Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11/09/2024, 16:07
General
-
Target
2e40b953d59b8804763e679e05ee0df0N.exe
-
Size
64KB
-
MD5
2e40b953d59b8804763e679e05ee0df0
-
SHA1
3f57054f718861883b2ba0dc8ac2de949fc51549
-
SHA256
08cc0842f6ae02434a696c78b43eac6963d74b913993a3b86fb8348ac410b126
-
SHA512
9543a3afd140d5406d0b97c559feab89946666d5da9f06372439c83ed09109289b3d1ca938809069eaab8afa5d451003da237767937ffc2dc3918ef58f87c181
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L279:ymb3NkkiQ3mdBjFI9m
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e40b953d59b8804763e679e05ee0df0N.exe"C:\Users\Admin\AppData\Local\Temp\2e40b953d59b8804763e679e05ee0df0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jpdjd.exec:\jpdjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfrrrx.exec:\frfrrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfxlll.exec:\lxfxlll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjpd.exec:\ppjpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5flfxrx.exec:\5flfxrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtbhb.exec:\nhtbhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvj.exec:\dvpvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflxxfl.exec:\lflxxfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thttth.exec:\thttth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhnt.exec:\nhbhnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjvd.exec:\vjjvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3llxlrl.exec:\3llxlrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bnbhb.exec:\5bnbhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbhtb.exec:\hbbhtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjpp.exec:\jdjpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfxfff.exec:\rxfxfff.exe17⤵
- Executes dropped EXE
-
\??\c:\bthhnn.exec:\bthhnn.exe18⤵
- Executes dropped EXE
-
\??\c:\7bnntb.exec:\7bnntb.exe19⤵
- Executes dropped EXE
-
\??\c:\dvdvj.exec:\dvdvj.exe20⤵
- Executes dropped EXE
-
\??\c:\3xflxxr.exec:\3xflxxr.exe21⤵
- Executes dropped EXE
-
\??\c:\btnthh.exec:\btnthh.exe22⤵
- Executes dropped EXE
-
\??\c:\nhtbtn.exec:\nhtbtn.exe23⤵
- Executes dropped EXE
-
\??\c:\jdvdj.exec:\jdvdj.exe24⤵
- Executes dropped EXE
-
\??\c:\rrlflfx.exec:\rrlflfx.exe25⤵
- Executes dropped EXE
-
\??\c:\1lxflrx.exec:\1lxflrx.exe26⤵
- Executes dropped EXE
-
\??\c:\bbhhtb.exec:\bbhhtb.exe27⤵
- Executes dropped EXE
-
\??\c:\ttbnnh.exec:\ttbnnh.exe28⤵
- Executes dropped EXE
-
\??\c:\jvjpv.exec:\jvjpv.exe29⤵
- Executes dropped EXE
-
\??\c:\lxfxfxf.exec:\lxfxfxf.exe30⤵
- Executes dropped EXE
-
\??\c:\7frrrrr.exec:\7frrrrr.exe31⤵
- Executes dropped EXE
-
\??\c:\9tnhnn.exec:\9tnhnn.exe32⤵
- Executes dropped EXE
-
\??\c:\hbnnbh.exec:\hbnnbh.exe33⤵
- Executes dropped EXE
-
\??\c:\pppjp.exec:\pppjp.exe34⤵
- Executes dropped EXE
-
\??\c:\pjddv.exec:\pjddv.exe35⤵
- Executes dropped EXE
-
\??\c:\7xlrrrr.exec:\7xlrrrr.exe36⤵
- Executes dropped EXE
-
\??\c:\frllrrx.exec:\frllrrx.exe37⤵
- Executes dropped EXE
-
\??\c:\tthhtt.exec:\tthhtt.exe38⤵
- Executes dropped EXE
-
\??\c:\bbtbhh.exec:\bbtbhh.exe39⤵
- Executes dropped EXE
-
\??\c:\tbnthh.exec:\tbnthh.exe40⤵
- Executes dropped EXE
-
\??\c:\vdjjd.exec:\vdjjd.exe41⤵
- Executes dropped EXE
-
\??\c:\pdppj.exec:\pdppj.exe42⤵
- Executes dropped EXE
-
\??\c:\7fflfxl.exec:\7fflfxl.exe43⤵
- Executes dropped EXE
-
\??\c:\xflrxlx.exec:\xflrxlx.exe44⤵
