\c:\7flfxxx.exec:\7flfxxx.exe73⤵
-
\??\c:\ffllrxl.exec:\ffllrxl.exe74⤵
-
\??\c:\7nbtnb.exec:\7nbtnb.exe75⤵
-
\??\c:\5ppdv.exec:\5ppdv.exe76⤵
-
\??\c:\dddpj.exec:\dddpj.exe77⤵
-
\??\c:\pjdjj.exec:\pjdjj.exe78⤵
-
\??\c:\rlllrxl.exec:\rlllrxl.exe79⤵
-
\??\c:\7thnbh.exec:\7thnbh.exe80⤵
-
\??\c:\9nhbtn.exec:\9nhbtn.exe81⤵
-
\??\c:\5ppdj.exec:\5ppdj.exe82⤵
-
\??\c:\vpppp.exec:\vpppp.exe83⤵
-
\??\c:\9lxxlxr.exec:\9lxxlxr.exe84⤵
-
\??\c:\flrlfrl.exec:\flrlfrl.exe85⤵
-
\??\c:\xfxxrfl.exec:\xfxxrfl.exe86⤵
-
\??\c:\hbhnhn.exec:\hbhnhn.exe87⤵
-
\??\c:\bnnbbh.exec:\bnnbbh.exe88⤵
-
\??\c:\vvpjj.exec:\vvpjj.exe89⤵
-
\??\c:\vpddv.exec:\vpddv.exe90⤵
-
\??\c:\ffffxlf.exec:\ffffxlf.exe91⤵
-
\??\c:\9lfrlxf.exec:\9lfrlxf.exe92⤵
-
\??\c:\hntntt.exec:\hntntt.exe93⤵
-
\??\c:\tbntbh.exec:\tbntbh.exe94⤵
-
\??\c:\ppvpp.exec:\ppvpp.exe95⤵
-
\??\c:\1jddj.exec:\1jddj.exe96⤵
-
\??\c:\xxrfffl.exec:\xxrfffl.exe97⤵
-
\??\c:\xlxflrr.exec:\xlxflrr.exe98⤵
-
\??\c:\bbnnhn.exec:\bbnnhn.exe99⤵
-
\??\c:\tnbnnn.exec:\tnbnnn.exe100⤵
-
\??\c:\ppvpp.exec:\ppvpp.exe101⤵
-
\??\c:\vvpvj.exec:\vvpvj.exe102⤵
-
\??\c:\ffxllxl.exec:\ffxllxl.exe103⤵
-
\??\c:\llrfflr.exec:\llrfflr.exe104⤵
-
\??\c:\1hbhtb.exec:\1hbhtb.exe105⤵
-
\??\c:\nnhthh.exec:\nnhthh.exe106⤵
-
\??\c:\ddvpj.exec:\ddvpj.exe107⤵
-
\??\c:\vjppj.exec:\vjppj.exe108⤵
-
\??\c:\fxxlrfr.exec:\fxxlrfr.exe109⤵
-
\??\c:\xlxfrxf.exec:\xlxfrxf.exe110⤵
-
\??\c:\ttthnh.exec:\ttthnh.exe111⤵
-
\??\c:\nhbnbh.exec:\nhbnbh.exe112⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe113⤵
-
\??\c:\vpppp.exec:\vpppp.exe114⤵
-
\??\c:\rxxllxx.exec:\rxxllxx.exe115⤵
-
\??\c:\9ffllrx.exec:\9ffllrx.exe116⤵
-
\??\c:\hbnhth.exec:\hbnhth.exe117⤵
-
\??\c:\bththb.exec:\bththb.exe118⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe119⤵
-
\??\c:\vpddv.exec:\vpddv.exe120⤵
-
\??\c:\9rlrfff.exec:\9rlrfff.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-