Analysis
-
max time kernel
150s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
12/09/2024, 10:21
General
-
Target
d563a043939763a3ea8939d2b98aa1ab026a6553bdf1af0c16a02619289293e7.exe
-
Size
71KB
-
MD5
074ecd6894a7613dd0fd083864d3b5e0
-
SHA1
9eb0e7547db632f030a7c8f320e28562c635941d
-
SHA256
d563a043939763a3ea8939d2b98aa1ab026a6553bdf1af0c16a02619289293e7
-
SHA512
7c3996cc09cebe77563b7b9a9ee07e932f4d135c2a95cfca5af72359e14845a00259ca8cce71aa818efef9d76492dae46c556067de3ab35cfe9229c0f14b1b44
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjf3:ymb3NkkiQ3mdBjFI4Vv3
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d563a043939763a3ea8939d2b98aa1ab026a6553bdf1af0c16a02619289293e7.exe"C:\Users\Admin\AppData\Local\Temp\d563a043939763a3ea8939d2b98aa1ab026a6553bdf1af0c16a02619289293e7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\fhblrb.exec:\fhblrb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxbvb.exec:\fxbvb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rtjlvn.exec:\rtjlvn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjprd.exec:\jjjprd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thlpp.exec:\thlpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vnnjnff.exec:\vnnjnff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hpxpffv.exec:\hpxpffv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jxxnvj.exec:\jxxnvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnlxd.exec:\bnlxd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfptx.exec:\xfptx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tdnttd.exec:\tdnttd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ljttlxj.exec:\ljttlxj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pxpjnr.exec:\pxpjnr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbtfv.exec:\tbtfv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lbxtdh.exec:\lbxtdh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dptvdn.exec:\dptvdn.exe17⤵
- Executes dropped EXE
-
\??\c:\nxrbd.exec:\nxrbd.exe18⤵
- Executes dropped EXE
-
\??\c:\rnvnfp.exec:\rnvnfp.exe19⤵
- Executes dropped EXE
-
\??\c:\njttltl.exec:\njttltl.exe20⤵
- Executes dropped EXE
-
\??\c:\rdfhj.exec:\rdfhj.exe21⤵
- Executes dropped EXE
-
\??\c:\jlplxn.exec:\jlplxn.exe22⤵
- Executes dropped EXE
-
\??\c:\hbfdnvp.exec:\hbfdnvp.exe23⤵
- Executes dropped EXE
-
\??\c:\xlvljbn.exec:\xlvljbn.exe24⤵
- Executes dropped EXE
-
\??\c:\phvnflf.exec:\phvnflf.exe25⤵
- Executes dropped EXE
-
\??\c:\nhjpdr.exec:\nhjpdr.exe26⤵
- Executes dropped EXE
-
\??\c:\jphftrl.exec:\jphftrl.exe27⤵
- Executes dropped EXE
-
\??\c:\rtxpxb.exec:\rtxpxb.exe28⤵
- Executes dropped EXE
-
\??\c:\vrjhrrl.exec:\vrjhrrl.exe29⤵
- Executes dropped EXE
-
\??\c:\plrpf.exec:\plrpf.exe30⤵
- Executes dropped EXE
-
\??\c:\xnhdtj.exec:\xnhdtj.exe31⤵
- Executes dropped EXE
-
\??\c:\nvvffj.exec:\nvvffj.exe32⤵
- Executes dropped EXE
-
\??\c:\tvjdr.exec:\tvjdr.exe33⤵
- Executes dropped EXE
-
\??\c:\nthjn.exec:\nthjn.exe34⤵
- Executes dropped EXE
-
\??\c:\fjbxvh.exec:\fjbxvh.exe35⤵
- Executes dropped EXE
-
\??\c:\jnbtlt.exec:\jnbtlt.exe36⤵
- Executes dropped EXE
-
\??\c:\fnfvbh.exec:\fnfvbh.exe37⤵
- Executes dropped EXE
-
\??\c:\nffbtvb.exec:\nffbtvb.exe38⤵
- Executes dropped EXE
-
\??\c:\pvdfbp.exec:\pvdfbp.exe39⤵
- Executes dropped EXE
-
\??\c:\vnnvd.exec:\vnnvd.exe40⤵
- Executes dropped EXE
-
\??\c:\rnjlx.exec:\rnjlx.exe41⤵
- Executes dropped EXE
-
\??\c:\dbrnn.exec:\dbrnn.exe42⤵
- Executes dropped EXE
-
\??\c:\ltxpplf.exec:\ltxpplf.exe43⤵
- Executes dropped EXE
