Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11/09/2024, 13:32
General
-
Target
d52e6a28da8050a2a9aaa7c1df6f5080N.exe
-
Size
592KB
-
MD5
d52e6a28da8050a2a9aaa7c1df6f5080
-
SHA1
e2734c62abe5f27d6a9f57ba720a47f6cd1a9056
-
SHA256
90b504c2aed3515b5d57e6adc34a2b917f5a44fdb27763dee23ea2388609e7fb
-
SHA512
6c9f1b61d08df11ffda05d5931eb7664858b6f0c1479d7acde1d6fd0e3410ef4669530bccbb9919a18fecf9002ee18e3e5dcdbdb554a4f96bcde4edab1826f07
-
SSDEEP
6144:n3C9BRIj+ebjcSbcY+CaQdaFOY4iGFYtRdzzoyYxJAyfgayLn:n3C9Lebz+xt4vFeFmgayj
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d52e6a28da8050a2a9aaa7c1df6f5080N.exe"C:\Users\Admin\AppData\Local\Temp\d52e6a28da8050a2a9aaa7c1df6f5080N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bdfrtdt.exec:\bdfrtdt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddtlrn.exec:\ddtlrn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pxxtll.exec:\pxxtll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\phfvpd.exec:\phfvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfddhpd.exec:\rfddhpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnljf.exec:\ttnljf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dnjltv.exec:\dnjltv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dtfnvnx.exec:\dtfnvnx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbfxd.exec:\hhbfxd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\prrrf.exec:\prrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\phrhb.exec:\phrhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jrtrpv.exec:\jrtrpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xplfd.exec:\xplfd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnlpfd.exec:\nnlpfd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\txvtl.exec:\txvtl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pbdtd.exec:\pbdtd.exe17⤵
- Executes dropped EXE
-
\??\c:\fjjhv.exec:\fjjhv.exe18⤵
- Executes dropped EXE
-
\??\c:\flxlbl.exec:\flxlbl.exe19⤵
- Executes dropped EXE
-
\??\c:\jtfvrjb.exec:\jtfvrjb.exe20⤵
- Executes dropped EXE
-
\??\c:\hfxjvb.exec:\hfxjvb.exe21⤵
- Executes dropped EXE
-
\??\c:\bvpnx.exec:\bvpnx.exe22⤵
- Executes dropped EXE
-
\??\c:\nfrdtb.exec:\nfrdtb.exe23⤵
- Executes dropped EXE
-
\??\c:\blhjx.exec:\blhjx.exe24⤵
- Executes dropped EXE
-
\??\c:\txtldx.exec:\txtldx.exe25⤵
- Executes dropped EXE
-
\??\c:\vhlnjdn.exec:\vhlnjdn.exe26⤵
- Executes dropped EXE
-
\??\c:\fxtxx.exec:\fxtxx.exe27⤵
- Executes dropped EXE
-
\??\c:\ptnhf.exec:\ptnhf.exe28⤵
- Executes dropped EXE
-
\??\c:\hxvxtlb.exec:\hxvxtlb.exe29⤵
- Executes dropped EXE
-
\??\c:\vjfphpp.exec:\vjfphpp.exe30⤵
- Executes dropped EXE
-
\??\c:\bthpnxp.exec:\bthpnxp.exe31⤵
- Executes dropped EXE
-
\??\c:\xnvhpfl.exec:\xnvhpfl.exe32⤵
- Executes dropped EXE
-
\??\c:\hlxrjx.exec:\hlxrjx.exe33⤵
- Executes dropped EXE
-
\??\c:\tlpppbp.exec:\tlpppbp.exe34⤵
- Executes dropped EXE
-
\??\c:\frbtdv.exec:\frbtdv.exe35⤵
- Executes dropped EXE
-
\??\c:\phflnpx.exec:\phflnpx.exe36⤵
- Executes dropped EXE
-
\??\c:\dbfvvd.exec:\dbfvvd.exe37⤵
- Executes dropped EXE
-
\??\c:\pddtvd.exec:\pddtvd.exe38⤵
- Executes dropped EXE
-
\??\c:\bhjxdp.exec:\bhjxdp.exe39⤵
- Executes dropped EXE
-
\??\c:\xhbtpbh.exec:\xhbtpbh.exe40⤵
- Executes dropped EXE
-
\??\c:\ttfdt.exec:\ttfdt.exe41⤵
- Executes dropped EXE
-
\??\c:\vlpdp.exec:\vlpdp.exe42⤵
- Executes dropped EXE
-
\??\c:\xhhprv.exec:\xhhprv.exe43⤵
- Executes dropped EXE
-
\??\c:\fhljpl.exec:\fhljpl.exe44⤵
