Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
14-09-2024 22:45
General
-
Target
5dff1f9213d36b3d18184aff20a62f10N.exe
-
Size
66KB
-
MD5
5dff1f9213d36b3d18184aff20a62f10
-
SHA1
8fc877dc0dc9760d0f0c9481ea2889b50023a864
-
SHA256
84aeac416aa10e32f95e9ffb24b6e245b510fb947cd5686bc4ac7a126825d804
-
SHA512
ce4f1b0c12a6f9924a031deefd36f8c989086ab175a319da0517d339a3e5ebddf9393fecc2ab39e6907a22bfe8924c77e18f7560520800b936861ed15ad571c4
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27BqfR:ymb3NkkiQ3mdBjFI9cqfR
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5dff1f9213d36b3d18184aff20a62f10N.exe"C:\Users\Admin\AppData\Local\Temp\5dff1f9213d36b3d18184aff20a62f10N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lxflrxr.exec:\lxflrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nttnt.exec:\1nttnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjvd.exec:\jdjvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5pddv.exec:\5pddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xxfflf.exec:\1xxfflf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnntbt.exec:\hnntbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nntbh.exec:\1nntbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdpd.exec:\jjdpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjvv.exec:\vpjvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrrflx.exec:\llrrflx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxfrxf.exec:\rfxfrxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnthh.exec:\hbnthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddpd.exec:\jddpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bbtbh.exec:\3bbtbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3hthnb.exec:\3hthnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlfrxf.exec:\rrlfrxf.exe17⤵
- Executes dropped EXE
-
\??\c:\1lxlxlx.exec:\1lxlxlx.exe18⤵
- Executes dropped EXE
-
\??\c:\hhtbnt.exec:\hhtbnt.exe19⤵
- Executes dropped EXE
-
\??\c:\ppjdv.exec:\ppjdv.exe20⤵
- Executes dropped EXE
-
\??\c:\dvpvd.exec:\dvpvd.exe21⤵
- Executes dropped EXE
-
\??\c:\3xxrlfx.exec:\3xxrlfx.exe22⤵
- Executes dropped EXE
-
\??\c:\7tbhnt.exec:\7tbhnt.exe23⤵
- Executes dropped EXE
-
\??\c:\pjdvj.exec:\pjdvj.exe24⤵
- Executes dropped EXE
-
\??\c:\rlxrffr.exec:\rlxrffr.exe25⤵
- Executes dropped EXE
-
\??\c:\rllxflx.exec:\rllxflx.exe26⤵
- Executes dropped EXE
-
\??\c:\1bnhtt.exec:\1bnhtt.exe27⤵
- Executes dropped EXE
-
\??\c:\7nhthn.exec:\7nhthn.exe28⤵
- Executes dropped EXE
-
\??\c:\vvpvp.exec:\vvpvp.exe29⤵
- Executes dropped EXE
-
\??\c:\pppjd.exec:\pppjd.exe30⤵
- Executes dropped EXE
-
\??\c:\xrlrffr.exec:\xrlrffr.exe31⤵
- Executes dropped EXE
-
\??\c:\btthnt.exec:\btthnt.exe32⤵
- Executes dropped EXE
-
\??\c:\vvppv.exec:\vvppv.exe33⤵
- Executes dropped EXE
-
\??\c:\5lxrxrx.exec:\5lxrxrx.exe34⤵
- Executes dropped EXE
-
\??\c:\9lfrflx.exec:\9lfrflx.exe35⤵
- Executes dropped EXE
-
\??\c:\tntbbh.exec:\tntbbh.exe36⤵
- Executes dropped EXE
-
\??\c:\vppjv.exec:\vppjv.exe37⤵
- Executes dropped EXE
-
\??\c:\frlrlrx.exec:\frlrlrx.exe38⤵
- Executes dropped EXE
-
\??\c:\1xlrfxx.exec:\1xlrfxx.exe39⤵
- Executes dropped EXE
-
\??\c:\nnbnbh.exec:\nnbnbh.exe40⤵
- Executes dropped EXE
-
\??\c:\ttnbbn.exec:\ttnbbn.exe41⤵
- Executes dropped EXE
-
\??\c:\5jdpv.exec:\5jdpv.exe42⤵
- Executes dropped EXE
-
\??\c:\vpjvj.exec:\vpjvj.exe43⤵
- Executes dropped EXE
-
\??\c:\1xxxffl.exec:\1xxxffl.exe44⤵
