Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11/09/2024, 03:44
General
-
Target
e49bf9cce2b81bd69e0d8ff004817a6c86fa0fe838bdd571cd747b93cb7c35f8.exe
-
Size
249KB
-
MD5
977911e4ef768c58c6b7001d425548c4
-
SHA1
95c8d45a2f2a5fdc76da6ad3b1dea07a74a4290a
-
SHA256
e49bf9cce2b81bd69e0d8ff004817a6c86fa0fe838bdd571cd747b93cb7c35f8
-
SHA512
896cd9defcd11a818d65d262041ef2e09981e7aa575e8e0dd88e71b503922da271e67b755d1a39ae12ee74d0129931b2debc666a259fd7012c1c4ef63c295d26
-
SSDEEP
6144:n3C9BRo/AIX27NHWpU00VIxas1oa3YiFRlitB:n3C9uD6AUDCa4NYmRMj
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e49bf9cce2b81bd69e0d8ff004817a6c86fa0fe838bdd571cd747b93cb7c35f8.exe"C:\Users\Admin\AppData\Local\Temp\e49bf9cce2b81bd69e0d8ff004817a6c86fa0fe838bdd571cd747b93cb7c35f8.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3nhhbb.exec:\3nhhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppvj.exec:\pppvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdvj.exec:\vvdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfrxfx.exec:\llfrxfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhhtt.exec:\nnhhtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dvvd.exec:\9dvvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhnhnh.exec:\bhnhnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxrxll.exec:\lrxrxll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbttnh.exec:\hbttnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpddp.exec:\vpddp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrlxrx.exec:\lrrlxrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnbht.exec:\nnnbht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvpjp.exec:\pvpjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5lrlfll.exec:\5lrlfll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ppvd.exec:\7ppvd.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\dppvd.exec:\dppvd.exe17⤵
- Executes dropped EXE
-
\??\c:\lfrrxfl.exec:\lfrrxfl.exe18⤵
- Executes dropped EXE
-
\??\c:\pvjjj.exec:\pvjjj.exe19⤵
- Executes dropped EXE
-
\??\c:\flflxxr.exec:\flflxxr.exe20⤵
- Executes dropped EXE
-
\??\c:\bbntbh.exec:\bbntbh.exe21⤵
- Executes dropped EXE
-
\??\c:\nhbhnb.exec:\nhbhnb.exe22⤵
- Executes dropped EXE
-
\??\c:\vdjvp.exec:\vdjvp.exe23⤵
- Executes dropped EXE
-
\??\c:\nthhnh.exec:\nthhnh.exe24⤵
- Executes dropped EXE
-
\??\c:\xfrffxx.exec:\xfrffxx.exe25⤵
- Executes dropped EXE
-
\??\c:\tbhtnn.exec:\tbhtnn.exe26⤵
- Executes dropped EXE
-
\??\c:\9hhtbn.exec:\9hhtbn.exe27⤵
- Executes dropped EXE
-
\??\c:\jvdpv.exec:\jvdpv.exe28⤵
- Executes dropped EXE
-
\??\c:\btnbht.exec:\btnbht.exe29⤵
- Executes dropped EXE
-
\??\c:\hbthtb.exec:\hbthtb.exe30⤵
- Executes dropped EXE
-
\??\c:\1vppd.exec:\1vppd.exe31⤵
- Executes dropped EXE
-
\??\c:\1xxflrx.exec:\1xxflrx.exe32⤵
- Executes dropped EXE
-
\??\c:\dpjpv.exec:\dpjpv.exe33⤵
- Executes dropped EXE
-
\??\c:\tbhbbb.exec:\tbhbbb.exe34⤵
- Executes dropped EXE
-
\??\c:\vvjvd.exec:\vvjvd.exe35⤵
- Executes dropped EXE
-
\??\c:\pvvvj.exec:\pvvvj.exe36⤵
- Executes dropped EXE
-
\??\c:\fxllxff.exec:\fxllxff.exe37⤵
- Executes dropped EXE
-
\??\c:\bbnbhn.exec:\bbnbhn.exe38⤵
- Executes dropped EXE
-
\??\c:\nnbhhh.exec:\nnbhhh.exe39⤵
- Executes dropped EXE
-
\??\c:\vjdvp.exec:\vjdvp.exe40⤵
- Executes dropped EXE
-
\??\c:\rrrlxll.exec:\rrrlxll.exe41⤵
- Executes dropped EXE
-
\??\c:\rflxxll.exec:\rflxxll.exe42⤵
- Executes dropped EXE
-
\??\c:\bbnnbt.exec:\bbnnbt.exe43⤵
