Analysis
-
max time kernel
110s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
14-09-2024 22:25
General
-
Target
7c47f433d92b00c56035a4896117c6c0N.exe
-
Size
79KB
-
MD5
7c47f433d92b00c56035a4896117c6c0
-
SHA1
8dc89daedfb8bee7cb00853107150edd94b0a1d9
-
SHA256
8101b34d5b2b8aa262eb4382bf6b2d161945053aa1aacba1fe21588bf09b301e
-
SHA512
42bd29d6dfeb94ec8b988e097cf952f28c3f099f4f2019da6c6ba0c70e8e21d60c08965faa1845be607285a04683a355fc7e8dcc614a1f7f9d13e30f166677ea
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjDbOXY8Rn:ymb3NkkiQ3mdBjFI4VAYA
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c47f433d92b00c56035a4896117c6c0N.exe"C:\Users\Admin\AppData\Local\Temp\7c47f433d92b00c56035a4896117c6c0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pddpv.exec:\pddpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vvdj.exec:\3vvdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrrxll.exec:\lxrrxll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhthn.exec:\hhhthn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhtt.exec:\hbhhtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjpp.exec:\dvjpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjpv.exec:\jdjpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfllllr.exec:\lfllllr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthhhn.exec:\bthhhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbnbh.exec:\bnbnbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bnbbh.exec:\9bnbbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5pjjp.exec:\5pjjp.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\9lrrrxl.exec:\9lrrrxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lrxxxx.exec:\3lrxxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrlxrr.exec:\lfrlxrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5hbbtt.exec:\5hbbtt.exe17⤵
- Executes dropped EXE
-
\??\c:\htbttn.exec:\htbttn.exe18⤵
- Executes dropped EXE
-
\??\c:\3pvvd.exec:\3pvvd.exe19⤵
- Executes dropped EXE
-
\??\c:\vpvvd.exec:\vpvvd.exe20⤵
- Executes dropped EXE
-
\??\c:\frllllx.exec:\frllllx.exe21⤵
- Executes dropped EXE
-
\??\c:\frflrxf.exec:\frflrxf.exe22⤵
- Executes dropped EXE
-
\??\c:\7bntbn.exec:\7bntbn.exe23⤵
- Executes dropped EXE
-
\??\c:\htttnn.exec:\htttnn.exe24⤵
- Executes dropped EXE
-
\??\c:\dpdvv.exec:\dpdvv.exe25⤵
- Executes dropped EXE
-
\??\c:\vjpvp.exec:\vjpvp.exe26⤵
- Executes dropped EXE
-
\??\c:\vjvpv.exec:\vjvpv.exe27⤵
- Executes dropped EXE
-
\??\c:\ffxrxlf.exec:\ffxrxlf.exe28⤵
- Executes dropped EXE
-
\??\c:\thnhhb.exec:\thnhhb.exe29⤵
- Executes dropped EXE
-
\??\c:\1bnbht.exec:\1bnbht.exe30⤵
- Executes dropped EXE
-
\??\c:\vjjdj.exec:\vjjdj.exe31⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe32⤵
- Executes dropped EXE
-
\??\c:\xrllrrx.exec:\xrllrrx.exe33⤵
- Executes dropped EXE
-
\??\c:\frfllll.exec:\frfllll.exe34⤵
- Executes dropped EXE
-
\??\c:\xrflflx.exec:\xrflflx.exe35⤵
- Executes dropped EXE
-
\??\c:\xrrxrxl.exec:\xrrxrxl.exe36⤵
- Executes dropped EXE
-
\??\c:\htbtbb.exec:\htbtbb.exe37⤵
- Executes dropped EXE
-
\??\c:\httnbt.exec:\httnbt.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hbhhhn.exec:\hbhhhn.exe39⤵
- Executes dropped EXE
-
\??\c:\vpdjv.exec:\vpdjv.exe40⤵
- Executes dropped EXE
-
\??\c:\1vpvp.exec:\1vpvp.exe41⤵
- Executes dropped EXE
-
\??\c:\frlfrrx.exec:\frlfrrx.exe42⤵
- Executes dropped EXE
-
\??\c:\rrxlxxl.exec:\rrxlxxl.exe43⤵
- Executes dropped EXE
-