- Executes dropped EXE
-
\??\c:\tnbhtt.exec:\tnbhtt.exe45⤵
- Executes dropped EXE
-
\??\c:\thnnhb.exec:\thnnhb.exe46⤵
- Executes dropped EXE
-
\??\c:\thnbtb.exec:\thnbtb.exe47⤵
- Executes dropped EXE
-
\??\c:\jjpvj.exec:\jjpvj.exe48⤵
- Executes dropped EXE
-
\??\c:\dvdjp.exec:\dvdjp.exe49⤵
- Executes dropped EXE
-
\??\c:\lxfflfl.exec:\lxfflfl.exe50⤵
- Executes dropped EXE
-
\??\c:\7btttt.exec:\7btttt.exe51⤵
- Executes dropped EXE
-
\??\c:\1hbbbt.exec:\1hbbbt.exe52⤵
- Executes dropped EXE
-
\??\c:\ppdpp.exec:\ppdpp.exe53⤵
- Executes dropped EXE
-
\??\c:\vjdvp.exec:\vjdvp.exe54⤵
- Executes dropped EXE
-
\??\c:\7lfxffl.exec:\7lfxffl.exe55⤵
- Executes dropped EXE
-
\??\c:\1bnhnn.exec:\1bnhnn.exe56⤵
- Executes dropped EXE
-
\??\c:\vpdjd.exec:\vpdjd.exe57⤵
- Executes dropped EXE
-
\??\c:\jdpjj.exec:\jdpjj.exe58⤵
- Executes dropped EXE
-
\??\c:\1rxxxrr.exec:\1rxxxrr.exe59⤵
- Executes dropped EXE
-
\??\c:\3xrllfl.exec:\3xrllfl.exe60⤵
- Executes dropped EXE
-
\??\c:\tbbhtb.exec:\tbbhtb.exe61⤵
- Executes dropped EXE
-
\??\c:\htbttn.exec:\htbttn.exe62⤵
- Executes dropped EXE
-
\??\c:\pjpdj.exec:\pjpdj.exe63⤵
- Executes dropped EXE
-
\??\c:\djpvd.exec:\djpvd.exe64⤵
- Executes dropped EXE
-
\??\c:\frfxfxf.exec:\frfxfxf.exe65⤵
- Executes dropped EXE
-
\??\c:\bnnnbb.exec:\bnnnbb.exe66⤵
-
\??\c:\nhnnbn.exec:\nhnnbn.exe67⤵
-
\??\c:\pjvvd.exec:\pjvvd.exe68⤵
-
\??\c:\9vjjv.exec:\9vjjv.exe69⤵
-
\??\c:\jdvjp.exec:\jdvjp.exe70⤵
-
\??\c:\xflxlxf.exec:\xflxlxf.exe71⤵
-
\??\c:\rfllrrx.exec:\rfllrrx.exe72⤵
-
\??\c:\5btttn.exec:\5btttn.exe73⤵
-
\??\c:\htbhhb.exec:\htbhhb.exe74⤵
-
\??\c:\3jpvj.exec:\3jpvj.exe75⤵
-
\??\c:\5dpjp.exec:\5dpjp.exe76⤵
-
\??\c:\dpjpp.exec:\dpjpp.exe77⤵
-
\??\c:\7xllrrf.exec:\7xllrrf.exe78⤵
-
\??\c:\rfllfff.exec:\rfllfff.exe79⤵
-
\??\c:\3nhnbt.exec:\3nhnbt.exe80⤵
-
\??\c:\nbhhbt.exec:\nbhhbt.exe81⤵
-
\??\c:\jvvpp.exec:\jvvpp.exe82⤵
-
\??\c:\djjvp.exec:\djjvp.exe83⤵
-
\??\c:\7llrfrr.exec:\7llrfrr.exe84⤵
-
\??\c:\9hbbbb.exec:\9hbbbb.exe85⤵
-
\??\c:\thttbt.exec:\thttbt.exe86⤵
-
\??\c:\vppvd.exec:\vppvd.exe87⤵
-
\??\c:\3pvvd.exec:\3pvvd.exe88⤵
-
\??\c:\frxrlll.exec:\frxrlll.exe89⤵
-
\??\c:\frxfllf.exec:\frxfllf.exe90⤵
-
\??\c:\hthhtn.exec:\hthhtn.exe91⤵
-
\??\c:\htbhtb.exec:\htbhtb.exe92⤵
-
\??\c:\dvjjj.exec:\dvjjj.exe93⤵
-
\??\c:\jvjpv.exec:\jvjpv.exe94⤵
-
\??\c:\lxxfrlf.exec:\lxxfrlf.exe95⤵
-
\??\c:\9xrxxxf.exec:\9xrxxxf.exe96⤵
-
\??\c:\bthbhh.exec:\bthbhh.exe97⤵
-
\??\c:\7thnbh.exec:\7thnbh.exe98⤵
-
\??\c:\5dvvj.exec:\5dvvj.exe99⤵
-
\??\c:\9jvdj.exec:\9jvdj.exe100⤵
-
\??\c:\7xxlfxx.exec:\7xxlfxx.exe101⤵
-
\??\c:\fxfflxl.exec:\fxfflxl.exe102⤵
-
\??\c:\9thntn.exec:\9thntn.exe103⤵
-
\??\c:\dvdjv.exec:\dvdjv.exe104⤵
-
\??\c:\jpvvd.exec:\jpvvd.exe105⤵
-
\??\c:\5rllrll.exec:\5rllrll.exe106⤵
-
\??\c:\7frxxrr.exec:\7frxxrr.exe107⤵
-
\??\c:\1frflff.exec:\1frflff.exe108⤵
-
\??\c:\nbnbbb.exec:\nbnbbb.exe109⤵
-
\??\c:\9vppj.exec:\9vppj.exe110⤵
-
\??\c:\vjddj.exec:\vjddj.exe111⤵
-
\??\c:\jvddj.exec:\jvddj.exe112⤵
-
\??\c:\flllfrr.exec:\flllfrr.exe113⤵
-
\??\c:\rflffxl.exec:\rflffxl.exe114⤵
-
\??\c:\tnnbtn.exec:\tnnbtn.exe115⤵
-
\??\c:\bntbhh.exec:\bntbhh.exe116⤵
-
\??\c:\1vdvd.exec:\1vdvd.exe117⤵
-
\??\c:\1dvdj.exec:\1dvdj.exe118⤵
- System Location Discovery: System Language Discovery
-
\??\c:\1lfrxfl.exec:\1lfrxfl.exe119⤵
-
\??\c:\fxxrxrr.exec:\fxxrxrr.exe120⤵
-
\??\c:\nbbbbb.exec:\nbbbbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-