Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
14/09/2024, 09:32
General
-
Target
f8bada5cec555b89b501558e4b1806d0N.exe
-
Size
228KB
-
MD5
f8bada5cec555b89b501558e4b1806d0
-
SHA1
0894b6439db785689ac11d354b809fe440d1e642
-
SHA256
5917ef2041dba11a95169a46f3c42bb765914da3d384f1228cdb4cb398075331
-
SHA512
3df56ada561d3e64ddd9a737de69fa5325173e551630b53ba2b4c1ee38bac573f364c4c0cbc9f8cf838785557f484bf98a6941d44312f33bd08bd8b98bad371c
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLjBeGdr:n3C9BRo7MlrWKo+lxK/
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8bada5cec555b89b501558e4b1806d0N.exe"C:\Users\Admin\AppData\Local\Temp\f8bada5cec555b89b501558e4b1806d0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvpv.exec:\jdvpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxfrf.exec:\lfrxfrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrxfll.exec:\lxrxfll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tttnnh.exec:\tttnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfllrrx.exec:\xfllrrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtntb.exec:\hhtntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvpv.exec:\dpvpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xxxrxr.exec:\7xxxrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xfxxxl.exec:\5xfxxxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpvd.exec:\ddpvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvpd.exec:\jpvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnhtnb.exec:\hnhtnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhtnh.exec:\nbhtnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjpj.exec:\dpjpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllflrf.exec:\xllflrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ntbhh.exec:\1ntbhh.exe17⤵
- Executes dropped EXE
-
\??\c:\pdjvv.exec:\pdjvv.exe18⤵
- Executes dropped EXE
-
\??\c:\9rrlrlx.exec:\9rrlrlx.exe19⤵
- Executes dropped EXE
-
\??\c:\lfflrfl.exec:\lfflrfl.exe20⤵
- Executes dropped EXE
-
\??\c:\ntbtbn.exec:\ntbtbn.exe21⤵
- Executes dropped EXE
-
\??\c:\pjjpv.exec:\pjjpv.exe22⤵
- Executes dropped EXE
-
\??\c:\1fffllf.exec:\1fffllf.exe23⤵
- Executes dropped EXE
-
\??\c:\tbhbhn.exec:\tbhbhn.exe24⤵
- Executes dropped EXE
-
\??\c:\tthnnh.exec:\tthnnh.exe25⤵
- Executes dropped EXE
-
\??\c:\3vpvp.exec:\3vpvp.exe26⤵
- Executes dropped EXE
-
\??\c:\xffxffx.exec:\xffxffx.exe27⤵
- Executes dropped EXE
-
\??\c:\hbhnth.exec:\hbhnth.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\jvdvv.exec:\jvdvv.exe29⤵
- Executes dropped EXE
-
\??\c:\xxlrrxf.exec:\xxlrrxf.exe30⤵
- Executes dropped EXE
-
\??\c:\flrrxlr.exec:\flrrxlr.exe31⤵
- Executes dropped EXE
-
\??\c:\tbhbhh.exec:\tbhbhh.exe32⤵
- Executes dropped EXE
-
\??\c:\5jpjp.exec:\5jpjp.exe33⤵
- Executes dropped EXE
-
\??\c:\lxfflfl.exec:\lxfflfl.exe34⤵
- Executes dropped EXE
-
\??\c:\btnthh.exec:\btnthh.exe35⤵
- Executes dropped EXE
-
\??\c:\btbtnt.exec:\btbtnt.exe36⤵
- Executes dropped EXE
-
\??\c:\vjvdv.exec:\vjvdv.exe37⤵
- Executes dropped EXE
-
\??\c:\lfllxfl.exec:\lfllxfl.exe38⤵
- Executes dropped EXE
-
\??\c:\ffxlrfl.exec:\ffxlrfl.exe39⤵
- Executes dropped EXE
-
\??\c:\tnthth.exec:\tnthth.exe40⤵
- Executes dropped EXE
-
\??\c:\3tnntt.exec:\3tnntt.exe41⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe42⤵
- Executes dropped EXE
-
\??\c:\xrllrxf.exec:\xrllrxf.exe43⤵
- Executes dropped EXE
-
\??\c:\ffrfxrf.exec:\ffrfxrf.exe44⤵
