Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
14/09/2024, 00:31
General
-
Target
a1d101f004cb9f664df7868ce64a2530N.exe
-
Size
375KB
-
MD5
a1d101f004cb9f664df7868ce64a2530
-
SHA1
2a835710eee2634b0945c90266da38e091fec3f8
-
SHA256
1d3fa556d01d134b5155cbd1721738d767705828b9986c6a7ed2eec30cdaddfb
-
SHA512
4e964e53dce6d8d2728426533eee987adb083cd183959784cd3f197184d0845b5bb43dda946988d869b493a97271792b2d62601a08dda8de9ee994451a64b3dd
-
SSDEEP
6144:n3C9BRIG0asYFm71mJl3/X8mak5gNv9rC8IwLaYNUvtTxTKMMI:n3C9uYA7i3/stR9HGYyvtTxTKMD
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1d101f004cb9f664df7868ce64a2530N.exe"C:\Users\Admin\AppData\Local\Temp\a1d101f004cb9f664df7868ce64a2530N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\btbhtb.exec:\btbhtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jddj.exec:\1jddj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnhth.exec:\bbnhth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bhbnn.exec:\3bhbnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxfflx.exec:\xrxfflx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhtt.exec:\tnbhtt.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxxffx.exec:\lfxxffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thntbh.exec:\thntbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvvp.exec:\vpvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnbbh.exec:\nbnbbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppd.exec:\vjppd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxxfff.exec:\xlxxfff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvdj.exec:\ppvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjpv.exec:\jjjpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthntb.exec:\bthntb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdjp.exec:\dpdjp.exe17⤵
- Executes dropped EXE
-
\??\c:\rfrxxxf.exec:\rfrxxxf.exe18⤵
- Executes dropped EXE
-
\??\c:\hbttht.exec:\hbttht.exe19⤵
- Executes dropped EXE
-
\??\c:\vvpvd.exec:\vvpvd.exe20⤵
- Executes dropped EXE
-
\??\c:\1rxffll.exec:\1rxffll.exe21⤵
- Executes dropped EXE
-
\??\c:\9bbbhh.exec:\9bbbhh.exe22⤵
- Executes dropped EXE
-
\??\c:\vvvjp.exec:\vvvjp.exe23⤵
- Executes dropped EXE
-
\??\c:\bnhbht.exec:\bnhbht.exe24⤵
- Executes dropped EXE
-
\??\c:\3jpjd.exec:\3jpjd.exe25⤵
- Executes dropped EXE
-
\??\c:\bnhbbt.exec:\bnhbbt.exe26⤵
- Executes dropped EXE
-
\??\c:\5dvdp.exec:\5dvdp.exe27⤵
- Executes dropped EXE
-
\??\c:\rlflrfl.exec:\rlflrfl.exe28⤵
- Executes dropped EXE
-
\??\c:\bbnntt.exec:\bbnntt.exe29⤵
- Executes dropped EXE
-
\??\c:\pvvjd.exec:\pvvjd.exe30⤵
- Executes dropped EXE
-
\??\c:\rfrrxfx.exec:\rfrrxfx.exe31⤵
- Executes dropped EXE
-
\??\c:\nnttbh.exec:\nnttbh.exe32⤵
- Executes dropped EXE
-
\??\c:\1bhhhb.exec:\1bhhhb.exe33⤵
- Executes dropped EXE
-
\??\c:\7xrlxll.exec:\7xrlxll.exe34⤵
- Executes dropped EXE
-
\??\c:\nnnbnb.exec:\nnnbnb.exe35⤵
- Executes dropped EXE
-
\??\c:\vvjvv.exec:\vvjvv.exe36⤵
- Executes dropped EXE
-
\??\c:\1vjvp.exec:\1vjvp.exe37⤵
- Executes dropped EXE
-
\??\c:\lfxxffr.exec:\lfxxffr.exe38⤵
- Executes dropped EXE
-
\??\c:\3fxfrfx.exec:\3fxfrfx.exe39⤵
- Executes dropped EXE
-
\??\c:\tnhhnt.exec:\tnhhnt.exe40⤵
- Executes dropped EXE
-
\??\c:\ddvvv.exec:\ddvvv.exe41⤵
- Executes dropped EXE
-
\??\c:\1dpdd.exec:\1dpdd.exe42⤵
- Executes dropped EXE
-
\??\c:\ffxxrlx.exec:\ffxxrlx.exe43⤵
- Executes dropped EXE
-
\??\c:\xxrlxlx.exec:\xxrlxlx.exe44⤵
- Executes dropped EXE
