Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
14/09/2024, 23:57
General
-
Target
97236effe0ba091fe2415d628070874ad7358ad06254c5072efa2c648d9fb83b.exe
-
Size
71KB
-
MD5
3c687c9e6027f523f3566aafd37a3b4d
-
SHA1
9b404be7c0c4b5a2c81f41f35a4905e0907973c9
-
SHA256
97236effe0ba091fe2415d628070874ad7358ad06254c5072efa2c648d9fb83b
-
SHA512
c6504e32f1c6107e97072e25a9ceec38ce0ebe0e384cf6cc2f7575cab6c2eeec89602d90e059471751b6ab2cb1a7fdbf673f63cd812962bc1c3a29da05ac5419
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjW:ymb3NkkiQ3mdBjFI4Vm
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\97236effe0ba091fe2415d628070874ad7358ad06254c5072efa2c648d9fb83b.exe"C:\Users\Admin\AppData\Local\Temp\97236effe0ba091fe2415d628070874ad7358ad06254c5072efa2c648d9fb83b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\btntht.exec:\btntht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxffflr.exec:\fxffflr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbhbb.exec:\bbbhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnbhn.exec:\hbnbhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjvp.exec:\vpjvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfxlrf.exec:\rlfxlrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnhbn.exec:\hhnhbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhntn.exec:\nnhntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpvj.exec:\ddpvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjpd.exec:\jvjpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrfrrf.exec:\xrrfrrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhnbn.exec:\nnhnbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbnh.exec:\btnbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vvvj.exec:\5vvvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfrxrf.exec:\llfrxrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffflxfr.exec:\ffflxfr.exe17⤵
- Executes dropped EXE
-
\??\c:\tthnht.exec:\tthnht.exe18⤵
- Executes dropped EXE
-
\??\c:\btnbnn.exec:\btnbnn.exe19⤵
- Executes dropped EXE
-
\??\c:\vddvj.exec:\vddvj.exe20⤵
- Executes dropped EXE
-
\??\c:\llxlxfx.exec:\llxlxfx.exe21⤵
- Executes dropped EXE
-
\??\c:\lxlrrxl.exec:\lxlrrxl.exe22⤵
- Executes dropped EXE
-
\??\c:\hthbbh.exec:\hthbbh.exe23⤵
- Executes dropped EXE
-
\??\c:\tnhnbb.exec:\tnhnbb.exe24⤵
- Executes dropped EXE
-
\??\c:\vjdpv.exec:\vjdpv.exe25⤵
- Executes dropped EXE
-
\??\c:\lxxfrlf.exec:\lxxfrlf.exe26⤵
- Executes dropped EXE
-
\??\c:\lrrxffr.exec:\lrrxffr.exe27⤵
- Executes dropped EXE
-
\??\c:\3nntbb.exec:\3nntbb.exe28⤵
- Executes dropped EXE
-
\??\c:\dvpdp.exec:\dvpdp.exe29⤵
- Executes dropped EXE
-
\??\c:\xflfllr.exec:\xflfllr.exe30⤵
- Executes dropped EXE
-
\??\c:\tbthbn.exec:\tbthbn.exe31⤵
- Executes dropped EXE
-
\??\c:\tbntbh.exec:\tbntbh.exe32⤵
- Executes dropped EXE
-
\??\c:\pjjpd.exec:\pjjpd.exe33⤵
- Executes dropped EXE
-
\??\c:\lfxfrfr.exec:\lfxfrfr.exe34⤵
- Executes dropped EXE
-
\??\c:\rfxflrf.exec:\rfxflrf.exe35⤵
- Executes dropped EXE
-
\??\c:\tbbhbh.exec:\tbbhbh.exe36⤵
- Executes dropped EXE
-
\??\c:\1ppjj.exec:\1ppjj.exe37⤵
- Executes dropped EXE
-
\??\c:\jdpvj.exec:\jdpvj.exe38⤵
- Executes dropped EXE
-
\??\c:\9lrrxff.exec:\9lrrxff.exe39⤵
- Executes dropped EXE
-
\??\c:\9pdjp.exec:\9pdjp.exe40⤵
- Executes dropped EXE
-
\??\c:\jjjvv.exec:\jjjvv.exe41⤵
- Executes dropped EXE
-
\??\c:\lxfllrx.exec:\lxfllrx.exe42⤵
- Executes dropped EXE
-
\??\c:\hbbntb.exec:\hbbntb.exe43⤵
- Executes dropped EXE
-
