Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
12/09/2024, 20:11
General
-
Target
4e079399b2592aea9229a2b7835c3f10N.exe
-
Size
382KB
-
MD5
4e079399b2592aea9229a2b7835c3f10
-
SHA1
ec1ea741310214a084b557b89e58d056e9f68342
-
SHA256
c904229d29d39b1477c0f9fe59b118f14c9162efebe421b47f876bc165340907
-
SHA512
497f1cba79c6f640bf29b48eab0562901ad0c90ff847447bd319dd2cf62f0d93ae2755d9940cb8d90dddaab5ac4f282c31eefc0966ab5b2f11bc4b362d075c9f
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73tvn+Yp99zm+/KZBHqL3yeHmlwe+axBcot39vUDbYhzod05:n3C9BRo7tvnJ99T/KZEL3c5BTkPXKph
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e079399b2592aea9229a2b7835c3f10N.exe"C:\Users\Admin\AppData\Local\Temp\4e079399b2592aea9229a2b7835c3f10N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\8828064.exec:\8828064.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q64640.exec:\q64640.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82024.exec:\82024.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o480624.exec:\o480624.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8206408.exec:\8206408.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q66862.exec:\q66862.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\00208.exec:\00208.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbbbh.exec:\tnbbbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2200286.exec:\2200286.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8606646.exec:\8606646.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82068.exec:\82068.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20420.exec:\20420.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04606.exec:\04606.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\268408.exec:\268408.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\48680.exec:\48680.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\202480.exec:\202480.exe17⤵
- Executes dropped EXE
-
\??\c:\602400.exec:\602400.exe18⤵
- Executes dropped EXE
-
\??\c:\82008.exec:\82008.exe19⤵
- Executes dropped EXE
-
\??\c:\jdpdp.exec:\jdpdp.exe20⤵
- Executes dropped EXE
-
\??\c:\88246.exec:\88246.exe21⤵
- Executes dropped EXE
-
\??\c:\06206.exec:\06206.exe22⤵
- Executes dropped EXE
-
\??\c:\dpvjd.exec:\dpvjd.exe23⤵
- Executes dropped EXE
-
\??\c:\ttthbh.exec:\ttthbh.exe24⤵
- Executes dropped EXE
-
\??\c:\ddvvj.exec:\ddvvj.exe25⤵
- Executes dropped EXE
-
\??\c:\86406.exec:\86406.exe26⤵
- Executes dropped EXE
-
\??\c:\486280.exec:\486280.exe27⤵
- Executes dropped EXE
-
\??\c:\00086.exec:\00086.exe28⤵
- Executes dropped EXE
-
\??\c:\868844.exec:\868844.exe29⤵
- Executes dropped EXE
-
\??\c:\08004.exec:\08004.exe30⤵
- Executes dropped EXE
-
\??\c:\82602.exec:\82602.exe31⤵
- Executes dropped EXE
-
\??\c:\3llrfrf.exec:\3llrfrf.exe32⤵
- Executes dropped EXE
-
\??\c:\tthntb.exec:\tthntb.exe33⤵
- Executes dropped EXE
-
\??\c:\040840.exec:\040840.exe34⤵
- Executes dropped EXE
-
\??\c:\llxlrxf.exec:\llxlrxf.exe35⤵
- Executes dropped EXE
-
\??\c:\9xrrxlx.exec:\9xrrxlx.exe36⤵
- Executes dropped EXE
-
\??\c:\jddjp.exec:\jddjp.exe37⤵
- Executes dropped EXE
-
\??\c:\26844.exec:\26844.exe38⤵
- Executes dropped EXE
-
\??\c:\9xllxxl.exec:\9xllxxl.exe39⤵
- Executes dropped EXE
-
\??\c:\jpjjp.exec:\jpjjp.exe40⤵
- Executes dropped EXE
-
\??\c:\4266262.exec:\4266262.exe41⤵
- Executes dropped EXE
-
\??\c:\4682844.exec:\4682844.exe42⤵
- Executes dropped EXE
-
\??\c:\btnbhn.exec:\btnbhn.exe43⤵
- Executes dropped EXE
-
\??\c:\9hhbbn.exec:\9hhbbn.exe44⤵
