Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
12-09-2024 15:42
General
-
Target
98823d081f9d8f5b7ec5dbd17a9e0ad0N.exe
-
Size
230KB
-
MD5
98823d081f9d8f5b7ec5dbd17a9e0ad0
-
SHA1
9da4a69ecc34731a23cc1f8c0391535c609f7bb8
-
SHA256
5bb121b3a6d6dc16354110ad8849eec1e632567eef4b3b8f55d54d6eecd81fde
-
SHA512
8fc578d1ec11c309b42fdbe50560328009579cfa78776fd07424f23c521049627e78b55a98cff6b55ab3bb1c4941f23f529b887c6d22eee4a4a203934ccf3d61
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLjBeG+d:n3C9BRo7MlrWKo+lxKu
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\98823d081f9d8f5b7ec5dbd17a9e0ad0N.exe"C:\Users\Admin\AppData\Local\Temp\98823d081f9d8f5b7ec5dbd17a9e0ad0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrxlxl.exec:\xxrxlxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbthtb.exec:\tbthtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nbnhn.exec:\7nbnhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrrxxr.exec:\fxrrxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhnbb.exec:\nhhnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxfrfl.exec:\rlxfrfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ntnnn.exec:\3ntnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnntt.exec:\thnntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflffxr.exec:\rflffxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbbn.exec:\nhbbbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjpv.exec:\vvjpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrxflr.exec:\xlrxflr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1lxrfll.exec:\1lxrfll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnnht.exec:\btnnht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjjp.exec:\jdjjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxflxxx.exec:\fxflxxx.exe17⤵
- Executes dropped EXE
-
\??\c:\lflrlxl.exec:\lflrlxl.exe18⤵
- Executes dropped EXE
-
\??\c:\bnhhnn.exec:\bnhhnn.exe19⤵
- Executes dropped EXE
-
\??\c:\ddddd.exec:\ddddd.exe20⤵
- Executes dropped EXE
-
\??\c:\9rlrrrr.exec:\9rlrrrr.exe21⤵
- Executes dropped EXE
-
\??\c:\nnnhbn.exec:\nnnhbn.exe22⤵
- Executes dropped EXE
-
\??\c:\ppvdj.exec:\ppvdj.exe23⤵
- Executes dropped EXE
-
\??\c:\jjvdp.exec:\jjvdp.exe24⤵
- Executes dropped EXE
-
\??\c:\nhtbnt.exec:\nhtbnt.exe25⤵
- Executes dropped EXE
-
\??\c:\nnhtnn.exec:\nnhtnn.exe26⤵
- Executes dropped EXE
-
\??\c:\dvdpd.exec:\dvdpd.exe27⤵
- Executes dropped EXE
-
\??\c:\xxrfrrf.exec:\xxrfrrf.exe28⤵
- Executes dropped EXE
-
\??\c:\tbbthb.exec:\tbbthb.exe29⤵
- Executes dropped EXE
-
\??\c:\1pddp.exec:\1pddp.exe30⤵
- Executes dropped EXE
-
\??\c:\7frrxff.exec:\7frrxff.exe31⤵
- Executes dropped EXE
-
\??\c:\nhtbht.exec:\nhtbht.exe32⤵
- Executes dropped EXE
-
\??\c:\vpppv.exec:\vpppv.exe33⤵
- Executes dropped EXE
-
\??\c:\jdpdv.exec:\jdpdv.exe34⤵
- Executes dropped EXE
-
\??\c:\1llrxrr.exec:\1llrxrr.exe35⤵
- Executes dropped EXE
-
\??\c:\fxllxfx.exec:\fxllxfx.exe36⤵
- Executes dropped EXE
-
\??\c:\1htbhn.exec:\1htbhn.exe37⤵
- Executes dropped EXE
-
\??\c:\pdppd.exec:\pdppd.exe38⤵
- Executes dropped EXE
-
\??\c:\pdddd.exec:\pdddd.exe39⤵
- Executes dropped EXE
-
\??\c:\rrfrffr.exec:\rrfrffr.exe40⤵
- Executes dropped EXE
-
\??\c:\fxfxxrx.exec:\fxfxxrx.exe41⤵
- Executes dropped EXE
-
\??\c:\bttthh.exec:\bttthh.exe42⤵
- Executes dropped EXE
-
\??\c:\5tntbb.exec:\5tntbb.exe43⤵
- Executes dropped EXE
-
\??\c:\pjdjp.exec:\pjdjp.exe44⤵