- Executes dropped EXE
-
\??\c:\dtvntr.exec:\dtvntr.exe45⤵
- Executes dropped EXE
-
\??\c:\rjltxl.exec:\rjltxl.exe46⤵
- Executes dropped EXE
-
\??\c:\ldnfj.exec:\ldnfj.exe47⤵
- Executes dropped EXE
-
\??\c:\tpxvft.exec:\tpxvft.exe48⤵
- Executes dropped EXE
-
\??\c:\xvvptx.exec:\xvvptx.exe49⤵
- Executes dropped EXE
-
\??\c:\xvlbdh.exec:\xvlbdh.exe50⤵
- Executes dropped EXE
-
\??\c:\prdxddf.exec:\prdxddf.exe51⤵
- Executes dropped EXE
-
\??\c:\pbpxnl.exec:\pbpxnl.exe52⤵
- Executes dropped EXE
-
\??\c:\ffjjphp.exec:\ffjjphp.exe53⤵
- Executes dropped EXE
-
\??\c:\nnrdn.exec:\nnrdn.exe54⤵
- Executes dropped EXE
-
\??\c:\vnfvlhd.exec:\vnfvlhd.exe55⤵
- Executes dropped EXE
-
\??\c:\bbntv.exec:\bbntv.exe56⤵
- Executes dropped EXE
-
\??\c:\fndpxpb.exec:\fndpxpb.exe57⤵
- Executes dropped EXE
-
\??\c:\ljbpr.exec:\ljbpr.exe58⤵
- Executes dropped EXE
-
\??\c:\pvdvbh.exec:\pvdvbh.exe59⤵
- Executes dropped EXE
-
\??\c:\pbxprx.exec:\pbxprx.exe60⤵
- Executes dropped EXE
-
\??\c:\pvlhr.exec:\pvlhr.exe61⤵
- Executes dropped EXE
-
\??\c:\pppjhvb.exec:\pppjhvb.exe62⤵
- Executes dropped EXE
-
\??\c:\jvbrvtx.exec:\jvbrvtx.exe63⤵
- Executes dropped EXE
-
\??\c:\xllnbx.exec:\xllnbx.exe64⤵
- Executes dropped EXE
-
\??\c:\hxhnn.exec:\hxhnn.exe65⤵
- Executes dropped EXE
-
\??\c:\vjtpjlr.exec:\vjtpjlr.exe66⤵
-
\??\c:\bjjdfh.exec:\bjjdfh.exe67⤵
-
\??\c:\ljhhr.exec:\ljhhr.exe68⤵
-
\??\c:\hvtlp.exec:\hvtlp.exe69⤵
-
\??\c:\pftrxf.exec:\pftrxf.exe70⤵
-
\??\c:\rlhbpdt.exec:\rlhbpdt.exe71⤵
-
\??\c:\xxttl.exec:\xxttl.exe72⤵
-
\??\c:\blvtpvt.exec:\blvtpvt.exe73⤵
-
\??\c:\lbtnhf.exec:\lbtnhf.exe74⤵
-
\??\c:\pfvpb.exec:\pfvpb.exe75⤵
-
\??\c:\fbtdr.exec:\fbtdr.exe76⤵
-
\??\c:\xjxpn.exec:\xjxpn.exe77⤵
-
\??\c:\plvlx.exec:\plvlx.exe78⤵
-
\??\c:\bldnlx.exec:\bldnlx.exe79⤵
-
\??\c:\hxfdbfr.exec:\hxfdbfr.exe80⤵
-
\??\c:\tjhtxvn.exec:\tjhtxvn.exe81⤵
-
\??\c:\xvpltt.exec:\xvpltt.exe82⤵
-
\??\c:\frndx.exec:\frndx.exe83⤵
-
\??\c:\xlxpv.exec:\xlxpv.exe84⤵
-
\??\c:\xhfvhr.exec:\xhfvhr.exe85⤵
-
\??\c:\jnttx.exec:\jnttx.exe86⤵
-
\??\c:\vnfrf.exec:\vnfrf.exe87⤵
-
\??\c:\bjvdjx.exec:\bjvdjx.exe88⤵
-
\??\c:\trlhp.exec:\trlhp.exe89⤵
-
\??\c:\bbfbx.exec:\bbfbx.exe90⤵
-
\??\c:\lrrbjrh.exec:\lrrbjrh.exe91⤵
-
\??\c:\hnvbnd.exec:\hnvbnd.exe92⤵
-
\??\c:\vnxtlv.exec:\vnxtlv.exe93⤵
-
\??\c:\fdhbpr.exec:\fdhbpr.exe94⤵
-
\??\c:\njvbnbj.exec:\njvbnbj.exe95⤵
-
\??\c:\nvfrn.exec:\nvfrn.exe96⤵
-
\??\c:\hvtjpf.exec:\hvtjpf.exe97⤵
-
\??\c:\jpnpxhx.exec:\jpnpxhx.exe98⤵
- System Location Discovery: System Language Discovery
-
\??\c:\tbrvhl.exec:\tbrvhl.exe99⤵
-
\??\c:\dplrb.exec:\dplrb.exe100⤵
-
\??\c:\tbfvrbf.exec:\tbfvrbf.exe101⤵
-
\??\c:\npbhp.exec:\npbhp.exe102⤵
-
\??\c:\dbbbxv.exec:\dbbbxv.exe103⤵
-
\??\c:\fdnxpdl.exec:\fdnxpdl.exe104⤵
-
\??\c:\bpfhf.exec:\bpfhf.exe105⤵
- System Location Discovery: System Language Discovery
-
\??\c:\bdrfh.exec:\bdrfh.exe106⤵
-
\??\c:\thvxfv.exec:\thvxfv.exe107⤵
-
\??\c:\lpddfv.exec:\lpddfv.exe108⤵
-
\??\c:\dlxbdp.exec:\dlxbdp.exe109⤵
-
\??\c:\fxhvr.exec:\fxhvr.exe110⤵
-
\??\c:\rpjht.exec:\rpjht.exe111⤵
-
\??\c:\ttxbd.exec:\ttxbd.exe112⤵
-
\??\c:\xflbbh.exec:\xflbbh.exe113⤵
-
\??\c:\tnplt.exec:\tnplt.exe114⤵
-
\??\c:\tldtfh.exec:\tldtfh.exe115⤵
-
\??\c:\ntvjprn.exec:\ntvjprn.exe116⤵
-
\??\c:\lttlh.exec:\lttlh.exe117⤵
-
\??\c:\vxpdxxt.exec:\vxpdxxt.exe118⤵
-
\??\c:\phlpdfv.exec:\phlpdfv.exe119⤵
-
\??\c:\lpvbtj.exec:\lpvbtj.exe120⤵
-
\??\c:\dbfntt.exec:\dbfntt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-