- Executes dropped EXE
-
\??\c:\1ffxrfx.exec:\1ffxrfx.exe45⤵
- Executes dropped EXE
-
\??\c:\nhbbhh.exec:\nhbbhh.exe46⤵
- Executes dropped EXE
-
\??\c:\jjdvp.exec:\jjdvp.exe47⤵
- Executes dropped EXE
-
\??\c:\5jdvj.exec:\5jdvj.exe48⤵
- Executes dropped EXE
-
\??\c:\3rrrxfr.exec:\3rrrxfr.exe49⤵
- Executes dropped EXE
-
\??\c:\rrlxlxl.exec:\rrlxlxl.exe50⤵
- Executes dropped EXE
-
\??\c:\tnbhbb.exec:\tnbhbb.exe51⤵
- Executes dropped EXE
-
\??\c:\btnthh.exec:\btnthh.exe52⤵
- Executes dropped EXE
-
\??\c:\pjdjp.exec:\pjdjp.exe53⤵
- Executes dropped EXE
-
\??\c:\rfrxflx.exec:\rfrxflx.exe54⤵
- Executes dropped EXE
-
\??\c:\5nhnhh.exec:\5nhnhh.exe55⤵
- Executes dropped EXE
-
\??\c:\bttbht.exec:\bttbht.exe56⤵
- Executes dropped EXE
-
\??\c:\vjdvd.exec:\vjdvd.exe57⤵
- Executes dropped EXE
-
\??\c:\rflrxxl.exec:\rflrxxl.exe58⤵
- Executes dropped EXE
-
\??\c:\1frlrll.exec:\1frlrll.exe59⤵
- Executes dropped EXE
-
\??\c:\tthnbh.exec:\tthnbh.exe60⤵
- Executes dropped EXE
-
\??\c:\9pjjj.exec:\9pjjj.exe61⤵
- Executes dropped EXE
-
\??\c:\xlflrxf.exec:\xlflrxf.exe62⤵
- Executes dropped EXE
-
\??\c:\hnhhth.exec:\hnhhth.exe63⤵
- Executes dropped EXE
-
\??\c:\pjvdj.exec:\pjvdj.exe64⤵
- Executes dropped EXE
-
\??\c:\jddjv.exec:\jddjv.exe65⤵
- Executes dropped EXE
-
\??\c:\xlxrrxx.exec:\xlxrrxx.exe66⤵
-
\??\c:\hhttbt.exec:\hhttbt.exe67⤵
-
\??\c:\ttnthh.exec:\ttnthh.exe68⤵
-
\??\c:\pdpdj.exec:\pdpdj.exe69⤵
-
\??\c:\xrxflxl.exec:\xrxflxl.exe70⤵
-
\??\c:\fxlrxxf.exec:\fxlrxxf.exe71⤵
-
\??\c:\5bbbhh.exec:\5bbbhh.exe72⤵
-
\??\c:\ntnhhb.exec:\ntnhhb.exe73⤵
-
\??\c:\pjppd.exec:\pjppd.exe74⤵
-
\??\c:\lflxxxl.exec:\lflxxxl.exe75⤵
-
\??\c:\rfrxxrf.exec:\rfrxxrf.exe76⤵
-
\??\c:\hbntbh.exec:\hbntbh.exe77⤵
-
\??\c:\btnbbt.exec:\btnbbt.exe78⤵
-
\??\c:\3ddvv.exec:\3ddvv.exe79⤵
-
\??\c:\vjdjp.exec:\vjdjp.exe80⤵
-
\??\c:\lfxlllx.exec:\lfxlllx.exe81⤵
-
\??\c:\fxffffl.exec:\fxffffl.exe82⤵
-
\??\c:\nbnhtb.exec:\nbnhtb.exe83⤵
-
\??\c:\1jpjv.exec:\1jpjv.exe84⤵
-
\??\c:\jvvpv.exec:\jvvpv.exe85⤵
-
\??\c:\rllrxfl.exec:\rllrxfl.exe86⤵
-
\??\c:\7lfrxxr.exec:\7lfrxxr.exe87⤵
-
\??\c:\bbbhbh.exec:\bbbhbh.exe88⤵
-
\??\c:\hbhnnn.exec:\hbhnnn.exe89⤵
-
\??\c:\1pjvd.exec:\1pjvd.exe90⤵
-
\??\c:\jvvvd.exec:\jvvvd.exe91⤵
-
\??\c:\lxrrrrx.exec:\lxrrrrx.exe92⤵
-
\??\c:\7lflrlx.exec:\7lflrlx.exe93⤵
-
\??\c:\tnhhtb.exec:\tnhhtb.exe94⤵
-
\??\c:\hbnbbh.exec:\hbnbbh.exe95⤵
-
\??\c:\5jvdd.exec:\5jvdd.exe96⤵
-
\??\c:\7vjpv.exec:\7vjpv.exe97⤵
-
\??\c:\9xrlrrx.exec:\9xrlrrx.exe98⤵
-
\??\c:\xrlrxfl.exec:\xrlrxfl.exe99⤵
-
\??\c:\nnbhtt.exec:\nnbhtt.exe100⤵
-
\??\c:\bthhhh.exec:\bthhhh.exe101⤵
-
\??\c:\dvjdd.exec:\dvjdd.exe102⤵
-
\??\c:\fxlrllr.exec:\fxlrllr.exe103⤵
-
\??\c:\7fxffrx.exec:\7fxffrx.exe104⤵
-
\??\c:\7bhbbn.exec:\7bhbbn.exe105⤵
-
\??\c:\hhhhnn.exec:\hhhhnn.exe106⤵
-
\??\c:\ppdpd.exec:\ppdpd.exe107⤵
-
\??\c:\pjdvd.exec:\pjdvd.exe108⤵
-
\??\c:\5rflxfl.exec:\5rflxfl.exe109⤵
-
\??\c:\3lxlrrx.exec:\3lxlrrx.exe110⤵
-
\??\c:\3hhbhn.exec:\3hhbhn.exe111⤵
-
\??\c:\bbtnhb.exec:\bbtnhb.exe112⤵
-
\??\c:\pdvjd.exec:\pdvjd.exe113⤵
-
\??\c:\jdpvj.exec:\jdpvj.exe114⤵
-
\??\c:\lffllfr.exec:\lffllfr.exe115⤵
-
\??\c:\5lxfrrx.exec:\5lxfrrx.exe116⤵
-
\??\c:\tnhtbh.exec:\tnhtbh.exe117⤵
-
\??\c:\httbhh.exec:\httbhh.exe118⤵
- System Location Discovery: System Language Discovery
-
\??\c:\3pdpv.exec:\3pdpv.exe119⤵
-
\??\c:\vjdjv.exec:\vjdjv.exe120⤵
-
\??\c:\lflflrf.exec:\lflflrf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-