\??\c:\9rxrflr.exec:\9rxrflr.exe44⤵
- Executes dropped EXE
-
\??\c:\5lflxfl.exec:\5lflxfl.exe45⤵
- Executes dropped EXE
-
\??\c:\tnbbnn.exec:\tnbbnn.exe46⤵
- Executes dropped EXE
-
\??\c:\thhhtt.exec:\thhhtt.exe47⤵
- Executes dropped EXE
-
\??\c:\bhtnnh.exec:\bhtnnh.exe48⤵
- Executes dropped EXE
-
\??\c:\7dpvj.exec:\7dpvj.exe49⤵
- Executes dropped EXE
-
\??\c:\dvdjp.exec:\dvdjp.exe50⤵
- Executes dropped EXE
-
\??\c:\3vppd.exec:\3vppd.exe51⤵
- Executes dropped EXE
-
\??\c:\5rxxxrr.exec:\5rxxxrr.exe52⤵
- Executes dropped EXE
-
\??\c:\5xxllrx.exec:\5xxllrx.exe53⤵
- Executes dropped EXE
-
\??\c:\fxfrfll.exec:\fxfrfll.exe54⤵
- Executes dropped EXE
-
\??\c:\fxxfrrf.exec:\fxxfrrf.exe55⤵
- Executes dropped EXE
-
\??\c:\hbnbhh.exec:\hbnbhh.exe56⤵
- Executes dropped EXE
-
\??\c:\ttnttt.exec:\ttnttt.exe57⤵
- Executes dropped EXE
-
\??\c:\7nhhbb.exec:\7nhhbb.exe58⤵
- Executes dropped EXE
-
\??\c:\dvdvd.exec:\dvdvd.exe59⤵
- Executes dropped EXE
-
\??\c:\5dppj.exec:\5dppj.exe60⤵
- Executes dropped EXE
-
\??\c:\dpdjp.exec:\dpdjp.exe61⤵
- Executes dropped EXE
-
\??\c:\xffrxxf.exec:\xffrxxf.exe62⤵
- Executes dropped EXE
-
\??\c:\xxxfrxf.exec:\xxxfrxf.exe63⤵
- Executes dropped EXE
-
\??\c:\rllfllr.exec:\rllfllr.exe64⤵
- Executes dropped EXE
-
\??\c:\thnttn.exec:\thnttn.exe65⤵
- Executes dropped EXE
-
\??\c:\hthhnh.exec:\hthhnh.exe66⤵
-
\??\c:\7hntnt.exec:\7hntnt.exe67⤵
-
\??\c:\7jvpp.exec:\7jvpp.exe68⤵
-
\??\c:\5jvdj.exec:\5jvdj.exe69⤵
-
\??\c:\vjjpd.exec:\vjjpd.exe70⤵
-
\??\c:\1flxlrx.exec:\1flxlrx.exe71⤵
-
\??\c:\lffllrx.exec:\lffllrx.exe72⤵
-
\??\c:\fxrflll.exec:\fxrflll.exe73⤵
-
\??\c:\tbhnbn.exec:\tbhnbn.exe74⤵
-
\??\c:\nbbbhb.exec:\nbbbhb.exe75⤵
-
\??\c:\1hnttn.exec:\1hnttn.exe76⤵
-
\??\c:\3btttb.exec:\3btttb.exe77⤵
-
\??\c:\dvjjj.exec:\dvjjj.exe78⤵
-
\??\c:\pjdjv.exec:\pjdjv.exe79⤵
-
\??\c:\frxrfff.exec:\frxrfff.exe80⤵
-
\??\c:\5flrffx.exec:\5flrffx.exe81⤵
-
\??\c:\nbhhnn.exec:\nbhhnn.exe82⤵
-
\??\c:\lfrrflr.exec:\lfrrflr.exe83⤵
-
\??\c:\tnhhhb.exec:\tnhhhb.exe84⤵
-
\??\c:\5bhnbh.exec:\5bhnbh.exe85⤵
-
\??\c:\pjpjj.exec:\pjpjj.exe86⤵
-
\??\c:\lfrfxlx.exec:\lfrfxlx.exe87⤵
-
\??\c:\nbntbb.exec:\nbntbb.exe88⤵
-
\??\c:\9thhnn.exec:\9thhnn.exe89⤵
-
\??\c:\7jvvp.exec:\7jvvp.exe90⤵
-
\??\c:\pdjpv.exec:\pdjpv.exe91⤵
-
\??\c:\xlrxfxl.exec:\xlrxfxl.exe92⤵
-
\??\c:\5nttbb.exec:\5nttbb.exe93⤵
-
\??\c:\7pjvd.exec:\7pjvd.exe94⤵
-
\??\c:\1xflxrx.exec:\1xflxrx.exe95⤵
-
\??\c:\thtttb.exec:\thtttb.exe96⤵
-
\??\c:\hhbbbt.exec:\hhbbbt.exe97⤵
-
\??\c:\9pvdd.exec:\9pvdd.exe98⤵
-
\??\c:\htbhnb.exec:\htbhnb.exe99⤵
-
\??\c:\vjddj.exec:\vjddj.exe100⤵
-
\??\c:\vdjvp.exec:\vdjvp.exe101⤵
-
\??\c:\rlxlflf.exec:\rlxlflf.exe102⤵
-
\??\c:\rrfxlrx.exec:\rrfxlrx.exe103⤵
-
\??\c:\3bhbnn.exec:\3bhbnn.exe104⤵
-
\??\c:\5dvdp.exec:\5dvdp.exe105⤵
-
\??\c:\rrxfxlr.exec:\rrxfxlr.exe106⤵
-
\??\c:\lffflrr.exec:\lffflrr.exe107⤵
-
\??\c:\bnbntb.exec:\bnbntb.exe108⤵
-
\??\c:\nbthhn.exec:\nbthhn.exe109⤵
-
\??\c:\1jvdv.exec:\1jvdv.exe110⤵
-
\??\c:\1xlxfxf.exec:\1xlxfxf.exe111⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rlrfrfr.exec:\rlrfrfr.exe112⤵
-
\??\c:\htbhbh.exec:\htbhbh.exe113⤵
-
\??\c:\pdpvd.exec:\pdpvd.exe114⤵
-
\??\c:\pdjjd.exec:\pdjjd.exe115⤵
-
\??\c:\lffflfl.exec:\lffflfl.exe116⤵
-
\??\c:\nbnntn.exec:\nbnntn.exe117⤵
-
\??\c:\3dddv.exec:\3dddv.exe118⤵
-
\??\c:\frxfflr.exec:\frxfflr.exe119⤵
-
\??\c:\rfllrxf.exec:\rfllrxf.exe120⤵
-
\??\c:\tnbnhn.exec:\tnbnhn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-