Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
11-09-2024 05:23
General
-
Target
7f6fb5b7c50fa7773545c8c2112189a0N.exe
-
Size
82KB
-
MD5
7f6fb5b7c50fa7773545c8c2112189a0
-
SHA1
529b3c9ad72c977c5ad64a765c07b3ed64f0e58f
-
SHA256
a5a1c4fcf2518b4d73d53569fdaa1f36773836081975ab35080769c55461b667
-
SHA512
0aea601c91b5f4212b6f5e723557f00447c81d7284f828c7068e90e031931b5a08c1face0179fb49205f87cc3e4d8806ffb1df8e22e188df7eef4a37fdf0bacf
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89QFq:ymb3NkkiQ3mdBjFIIp9L9QrrA8T
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f6fb5b7c50fa7773545c8c2112189a0N.exe"C:\Users\Admin\AppData\Local\Temp\7f6fb5b7c50fa7773545c8c2112189a0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnntt.exec:\nhnntt.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjjv.exec:\jvjjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrlrxf.exec:\fxrlrxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnhntb.exec:\hnhntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdpv.exec:\pvdpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rlrlrf.exec:\3rlrlrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5btbhb.exec:\5btbhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbbh.exec:\btnbbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjpv.exec:\dpjpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrllflx.exec:\xrllflx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3frrxxl.exec:\3frrxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btthtb.exec:\btthtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbnth.exec:\tnbnth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvdp.exec:\jjvdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxrrf.exec:\lfrxrrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rrfffr.exec:\3rrfffr.exe17⤵
- Executes dropped EXE
-
\??\c:\hthbnb.exec:\hthbnb.exe18⤵
- Executes dropped EXE
-
\??\c:\pdvdp.exec:\pdvdp.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\7xrllrx.exec:\7xrllrx.exe20⤵
- Executes dropped EXE
-
\??\c:\3xrlrlr.exec:\3xrlrlr.exe21⤵
- Executes dropped EXE
-
\??\c:\htbtbh.exec:\htbtbh.exe22⤵
- Executes dropped EXE
-
\??\c:\9tntnh.exec:\9tntnh.exe23⤵
- Executes dropped EXE
-
\??\c:\djdjv.exec:\djdjv.exe24⤵
- Executes dropped EXE
-
\??\c:\3fllrrx.exec:\3fllrrx.exe25⤵
- Executes dropped EXE
-
\??\c:\xrfxfll.exec:\xrfxfll.exe26⤵
- Executes dropped EXE
-
\??\c:\3nhhnh.exec:\3nhhnh.exe27⤵
- Executes dropped EXE
-
\??\c:\btntbt.exec:\btntbt.exe28⤵
- Executes dropped EXE
-
\??\c:\1dpdp.exec:\1dpdp.exe29⤵
- Executes dropped EXE
-
\??\c:\lxxflxl.exec:\lxxflxl.exe30⤵
- Executes dropped EXE
-
\??\c:\fxlrxfl.exec:\fxlrxfl.exe31⤵
- Executes dropped EXE
-
\??\c:\hhthbh.exec:\hhthbh.exe32⤵
- Executes dropped EXE
-
\??\c:\3vpvd.exec:\3vpvd.exe33⤵
- Executes dropped EXE
-
\??\c:\pjvpj.exec:\pjvpj.exe34⤵
- Executes dropped EXE
-
\??\c:\lxrxxfx.exec:\lxrxxfx.exe35⤵
- Executes dropped EXE
-
\??\c:\7lxxflr.exec:\7lxxflr.exe36⤵
- Executes dropped EXE
-
\??\c:\tntbtt.exec:\tntbtt.exe37⤵
- Executes dropped EXE
-
\??\c:\tnbtnh.exec:\tnbtnh.exe38⤵
- Executes dropped EXE
-
\??\c:\vjvdj.exec:\vjvdj.exe39⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe40⤵
- Executes dropped EXE
-
\??\c:\xxllxxl.exec:\xxllxxl.exe41⤵
- Executes dropped EXE
-
\??\c:\xrrxxlx.exec:\xrrxxlx.exe42⤵
- Executes dropped EXE
-
\??\c:\7rrxffl.exec:\7rrxffl.exe43⤵
- Executes dropped EXE