-
\??\c:\1bbhth.exec:\1bbhth.exe45⤵
- Executes dropped EXE
-
\??\c:\ppppd.exec:\ppppd.exe46⤵
- Executes dropped EXE
-
\??\c:\7fxxxfx.exec:\7fxxxfx.exe47⤵
- Executes dropped EXE
-
\??\c:\bntbhn.exec:\bntbhn.exe48⤵
- Executes dropped EXE
-
\??\c:\dvpdd.exec:\dvpdd.exe49⤵
- Executes dropped EXE
-
\??\c:\9lrxflr.exec:\9lrxflr.exe50⤵
- Executes dropped EXE
-
\??\c:\1hbhnt.exec:\1hbhnt.exe51⤵
- Executes dropped EXE
-
\??\c:\vdpvj.exec:\vdpvj.exe52⤵
- Executes dropped EXE
-
\??\c:\3vvpv.exec:\3vvpv.exe53⤵
- Executes dropped EXE
-
\??\c:\lflxfrf.exec:\lflxfrf.exe54⤵
- Executes dropped EXE
-
\??\c:\bnbbhh.exec:\bnbbhh.exe55⤵
- Executes dropped EXE
-
\??\c:\tnhntt.exec:\tnhntt.exe56⤵
- Executes dropped EXE
-
\??\c:\pjpjj.exec:\pjpjj.exe57⤵
- Executes dropped EXE
-
\??\c:\lflrflr.exec:\lflrflr.exe58⤵
- Executes dropped EXE
-
\??\c:\rrlrxlf.exec:\rrlrxlf.exe59⤵
- Executes dropped EXE
-
\??\c:\nhhntt.exec:\nhhntt.exe60⤵
- Executes dropped EXE
-
\??\c:\vpppd.exec:\vpppd.exe61⤵
- Executes dropped EXE
-
\??\c:\dvpdv.exec:\dvpdv.exe62⤵
- Executes dropped EXE
-
\??\c:\3fllxxf.exec:\3fllxxf.exe63⤵
- Executes dropped EXE
-
\??\c:\tnbbnh.exec:\tnbbnh.exe64⤵
- Executes dropped EXE
-
\??\c:\1jddd.exec:\1jddd.exe65⤵
- Executes dropped EXE
-
\??\c:\vppvj.exec:\vppvj.exe66⤵
-
\??\c:\fxrxffl.exec:\fxrxffl.exe67⤵
-
\??\c:\hbtthn.exec:\hbtthn.exe68⤵
-
\??\c:\tnnthn.exec:\tnnthn.exe69⤵
-
\??\c:\dvjdj.exec:\dvjdj.exe70⤵
-
\??\c:\rlxlxxf.exec:\rlxlxxf.exe71⤵
-
\??\c:\fxllffl.exec:\fxllffl.exe72⤵
-
\??\c:\hbtthh.exec:\hbtthh.exe73⤵
-
\??\c:\thbhth.exec:\thbhth.exe74⤵
-
\??\c:\dvjpv.exec:\dvjpv.exe75⤵
-
\??\c:\xrffrxf.exec:\xrffrxf.exe76⤵
-
\??\c:\5bnnbb.exec:\5bnnbb.exe77⤵
-
\??\c:\1tnhhh.exec:\1tnhhh.exe78⤵
-
\??\c:\9vpvj.exec:\9vpvj.exe79⤵
-
\??\c:\dppvd.exec:\dppvd.exe80⤵
-
\??\c:\lfffxlr.exec:\lfffxlr.exe81⤵
-
\??\c:\lfxxlrr.exec:\lfxxlrr.exe82⤵
-
\??\c:\hthhtt.exec:\hthhtt.exe83⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe84⤵
-
\??\c:\jvdvv.exec:\jvdvv.exe85⤵
-
\??\c:\rfrrflr.exec:\rfrrflr.exe86⤵
-
\??\c:\hthbtt.exec:\hthbtt.exe87⤵
-
\??\c:\nhttbb.exec:\nhttbb.exe88⤵
-
\??\c:\jdvjp.exec:\jdvjp.exe89⤵
-
\??\c:\xrrlllr.exec:\xrrlllr.exe90⤵
-
\??\c:\rfflxxr.exec:\rfflxxr.exe91⤵
-
\??\c:\hbbhbt.exec:\hbbhbt.exe92⤵
-
\??\c:\bbbbhh.exec:\bbbbhh.exe93⤵
-
\??\c:\7pddj.exec:\7pddj.exe94⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xfrxflx.exec:\xfrxflx.exe95⤵
-
\??\c:\xrrrxfl.exec:\xrrrxfl.exe96⤵
-
\??\c:\ntntnb.exec:\ntntnb.exe97⤵
-
\??\c:\jdjdd.exec:\jdjdd.exe98⤵
-
\??\c:\3vdjp.exec:\3vdjp.exe99⤵
-
\??\c:\lrllxll.exec:\lrllxll.exe100⤵
-
\??\c:\7hnthn.exec:\7hnthn.exe101⤵
-
\??\c:\bnnntt.exec:\bnnntt.exe102⤵
-
\??\c:\vpdjp.exec:\vpdjp.exe103⤵
-
\??\c:\7xllrxl.exec:\7xllrxl.exe104⤵
-
\??\c:\rfrfrxl.exec:\rfrfrxl.exe105⤵
-
\??\c:\nbtthn.exec:\nbtthn.exe106⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe107⤵
-
\??\c:\pjjpj.exec:\pjjpj.exe108⤵
-
\??\c:\7xrflrx.exec:\7xrflrx.exe109⤵
-
\??\c:\xrfllfl.exec:\xrfllfl.exe110⤵
-
\??\c:\nbbhnt.exec:\nbbhnt.exe111⤵
-
\??\c:\vpjpp.exec:\vpjpp.exe112⤵
-
\??\c:\ppdpv.exec:\ppdpv.exe113⤵
-
\??\c:\flxlfrf.exec:\flxlfrf.exe114⤵
-
\??\c:\ntthth.exec:\ntthth.exe115⤵
-
\??\c:\nhtthb.exec:\nhtthb.exe116⤵
-
\??\c:\ppjvj.exec:\ppjvj.exe117⤵
-
\??\c:\rrflrrf.exec:\rrflrrf.exe118⤵
-
\??\c:\3fllrrx.exec:\3fllrrx.exe119⤵
-
\??\c:\btnhnn.exec:\btnhnn.exe120⤵
-
\??\c:\9nhntt.exec:\9nhntt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-