- Executes dropped EXE
-
\??\c:\rrllxfx.exec:\rrllxfx.exe45⤵
- Executes dropped EXE
-
\??\c:\rlflrrf.exec:\rlflrrf.exe46⤵
- Executes dropped EXE
-
\??\c:\0800880.exec:\0800880.exe47⤵
- Executes dropped EXE
-
\??\c:\u008620.exec:\u008620.exe48⤵
- Executes dropped EXE
-
\??\c:\604800.exec:\604800.exe49⤵
- Executes dropped EXE
-
\??\c:\82062.exec:\82062.exe50⤵
- Executes dropped EXE
-
\??\c:\bnbbbb.exec:\bnbbbb.exe51⤵
- Executes dropped EXE
-
\??\c:\djvdd.exec:\djvdd.exe52⤵
- Executes dropped EXE
-
\??\c:\8684068.exec:\8684068.exe53⤵
- Executes dropped EXE
-
\??\c:\u048404.exec:\u048404.exe54⤵
- Executes dropped EXE
-
\??\c:\4202464.exec:\4202464.exe55⤵
- Executes dropped EXE
-
\??\c:\486262.exec:\486262.exe56⤵
- Executes dropped EXE
-
\??\c:\w82022.exec:\w82022.exe57⤵
- Executes dropped EXE
-
\??\c:\5bnhnn.exec:\5bnhnn.exe58⤵
- Executes dropped EXE
-
\??\c:\k68000.exec:\k68000.exe59⤵
- Executes dropped EXE
-
\??\c:\hbhhnn.exec:\hbhhnn.exe60⤵
- Executes dropped EXE
-
\??\c:\g8628.exec:\g8628.exe61⤵
- Executes dropped EXE
-
\??\c:\7rfllrl.exec:\7rfllrl.exe62⤵
- Executes dropped EXE
-
\??\c:\k40060.exec:\k40060.exe63⤵
- Executes dropped EXE
-
\??\c:\240626.exec:\240626.exe64⤵
- Executes dropped EXE
-
\??\c:\5ffxrfl.exec:\5ffxrfl.exe65⤵
- Executes dropped EXE
-
\??\c:\nnbtnt.exec:\nnbtnt.exe66⤵
-
\??\c:\hthnnn.exec:\hthnnn.exe67⤵
-
\??\c:\1xlffxf.exec:\1xlffxf.exe68⤵
-
\??\c:\42884.exec:\42884.exe69⤵
-
\??\c:\k68800.exec:\k68800.exe70⤵
-
\??\c:\xflxrlf.exec:\xflxrlf.exe71⤵
-
\??\c:\4068640.exec:\4068640.exe72⤵
-
\??\c:\s4044.exec:\s4044.exe73⤵
- System Location Discovery: System Language Discovery
-
\??\c:\2022840.exec:\2022840.exe74⤵
-
\??\c:\httnnh.exec:\httnnh.exe75⤵
-
\??\c:\48804.exec:\48804.exe76⤵
-
\??\c:\20840.exec:\20840.exe77⤵
-
\??\c:\fxrlrrf.exec:\fxrlrrf.exe78⤵
-
\??\c:\820062.exec:\820062.exe79⤵
-
\??\c:\6008484.exec:\6008484.exe80⤵
-
\??\c:\4824220.exec:\4824220.exe81⤵
-
\??\c:\9vpvd.exec:\9vpvd.exe82⤵
-
\??\c:\9dvpv.exec:\9dvpv.exe83⤵
-
\??\c:\5rrflfr.exec:\5rrflfr.exe84⤵
-
\??\c:\208028.exec:\208028.exe85⤵
-
\??\c:\1xxxflx.exec:\1xxxflx.exe86⤵
-
\??\c:\480628.exec:\480628.exe87⤵
-
\??\c:\3jvdj.exec:\3jvdj.exe88⤵
-
\??\c:\0802884.exec:\0802884.exe89⤵
-
\??\c:\rfxlrxf.exec:\rfxlrxf.exe90⤵
-
\??\c:\rllrrxf.exec:\rllrrxf.exe91⤵
- System Location Discovery: System Language Discovery
-
\??\c:\66020.exec:\66020.exe92⤵
-
\??\c:\k22800.exec:\k22800.exe93⤵
-
\??\c:\82028.exec:\82028.exe94⤵
-
\??\c:\48684.exec:\48684.exe95⤵
-
\??\c:\tbbtbn.exec:\tbbtbn.exe96⤵
-
\??\c:\tbtnht.exec:\tbtnht.exe97⤵
-
\??\c:\26024.exec:\26024.exe98⤵
-
\??\c:\8208208.exec:\8208208.exe99⤵
-
\??\c:\482866.exec:\482866.exe100⤵
-
\??\c:\822806.exec:\822806.exe101⤵
-
\??\c:\vpjpv.exec:\vpjpv.exe102⤵
-
\??\c:\3tthnn.exec:\3tthnn.exe103⤵
-
\??\c:\c866840.exec:\c866840.exe104⤵
-
\??\c:\826840.exec:\826840.exe105⤵
-
\??\c:\tnhhtt.exec:\tnhhtt.exe106⤵
-
\??\c:\pdpjj.exec:\pdpjj.exe107⤵
-
\??\c:\5vjjv.exec:\5vjjv.exe108⤵
-
\??\c:\868680.exec:\868680.exe109⤵
-
\??\c:\6080284.exec:\6080284.exe110⤵
-
\??\c:\lfrxlrf.exec:\lfrxlrf.exe111⤵
-
\??\c:\0406840.exec:\0406840.exe112⤵
-
\??\c:\22424.exec:\22424.exe113⤵
-
\??\c:\8862064.exec:\8862064.exe114⤵
-
\??\c:\6646882.exec:\6646882.exe115⤵
-
\??\c:\jjdpd.exec:\jjdpd.exe116⤵
-
\??\c:\5xrxlrf.exec:\5xrxlrf.exe117⤵
-
\??\c:\g0228.exec:\g0228.exe118⤵
-
\??\c:\jpjjd.exec:\jpjjd.exe119⤵
-
\??\c:\7vpvv.exec:\7vpvv.exe120⤵
-
\??\c:\44240.exec:\44240.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-