- Executes dropped EXE
-
\??\c:\5nhnbh.exec:\5nhnbh.exe45⤵
- Executes dropped EXE
-
\??\c:\jjjdp.exec:\jjjdp.exe46⤵
- Executes dropped EXE
-
\??\c:\jjvdj.exec:\jjvdj.exe47⤵
- Executes dropped EXE
-
\??\c:\rxrfxfr.exec:\rxrfxfr.exe48⤵
- Executes dropped EXE
-
\??\c:\5lffflr.exec:\5lffflr.exe49⤵
- Executes dropped EXE
-
\??\c:\hththt.exec:\hththt.exe50⤵
- Executes dropped EXE
-
\??\c:\bnnbbt.exec:\bnnbbt.exe51⤵
- Executes dropped EXE
-
\??\c:\vvjvp.exec:\vvjvp.exe52⤵
- Executes dropped EXE
-
\??\c:\xllrxxr.exec:\xllrxxr.exe53⤵
- Executes dropped EXE
-
\??\c:\ffllxfr.exec:\ffllxfr.exe54⤵
- Executes dropped EXE
-
\??\c:\hbbbnt.exec:\hbbbnt.exe55⤵
- Executes dropped EXE
-
\??\c:\hbtbht.exec:\hbtbht.exe56⤵
- Executes dropped EXE
-
\??\c:\jjjjd.exec:\jjjjd.exe57⤵
- Executes dropped EXE
-
\??\c:\pdppj.exec:\pdppj.exe58⤵
- Executes dropped EXE
-
\??\c:\rlrxffr.exec:\rlrxffr.exe59⤵
- Executes dropped EXE
-
\??\c:\fxrxflr.exec:\fxrxflr.exe60⤵
- Executes dropped EXE
-
\??\c:\ttbntb.exec:\ttbntb.exe61⤵
- Executes dropped EXE
-
\??\c:\jdpvv.exec:\jdpvv.exe62⤵
- Executes dropped EXE
-
\??\c:\7pvpd.exec:\7pvpd.exe63⤵
- Executes dropped EXE
-
\??\c:\rffrrrf.exec:\rffrrrf.exe64⤵
- Executes dropped EXE
-
\??\c:\fxrflxl.exec:\fxrflxl.exe65⤵
- Executes dropped EXE
-
\??\c:\bhbntt.exec:\bhbntt.exe66⤵
-
\??\c:\tbbnbn.exec:\tbbnbn.exe67⤵
-
\??\c:\vpvpv.exec:\vpvpv.exe68⤵
-
\??\c:\pjvjv.exec:\pjvjv.exe69⤵
-
\??\c:\lxlrxll.exec:\lxlrxll.exe70⤵
-
\??\c:\5tnhth.exec:\5tnhth.exe71⤵
-
\??\c:\nnhhtb.exec:\nnhhtb.exe72⤵
-
\??\c:\djpdv.exec:\djpdv.exe73⤵
-
\??\c:\jdpvv.exec:\jdpvv.exe74⤵
-
\??\c:\llxxxxr.exec:\llxxxxr.exe75⤵
-
\??\c:\9nbhth.exec:\9nbhth.exe76⤵
-
\??\c:\htbtnb.exec:\htbtnb.exe77⤵
-
\??\c:\pdvvj.exec:\pdvvj.exe78⤵
-
\??\c:\jddjv.exec:\jddjv.exe79⤵
-
\??\c:\1frxrfr.exec:\1frxrfr.exe80⤵
-
\??\c:\9hnttb.exec:\9hnttb.exe81⤵
-
\??\c:\hbtntt.exec:\hbtntt.exe82⤵
-
\??\c:\djdjd.exec:\djdjd.exe83⤵
-
\??\c:\pvdpv.exec:\pvdpv.exe84⤵
-
\??\c:\xrxflxl.exec:\xrxflxl.exe85⤵
-
\??\c:\xlrxlrf.exec:\xlrxlrf.exe86⤵
-
\??\c:\tttnhn.exec:\tttnhn.exe87⤵
-
\??\c:\nnhtbn.exec:\nnhtbn.exe88⤵
-
\??\c:\jdpvp.exec:\jdpvp.exe89⤵
-
\??\c:\xrfflrx.exec:\xrfflrx.exe90⤵
-
\??\c:\xxrfxxf.exec:\xxrfxxf.exe91⤵
-
\??\c:\nhtbhn.exec:\nhtbhn.exe92⤵
-
\??\c:\ppddd.exec:\ppddd.exe93⤵
-
\??\c:\dvppd.exec:\dvppd.exe94⤵
-
\??\c:\xrxxxxr.exec:\xrxxxxr.exe95⤵
-
\??\c:\xxflxxf.exec:\xxflxxf.exe96⤵
-
\??\c:\nbhntb.exec:\nbhntb.exe97⤵
-
\??\c:\9bttbb.exec:\9bttbb.exe98⤵
-
\??\c:\9jpjd.exec:\9jpjd.exe99⤵
-
\??\c:\rlxflff.exec:\rlxflff.exe100⤵
-
\??\c:\lfllflr.exec:\lfllflr.exe101⤵
-
\??\c:\nhntbn.exec:\nhntbn.exe102⤵
-
\??\c:\5bhhhn.exec:\5bhhhn.exe103⤵
-
\??\c:\dpvjp.exec:\dpvjp.exe104⤵
-
\??\c:\pjjvd.exec:\pjjvd.exe105⤵
-
\??\c:\lrxrrll.exec:\lrxrrll.exe106⤵
-
\??\c:\hbbnbn.exec:\hbbnbn.exe107⤵
-
\??\c:\hnnnbt.exec:\hnnnbt.exe108⤵
-
\??\c:\jdddp.exec:\jdddp.exe109⤵
-
\??\c:\3jddj.exec:\3jddj.exe110⤵
-
\??\c:\5lxxllr.exec:\5lxxllr.exe111⤵
-
\??\c:\tnbhnt.exec:\tnbhnt.exe112⤵
-
\??\c:\hhhtnb.exec:\hhhtnb.exe113⤵
-
\??\c:\1jvdj.exec:\1jvdj.exe114⤵
-
\??\c:\jdpdv.exec:\jdpdv.exe115⤵
-
\??\c:\xrlxffr.exec:\xrlxffr.exe116⤵
-
\??\c:\nhhhhn.exec:\nhhhhn.exe117⤵
-
\??\c:\nhhnbb.exec:\nhhnbb.exe118⤵
- System Location Discovery: System Language Discovery
-
\??\c:\5vjjp.exec:\5vjjp.exe119⤵
-
\??\c:\9ddpp.exec:\9ddpp.exe120⤵
-
\??\c:\lfrflxx.exec:\lfrflxx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-