\??\c:\nnbnnb.exec:\nnbnnb.exe44⤵
- Executes dropped EXE
-
\??\c:\5vjpj.exec:\5vjpj.exe45⤵
- Executes dropped EXE
-
\??\c:\pdvjp.exec:\pdvjp.exe46⤵
- Executes dropped EXE
-
\??\c:\llfrxlf.exec:\llfrxlf.exe47⤵
- Executes dropped EXE
-
\??\c:\htnbht.exec:\htnbht.exe48⤵
- Executes dropped EXE
-
\??\c:\1nhtbh.exec:\1nhtbh.exe49⤵
- Executes dropped EXE
-
\??\c:\vvdvv.exec:\vvdvv.exe50⤵
- Executes dropped EXE
-
\??\c:\jddvd.exec:\jddvd.exe51⤵
- Executes dropped EXE
-
\??\c:\lflllxf.exec:\lflllxf.exe52⤵
- Executes dropped EXE
-
\??\c:\9rrfrrx.exec:\9rrfrrx.exe53⤵
- Executes dropped EXE
-
\??\c:\nhtnht.exec:\nhtnht.exe54⤵
- Executes dropped EXE
-
\??\c:\3tnbhn.exec:\3tnbhn.exe55⤵
- Executes dropped EXE
-
\??\c:\ppvvv.exec:\ppvvv.exe56⤵
- Executes dropped EXE
-
\??\c:\llfrxfx.exec:\llfrxfx.exe57⤵
- Executes dropped EXE
-
\??\c:\ffllllr.exec:\ffllllr.exe58⤵
- Executes dropped EXE
-
\??\c:\nntbhn.exec:\nntbhn.exe59⤵
- Executes dropped EXE
-
\??\c:\bhtnnt.exec:\bhtnnt.exe60⤵
- Executes dropped EXE
-
\??\c:\jjddd.exec:\jjddd.exe61⤵
- Executes dropped EXE
-
\??\c:\pvdjv.exec:\pvdjv.exe62⤵
- Executes dropped EXE
-
\??\c:\rlfrllx.exec:\rlfrllx.exe63⤵
- Executes dropped EXE
-
\??\c:\rlxrxrx.exec:\rlxrxrx.exe64⤵
- Executes dropped EXE
-
\??\c:\5tthtb.exec:\5tthtb.exe65⤵
- Executes dropped EXE
-
\??\c:\pvdvd.exec:\pvdvd.exe66⤵
-
\??\c:\jdvpv.exec:\jdvpv.exe67⤵
-
\??\c:\lllflrx.exec:\lllflrx.exe68⤵
-
\??\c:\fffrllf.exec:\fffrllf.exe69⤵
-
\??\c:\bhhnnt.exec:\bhhnnt.exe70⤵
-
\??\c:\nnhbht.exec:\nnhbht.exe71⤵
-
\??\c:\vvvdp.exec:\vvvdp.exe72⤵
-
\??\c:\ddvvv.exec:\ddvvv.exe73⤵
-
\??\c:\lfrfrfl.exec:\lfrfrfl.exe74⤵
-
\??\c:\fxrxrxl.exec:\fxrxrxl.exe75⤵
-
\??\c:\hhbtnb.exec:\hhbtnb.exe76⤵
-
\??\c:\bbthth.exec:\bbthth.exe77⤵
-
\??\c:\vpdpd.exec:\vpdpd.exe78⤵
-
\??\c:\pjpdp.exec:\pjpdp.exe79⤵
-
\??\c:\xxxlflx.exec:\xxxlflx.exe80⤵
-
\??\c:\ttnhnb.exec:\ttnhnb.exe81⤵
-
\??\c:\hhhthh.exec:\hhhthh.exe82⤵
-
\??\c:\vvppd.exec:\vvppd.exe83⤵
-
\??\c:\1dpvd.exec:\1dpvd.exe84⤵
-
\??\c:\lxlrffl.exec:\lxlrffl.exe85⤵
-
\??\c:\5tnnnh.exec:\5tnnnh.exe86⤵
-
\??\c:\dvjvv.exec:\dvjvv.exe87⤵
-
\??\c:\jddvp.exec:\jddvp.exe88⤵
-
\??\c:\xxrlllr.exec:\xxrlllr.exe89⤵
-
\??\c:\nnnhth.exec:\nnnhth.exe90⤵
-
\??\c:\vjjpd.exec:\vjjpd.exe91⤵
-
\??\c:\5dddd.exec:\5dddd.exe92⤵
-
\??\c:\fllxrfl.exec:\fllxrfl.exe93⤵
-
\??\c:\nhtbnt.exec:\nhtbnt.exe94⤵
-
\??\c:\5hnntt.exec:\5hnntt.exe95⤵
-
\??\c:\jjjvd.exec:\jjjvd.exe96⤵
-
\??\c:\dvvdd.exec:\dvvdd.exe97⤵
-
\??\c:\xlxxflr.exec:\xlxxflr.exe98⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xrrrfxr.exec:\xrrrfxr.exe99⤵
-
\??\c:\nttntb.exec:\nttntb.exe100⤵
-
\??\c:\vdvpj.exec:\vdvpj.exe101⤵
-
\??\c:\9vdjj.exec:\9vdjj.exe102⤵
-
\??\c:\9flflff.exec:\9flflff.exe103⤵
-
\??\c:\btnthh.exec:\btnthh.exe104⤵
-
\??\c:\tbbntn.exec:\tbbntn.exe105⤵
-
\??\c:\pvpjv.exec:\pvpjv.exe106⤵
-
\??\c:\pppdp.exec:\pppdp.exe107⤵
-
\??\c:\7xfffxx.exec:\7xfffxx.exe108⤵
-
\??\c:\xxrrlrl.exec:\xxrrlrl.exe109⤵
-
\??\c:\3rrlrxf.exec:\3rrlrxf.exe110⤵
-
\??\c:\bhthbh.exec:\bhthbh.exe111⤵
-
\??\c:\vjjjp.exec:\vjjjp.exe112⤵
-
\??\c:\dpvjv.exec:\dpvjv.exe113⤵
-
\??\c:\1xxxxll.exec:\1xxxxll.exe114⤵
-
\??\c:\xxlxxfx.exec:\xxlxxfx.exe115⤵
-
\??\c:\dvdpj.exec:\dvdpj.exe116⤵
-
\??\c:\jvppj.exec:\jvppj.exe117⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rrflxfl.exec:\rrflxfl.exe118⤵
-
\??\c:\1frxfxr.exec:\1frxfxr.exe119⤵
-
\??\c:\rrfrrrx.exec:\rrfrrrx.exe120⤵
-
\??\c:\3hbhhn.exec:\3hbhhn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-