-
\??\c:\tntbbh.exec:\tntbbh.exe44⤵
- Executes dropped EXE
-
\??\c:\tbbbhb.exec:\tbbbhb.exe45⤵
- Executes dropped EXE
-
\??\c:\1dvvd.exec:\1dvvd.exe46⤵
- Executes dropped EXE
-
\??\c:\lxrrffl.exec:\lxrrffl.exe47⤵
- Executes dropped EXE
-
\??\c:\9bnnnb.exec:\9bnnnb.exe48⤵
- Executes dropped EXE
-
\??\c:\ntbhbh.exec:\ntbhbh.exe49⤵
- Executes dropped EXE
-
\??\c:\djdpj.exec:\djdpj.exe50⤵
- Executes dropped EXE
-
\??\c:\vpjvd.exec:\vpjvd.exe51⤵
- Executes dropped EXE
-
\??\c:\5xrllff.exec:\5xrllff.exe52⤵
- Executes dropped EXE
-
\??\c:\fxxxlrr.exec:\fxxxlrr.exe53⤵
- Executes dropped EXE
-
\??\c:\5hbhnh.exec:\5hbhnh.exe54⤵
- Executes dropped EXE
-
\??\c:\tntbbh.exec:\tntbbh.exe55⤵
- Executes dropped EXE
-
\??\c:\pdvpp.exec:\pdvpp.exe56⤵
- Executes dropped EXE
-
\??\c:\pvdpj.exec:\pvdpj.exe57⤵
- Executes dropped EXE
-
\??\c:\xrrxffx.exec:\xrrxffx.exe58⤵
- Executes dropped EXE
-
\??\c:\lxfflff.exec:\lxfflff.exe59⤵
- Executes dropped EXE
-
\??\c:\tnnnhh.exec:\tnnnhh.exe60⤵
- Executes dropped EXE
-
\??\c:\nbbtht.exec:\nbbtht.exe61⤵
- Executes dropped EXE
-
\??\c:\nbnhht.exec:\nbnhht.exe62⤵
- Executes dropped EXE
-
\??\c:\pjjdv.exec:\pjjdv.exe63⤵
- Executes dropped EXE
-
\??\c:\jpvvp.exec:\jpvvp.exe64⤵
- Executes dropped EXE
-
\??\c:\xlxxfrr.exec:\xlxxfrr.exe65⤵
- Executes dropped EXE
-
\??\c:\xlxflll.exec:\xlxflll.exe66⤵
-
\??\c:\frrfxxr.exec:\frrfxxr.exe67⤵
-
\??\c:\hbnnbh.exec:\hbnnbh.exe68⤵
-
\??\c:\tnhtnb.exec:\tnhtnb.exe69⤵
-
\??\c:\ntbntb.exec:\ntbntb.exe70⤵
-
\??\c:\1vddj.exec:\1vddj.exe71⤵
-
\??\c:\7dppv.exec:\7dppv.exe72⤵
-
\??\c:\xlrrlxx.exec:\xlrrlxx.exe73⤵
-
\??\c:\lffffff.exec:\lffffff.exe74⤵
-
\??\c:\thnnhn.exec:\thnnhn.exe75⤵
-
\??\c:\tnbtnh.exec:\tnbtnh.exe76⤵
-
\??\c:\vjjjd.exec:\vjjjd.exe77⤵
-
\??\c:\jvjvp.exec:\jvjvp.exe78⤵
-
\??\c:\frxxxxl.exec:\frxxxxl.exe79⤵
-
\??\c:\lflrrrx.exec:\lflrrrx.exe80⤵
-
\??\c:\nthhhn.exec:\nthhhn.exe81⤵
-
\??\c:\9nbbhb.exec:\9nbbhb.exe82⤵
-
\??\c:\bhnnnn.exec:\bhnnnn.exe83⤵
-
\??\c:\vjvdv.exec:\vjvdv.exe84⤵
-
\??\c:\pjvdv.exec:\pjvdv.exe85⤵
-
\??\c:\7lrrrrr.exec:\7lrrrrr.exe86⤵
-
\??\c:\3hnntt.exec:\3hnntt.exe87⤵
-
\??\c:\3nnnhn.exec:\3nnnhn.exe88⤵
-
\??\c:\9nbbht.exec:\9nbbht.exe89⤵
-
\??\c:\pvpjd.exec:\pvpjd.exe90⤵
-
\??\c:\1jddd.exec:\1jddd.exe91⤵
-
\??\c:\rrxxffx.exec:\rrxxffx.exe92⤵
-
\??\c:\lxrllff.exec:\lxrllff.exe93⤵
-
\??\c:\5frflfl.exec:\5frflfl.exe94⤵
-
\??\c:\btbhnn.exec:\btbhnn.exe95⤵
-
\??\c:\tbnbbn.exec:\tbnbbn.exe96⤵
-
\??\c:\vppvv.exec:\vppvv.exe97⤵
-
\??\c:\vjpjj.exec:\vjpjj.exe98⤵
-
\??\c:\lrfrxfr.exec:\lrfrxfr.exe99⤵
-
\??\c:\rrllrfx.exec:\rrllrfx.exe100⤵
-
\??\c:\lfxxlrx.exec:\lfxxlrx.exe101⤵
-
\??\c:\ntnnnt.exec:\ntnnnt.exe102⤵
-
\??\c:\bnbhbb.exec:\bnbhbb.exe103⤵
-
\??\c:\1dpdp.exec:\1dpdp.exe104⤵
-
\??\c:\dpvpj.exec:\dpvpj.exe105⤵
-
\??\c:\flrrrrx.exec:\flrrrrx.exe106⤵
-
\??\c:\lxlrrll.exec:\lxlrrll.exe107⤵
-
\??\c:\btnbbh.exec:\btnbbh.exe108⤵
-
\??\c:\1bbbbb.exec:\1bbbbb.exe109⤵
-
\??\c:\pjddd.exec:\pjddd.exe110⤵
-
\??\c:\pvjdp.exec:\pvjdp.exe111⤵
-
\??\c:\1vdpp.exec:\1vdpp.exe112⤵
-
\??\c:\ffxlfll.exec:\ffxlfll.exe113⤵
-
\??\c:\7nhbbh.exec:\7nhbbh.exe114⤵
-
\??\c:\hbhhhb.exec:\hbhhhb.exe115⤵
-
\??\c:\dvppp.exec:\dvppp.exe116⤵
-
\??\c:\vjpjv.exec:\vjpjv.exe117⤵
-
\??\c:\vjppd.exec:\vjppd.exe118⤵
-
\??\c:\frrlfxx.exec:\frrlfxx.exe119⤵
-
\??\c:\9bhhhh.exec:\9bhhhh.exe120⤵
-
\??\c:\thnhnn.exec:\thnhnn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-