-
\??\c:\ljjlr.exec:\ljjlr.exe44⤵
- Executes dropped EXE
-
\??\c:\xhrpv.exec:\xhrpv.exe45⤵
- Executes dropped EXE
-
\??\c:\fbvtn.exec:\fbvtn.exe46⤵
- Executes dropped EXE
-
\??\c:\lvlpxfb.exec:\lvlpxfb.exe47⤵
- Executes dropped EXE
-
\??\c:\dvrvn.exec:\dvrvn.exe48⤵
- Executes dropped EXE
-
\??\c:\btjtndn.exec:\btjtndn.exe49⤵
- Executes dropped EXE
-
\??\c:\ldxffpt.exec:\ldxffpt.exe50⤵
- Executes dropped EXE
-
\??\c:\bjhrn.exec:\bjhrn.exe51⤵
- Executes dropped EXE
-
\??\c:\hrhfvlv.exec:\hrhfvlv.exe52⤵
- Executes dropped EXE
-
\??\c:\rpdrrx.exec:\rpdrrx.exe53⤵
- Executes dropped EXE
-
\??\c:\hdpjj.exec:\hdpjj.exe54⤵
- Executes dropped EXE
-
\??\c:\jjjhh.exec:\jjjhh.exe55⤵
- Executes dropped EXE
-
\??\c:\hnhdf.exec:\hnhdf.exe56⤵
- Executes dropped EXE
-
\??\c:\rrntfpx.exec:\rrntfpx.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\dxdptt.exec:\dxdptt.exe58⤵
- Executes dropped EXE
-
\??\c:\hpxjn.exec:\hpxjn.exe59⤵
- Executes dropped EXE
-
\??\c:\dflxt.exec:\dflxt.exe60⤵
- Executes dropped EXE
-
\??\c:\vtvnlft.exec:\vtvnlft.exe61⤵
- Executes dropped EXE
-
\??\c:\pdvprh.exec:\pdvprh.exe62⤵
- Executes dropped EXE
-
\??\c:\vrxvd.exec:\vrxvd.exe63⤵
- Executes dropped EXE
-
\??\c:\xtxbdt.exec:\xtxbdt.exe64⤵
- Executes dropped EXE
-
\??\c:\flxhbtn.exec:\flxhbtn.exe65⤵
- Executes dropped EXE
-
\??\c:\rtjlj.exec:\rtjlj.exe66⤵
-
\??\c:\pvtnvxt.exec:\pvtnvxt.exe67⤵
-
\??\c:\dxfhf.exec:\dxfhf.exe68⤵
-
\??\c:\jlvlhf.exec:\jlvlhf.exe69⤵
-
\??\c:\hpjtljl.exec:\hpjtljl.exe70⤵
-
\??\c:\dljxtbt.exec:\dljxtbt.exe71⤵
-
\??\c:\hvpfrtf.exec:\hvpfrtf.exe72⤵
-
\??\c:\lvvbv.exec:\lvvbv.exe73⤵
-
\??\c:\vdjvdvp.exec:\vdjvdvp.exe74⤵
-
\??\c:\pxdrlp.exec:\pxdrlp.exe75⤵
-
\??\c:\tlvrt.exec:\tlvrt.exe76⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rfhth.exec:\rfhth.exe77⤵
-
\??\c:\vfvvjbv.exec:\vfvvjbv.exe78⤵
-
\??\c:\lbnxdf.exec:\lbnxdf.exe79⤵
-
\??\c:\vnldjf.exec:\vnldjf.exe80⤵
-
\??\c:\dltjlvp.exec:\dltjlvp.exe81⤵
-
\??\c:\vtrjtn.exec:\vtrjtn.exe82⤵
-
\??\c:\ndvbr.exec:\ndvbr.exe83⤵
-
\??\c:\xfnldvv.exec:\xfnldvv.exe84⤵
-
\??\c:\jrdlhff.exec:\jrdlhff.exe85⤵
-
\??\c:\hlnpb.exec:\hlnpb.exe86⤵
-
\??\c:\jvfptv.exec:\jvfptv.exe87⤵
-
\??\c:\dftjb.exec:\dftjb.exe88⤵
-
\??\c:\tpffv.exec:\tpffv.exe89⤵
-
\??\c:\bfljfhr.exec:\bfljfhr.exe90⤵
-
\??\c:\btvtrv.exec:\btvtrv.exe91⤵
-
\??\c:\nbbfl.exec:\nbbfl.exe92⤵
- System Location Discovery: System Language Discovery
-
\??\c:\dhlvrhl.exec:\dhlvrhl.exe93⤵
-
\??\c:\rrpvrv.exec:\rrpvrv.exe94⤵
-
\??\c:\btxlrnr.exec:\btxlrnr.exe95⤵
-
\??\c:\fpbfpl.exec:\fpbfpl.exe96⤵
-
\??\c:\ltphht.exec:\ltphht.exe97⤵
-
\??\c:\tjfvnt.exec:\tjfvnt.exe98⤵
-
\??\c:\tpbvlpd.exec:\tpbvlpd.exe99⤵
-
\??\c:\xlvvxt.exec:\xlvvxt.exe100⤵
-
\??\c:\bvbnrd.exec:\bvbnrd.exe101⤵
-
\??\c:\lrtjjff.exec:\lrtjjff.exe102⤵
-
\??\c:\jnbvvrb.exec:\jnbvvrb.exe103⤵
-
\??\c:\vjtpfj.exec:\vjtpfj.exe104⤵
-
\??\c:\rjlbn.exec:\rjlbn.exe105⤵
-
\??\c:\hjpxrhv.exec:\hjpxrhv.exe106⤵
-
\??\c:\hlfplt.exec:\hlfplt.exe107⤵
-
\??\c:\rvdlx.exec:\rvdlx.exe108⤵
-
\??\c:\fxfrdb.exec:\fxfrdb.exe109⤵
-
\??\c:\lbthvl.exec:\lbthvl.exe110⤵
-
\??\c:\xthxl.exec:\xthxl.exe111⤵
-
\??\c:\fjjbtx.exec:\fjjbtx.exe112⤵
-
\??\c:\fvnftdp.exec:\fvnftdp.exe113⤵
-
\??\c:\jhhrv.exec:\jhhrv.exe114⤵
-
\??\c:\dvlfh.exec:\dvlfh.exe115⤵
-
\??\c:\rblptvt.exec:\rblptvt.exe116⤵
-
\??\c:\vfdnn.exec:\vfdnn.exe117⤵
-
\??\c:\dhxhbb.exec:\dhxhbb.exe118⤵
-
\??\c:\bvdfp.exec:\bvdfp.exe119⤵
-
\??\c:\fjxnfjv.exec:\fjxnfjv.exe120⤵
-
\??\c:\ftptf.exec:\ftptf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-