- Executes dropped EXE
-
\??\c:\1jddp.exec:\1jddp.exe44⤵
- Executes dropped EXE
-
\??\c:\ffxfxlx.exec:\ffxfxlx.exe45⤵
- Executes dropped EXE
-
\??\c:\fllxrlr.exec:\fllxrlr.exe46⤵
- Executes dropped EXE
-
\??\c:\tbhhtn.exec:\tbhhtn.exe47⤵
- Executes dropped EXE
-
\??\c:\pppvj.exec:\pppvj.exe48⤵
- Executes dropped EXE
-
\??\c:\xfxrxxx.exec:\xfxrxxx.exe49⤵
- Executes dropped EXE
-
\??\c:\fxrxlrx.exec:\fxrxlrx.exe50⤵
- Executes dropped EXE
-
\??\c:\nnbhtb.exec:\nnbhtb.exe51⤵
- Executes dropped EXE
-
\??\c:\djjjd.exec:\djjjd.exe52⤵
- Executes dropped EXE
-
\??\c:\dddjj.exec:\dddjj.exe53⤵
- Executes dropped EXE
-
\??\c:\lxfxrll.exec:\lxfxrll.exe54⤵
- Executes dropped EXE
-
\??\c:\nhbtnh.exec:\nhbtnh.exe55⤵
- Executes dropped EXE
-
\??\c:\tttbth.exec:\tttbth.exe56⤵
- Executes dropped EXE
-
\??\c:\vpjvp.exec:\vpjvp.exe57⤵
- Executes dropped EXE
-
\??\c:\rxrfxrr.exec:\rxrfxrr.exe58⤵
- Executes dropped EXE
-
\??\c:\ttttnn.exec:\ttttnn.exe59⤵
- Executes dropped EXE
-
\??\c:\7tbnhb.exec:\7tbnhb.exe60⤵
- Executes dropped EXE
-
\??\c:\ppjpj.exec:\ppjpj.exe61⤵
- Executes dropped EXE
-
\??\c:\xffxxrr.exec:\xffxxrr.exe62⤵
- Executes dropped EXE
-
\??\c:\3nnthn.exec:\3nnthn.exe63⤵
- Executes dropped EXE
-
\??\c:\hththn.exec:\hththn.exe64⤵
- Executes dropped EXE
-
\??\c:\vpdjj.exec:\vpdjj.exe65⤵
- Executes dropped EXE
-
\??\c:\rlrfrfr.exec:\rlrfrfr.exe66⤵
-
\??\c:\lfrxffx.exec:\lfrxffx.exe67⤵
-
\??\c:\bbtthh.exec:\bbtthh.exe68⤵
-
\??\c:\pdpjj.exec:\pdpjj.exe69⤵
-
\??\c:\fllxlxf.exec:\fllxlxf.exe70⤵
-
\??\c:\7tttbn.exec:\7tttbn.exe71⤵
-
\??\c:\hhtnbb.exec:\hhtnbb.exe72⤵
-
\??\c:\vdpjp.exec:\vdpjp.exe73⤵
-
\??\c:\fxxfflf.exec:\fxxfflf.exe74⤵
-
\??\c:\xxllrxf.exec:\xxllrxf.exe75⤵
-
\??\c:\tthbnt.exec:\tthbnt.exe76⤵
-
\??\c:\pjvvj.exec:\pjvvj.exe77⤵
-
\??\c:\jdvvj.exec:\jdvvj.exe78⤵
-
\??\c:\5ffrllx.exec:\5ffrllx.exe79⤵
-
\??\c:\nttbhb.exec:\nttbhb.exe80⤵
-
\??\c:\bbtnhn.exec:\bbtnhn.exe81⤵
-
\??\c:\jdvdv.exec:\jdvdv.exe82⤵
-
\??\c:\rlxfxxl.exec:\rlxfxxl.exe83⤵
-
\??\c:\bhbbbn.exec:\bhbbbn.exe84⤵
-
\??\c:\5tbhtn.exec:\5tbhtn.exe85⤵
-
\??\c:\jjdpd.exec:\jjdpd.exe86⤵
-
\??\c:\flrlfrr.exec:\flrlfrr.exe87⤵
-
\??\c:\lrlxrff.exec:\lrlxrff.exe88⤵
-
\??\c:\tnthhb.exec:\tnthhb.exe89⤵
-
\??\c:\djpjj.exec:\djpjj.exe90⤵
-
\??\c:\rrlxfxr.exec:\rrlxfxr.exe91⤵
-
\??\c:\rrlxlxr.exec:\rrlxlxr.exe92⤵
-
\??\c:\hhbnbh.exec:\hhbnbh.exe93⤵
-
\??\c:\jppdp.exec:\jppdp.exe94⤵
-
\??\c:\5ddvv.exec:\5ddvv.exe95⤵
-
\??\c:\rrrfxrf.exec:\rrrfxrf.exe96⤵
-
\??\c:\tbbtnb.exec:\tbbtnb.exe97⤵
-
\??\c:\nttnht.exec:\nttnht.exe98⤵
-
\??\c:\5jjdv.exec:\5jjdv.exe99⤵
-
\??\c:\9xxfxrf.exec:\9xxfxrf.exe100⤵
-
\??\c:\9xxfrfl.exec:\9xxfrfl.exe101⤵
-
\??\c:\3bbnbn.exec:\3bbnbn.exe102⤵
-
\??\c:\7dvvd.exec:\7dvvd.exe103⤵
-
\??\c:\7jjvp.exec:\7jjvp.exe104⤵
-
\??\c:\llrxlrf.exec:\llrxlrf.exe105⤵
-
\??\c:\nhthht.exec:\nhthht.exe106⤵
-
\??\c:\bbbhbh.exec:\bbbhbh.exe107⤵
-
\??\c:\3jpvv.exec:\3jpvv.exe108⤵
-
\??\c:\llxffrl.exec:\llxffrl.exe109⤵
-
\??\c:\xrlxrxf.exec:\xrlxrxf.exe110⤵
-
\??\c:\7nhtnt.exec:\7nhtnt.exe111⤵
-
\??\c:\7pjpj.exec:\7pjpj.exe112⤵
-
\??\c:\7djpj.exec:\7djpj.exe113⤵
-
\??\c:\1fxfxfr.exec:\1fxfxfr.exe114⤵
-
\??\c:\7hhnbt.exec:\7hhnbt.exe115⤵
-
\??\c:\1vpvj.exec:\1vpvj.exe116⤵
-
\??\c:\5vvdd.exec:\5vvdd.exe117⤵
-
\??\c:\xflxfxx.exec:\xflxfxx.exe118⤵
-
\??\c:\xrrllrx.exec:\xrrllrx.exe119⤵
-
\??\c:\hhtnnh.exec:\hhtnnh.exe120⤵
-
\??\c:\7vdvp.exec:\7vdvp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-