- Executes dropped EXE
-
\??\c:\dppdj.exec:\dppdj.exe45⤵
- Executes dropped EXE
-
\??\c:\rxxxxlr.exec:\rxxxxlr.exe46⤵
- Executes dropped EXE
-
\??\c:\thhhtn.exec:\thhhtn.exe47⤵
- Executes dropped EXE
-
\??\c:\ppjdp.exec:\ppjdp.exe48⤵
- Executes dropped EXE
-
\??\c:\ddvdp.exec:\ddvdp.exe49⤵
- Executes dropped EXE
-
\??\c:\xrrxflx.exec:\xrrxflx.exe50⤵
- Executes dropped EXE
-
\??\c:\xrrrxxx.exec:\xrrrxxx.exe51⤵
- Executes dropped EXE
-
\??\c:\bbtnhh.exec:\bbtnhh.exe52⤵
- Executes dropped EXE
-
\??\c:\1pjjd.exec:\1pjjd.exe53⤵
- Executes dropped EXE
-
\??\c:\7pppd.exec:\7pppd.exe54⤵
- Executes dropped EXE
-
\??\c:\1rrfffr.exec:\1rrfffr.exe55⤵
- Executes dropped EXE
-
\??\c:\nhtbhh.exec:\nhtbhh.exe56⤵
- Executes dropped EXE
-
\??\c:\9thbbt.exec:\9thbbt.exe57⤵
- Executes dropped EXE
-
\??\c:\dpvdd.exec:\dpvdd.exe58⤵
- Executes dropped EXE
-
\??\c:\lffxflx.exec:\lffxflx.exe59⤵
- Executes dropped EXE
-
\??\c:\1xxxffx.exec:\1xxxffx.exe60⤵
- Executes dropped EXE
-
\??\c:\htthbh.exec:\htthbh.exe61⤵
- Executes dropped EXE
-
\??\c:\ddvjj.exec:\ddvjj.exe62⤵
- Executes dropped EXE
-
\??\c:\jjdpp.exec:\jjdpp.exe63⤵
- Executes dropped EXE
-
\??\c:\rrflxfr.exec:\rrflxfr.exe64⤵
- Executes dropped EXE
-
\??\c:\xrxlxlr.exec:\xrxlxlr.exe65⤵
- Executes dropped EXE
-
\??\c:\nhbhtt.exec:\nhbhtt.exe66⤵
-
\??\c:\btnntb.exec:\btnntb.exe67⤵
-
\??\c:\vvpvp.exec:\vvpvp.exe68⤵
-
\??\c:\dvppd.exec:\dvppd.exe69⤵
-
\??\c:\lllrllx.exec:\lllrllx.exe70⤵
-
\??\c:\7ffflxf.exec:\7ffflxf.exe71⤵
-
\??\c:\bbnbnn.exec:\bbnbnn.exe72⤵
-
\??\c:\bbthtt.exec:\bbthtt.exe73⤵
-
\??\c:\7dpvd.exec:\7dpvd.exe74⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe75⤵
-
\??\c:\rfflxrf.exec:\rfflxrf.exe76⤵
-
\??\c:\9htbbb.exec:\9htbbb.exe77⤵
-
\??\c:\5bbbhb.exec:\5bbbhb.exe78⤵
-
\??\c:\pjjpd.exec:\pjjpd.exe79⤵
-
\??\c:\5jpjd.exec:\5jpjd.exe80⤵
-
\??\c:\ffxfxfx.exec:\ffxfxfx.exe81⤵
-
\??\c:\rlxlxrf.exec:\rlxlxrf.exe82⤵
-
\??\c:\hbtntn.exec:\hbtntn.exe83⤵
-
\??\c:\1htnbn.exec:\1htnbn.exe84⤵
-
\??\c:\jjpvd.exec:\jjpvd.exe85⤵
-
\??\c:\jdjpj.exec:\jdjpj.exe86⤵
-
\??\c:\ffxflrx.exec:\ffxflrx.exe87⤵
-
\??\c:\rxlfllr.exec:\rxlfllr.exe88⤵
-
\??\c:\3bbntt.exec:\3bbntt.exe89⤵
-
\??\c:\nhnthn.exec:\nhnthn.exe90⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe91⤵
-
\??\c:\pjjpd.exec:\pjjpd.exe92⤵
-
\??\c:\rrrfflx.exec:\rrrfflx.exe93⤵
-
\??\c:\xrxxxfr.exec:\xrxxxfr.exe94⤵
-
\??\c:\ttnhnb.exec:\ttnhnb.exe95⤵
-
\??\c:\7btttb.exec:\7btttb.exe96⤵
-
\??\c:\jdvdj.exec:\jdvdj.exe97⤵
-
\??\c:\dvppd.exec:\dvppd.exe98⤵
-
\??\c:\5xxlxrf.exec:\5xxlxrf.exe99⤵
-
\??\c:\tntbht.exec:\tntbht.exe100⤵
-
\??\c:\9thnbn.exec:\9thnbn.exe101⤵
-
\??\c:\dvjpd.exec:\dvjpd.exe102⤵
-
\??\c:\1vjvv.exec:\1vjvv.exe103⤵
-
\??\c:\lrrlrrx.exec:\lrrlrrx.exe104⤵
-
\??\c:\ffxflxl.exec:\ffxflxl.exe105⤵
-
\??\c:\nbntbh.exec:\nbntbh.exe106⤵
-
\??\c:\3thtbb.exec:\3thtbb.exe107⤵
-
\??\c:\hththn.exec:\hththn.exe108⤵
-
\??\c:\pjvjp.exec:\pjvjp.exe109⤵
-
\??\c:\7lxxfll.exec:\7lxxfll.exe110⤵
-
\??\c:\7rflrrx.exec:\7rflrrx.exe111⤵
-
\??\c:\hbbhbb.exec:\hbbhbb.exe112⤵
-
\??\c:\nntnbb.exec:\nntnbb.exe113⤵
-
\??\c:\3vjpv.exec:\3vjpv.exe114⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe115⤵
-
\??\c:\rlflxxl.exec:\rlflxxl.exe116⤵
-
\??\c:\7xrrrxf.exec:\7xrrrxf.exe117⤵
-
\??\c:\hbntnb.exec:\hbntnb.exe118⤵
-
\??\c:\hbnthn.exec:\hbnthn.exe119⤵
-
\??\c:\ppdjp.exec:\ppdjp.exe120⤵
-
\??\c:\jpjjd.exec:\jpjjd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-