Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19/09/2024, 01:09
General
-
Target
6809381156afeb450f60530851c697753136102ecc0d71915b9301dda8abe408N.exe
-
Size
62KB
-
MD5
b6c4de73e2e2079bcfb1966400628eb0
-
SHA1
bab17a1d46e6c61c8dbaf33b90ccf1393e00ff68
-
SHA256
6809381156afeb450f60530851c697753136102ecc0d71915b9301dda8abe408
-
SHA512
0bc4c7ce902510ac3c8220a2a35f7009ce32f6fdd4fea1e3657564a256e199e676de01c6f9305ccc4761b184b8c2a1c97ff578e145ec5e3cc4fd1d2be8131971
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIms9H:ymb3NkkiQ3mdBjFIsIFZ
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6809381156afeb450f60530851c697753136102ecc0d71915b9301dda8abe408N.exe"C:\Users\Admin\AppData\Local\Temp\6809381156afeb450f60530851c697753136102ecc0d71915b9301dda8abe408N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\btnnbh.exec:\btnnbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbbnt.exec:\hbbbnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthtbb.exec:\bthtbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppvp.exec:\pppvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvvd.exec:\pdvvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxfflr.exec:\rlxfflr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhttn.exec:\bbhttn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdjj.exec:\vpdjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvvv.exec:\vjvvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxflr.exec:\lfrxflr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxlfrf.exec:\lrxlfrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nthhbh.exec:\nthhbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnhtn.exec:\bbnhtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fflrxrr.exec:\fflrxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfxxff.exec:\rlfxxff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tbtth.exec:\5tbtth.exe17⤵
- Executes dropped EXE
-
\??\c:\1bbbnh.exec:\1bbbnh.exe18⤵
- Executes dropped EXE
-
\??\c:\dvpvj.exec:\dvpvj.exe19⤵
- Executes dropped EXE
-
\??\c:\3lxflrx.exec:\3lxflrx.exe20⤵
- Executes dropped EXE
-
\??\c:\fxrxllx.exec:\fxrxllx.exe21⤵
- Executes dropped EXE
-
\??\c:\1tnhtt.exec:\1tnhtt.exe22⤵
- Executes dropped EXE
-
\??\c:\pjdjp.exec:\pjdjp.exe23⤵
- Executes dropped EXE
-
\??\c:\pdpvd.exec:\pdpvd.exe24⤵
- Executes dropped EXE
-
\??\c:\lfrrffl.exec:\lfrrffl.exe25⤵
- Executes dropped EXE
-
\??\c:\nbhhnn.exec:\nbhhnn.exe26⤵
- Executes dropped EXE
-
\??\c:\pjdvj.exec:\pjdvj.exe27⤵
- Executes dropped EXE
-
\??\c:\dvvjj.exec:\dvvjj.exe28⤵
- Executes dropped EXE
-
\??\c:\pjddd.exec:\pjddd.exe29⤵
- Executes dropped EXE
-
\??\c:\rllxllx.exec:\rllxllx.exe30⤵
- Executes dropped EXE
-
\??\c:\9hbbnn.exec:\9hbbnn.exe31⤵
- Executes dropped EXE
-
\??\c:\5bbnbb.exec:\5bbnbb.exe32⤵
- Executes dropped EXE
-
\??\c:\dvjjj.exec:\dvjjj.exe33⤵
- Executes dropped EXE
-
\??\c:\5xrrflr.exec:\5xrrflr.exe34⤵
- Executes dropped EXE
-
\??\c:\lrfffxx.exec:\lrfffxx.exe35⤵
- Executes dropped EXE
-
\??\c:\7tntth.exec:\7tntth.exe36⤵
- Executes dropped EXE
-
\??\c:\hbhnbh.exec:\hbhnbh.exe37⤵
- Executes dropped EXE
-
\??\c:\5tnntb.exec:\5tnntb.exe38⤵
- Executes dropped EXE
-
\??\c:\djddv.exec:\djddv.exe39⤵
- Executes dropped EXE
-
\??\c:\jdjjj.exec:\jdjjj.exe40⤵
- Executes dropped EXE
-
\??\c:\fxrxxfl.exec:\fxrxxfl.exe41⤵
- Executes dropped EXE
-
\??\c:\frffrrf.exec:\frffrrf.exe42⤵
- Executes dropped EXE
-
\??\c:\nhbtbt.exec:\nhbtbt.exe43⤵
- Executes dropped EXE
-
\??\c:\hbhntt.exec:\hbhntt.exe44⤵
- Executes dropped EXE
-
\??\c:\ddvdj.exec:\ddvdj.exe45⤵
- Executes dropped EXE
-
\??\c:\dpddd.exec:\dpddd.exe46⤵
- Executes dropped EXE
-
\??\c:\jjjpv.exec:\jjjpv.exe47⤵
- Executes dropped EXE
-
\??\c:\llffrxf.exec:\llffrxf.exe48⤵
- Executes dropped EXE
-
\??\c:\fxrflrf.exec:\fxrflrf.exe49⤵
- Executes dropped EXE
-
\??\c:\ttbntt.exec:\ttbntt.exe50⤵
- Executes dropped EXE
-
\??\c:\9bhnbb.exec:\9bhnbb.exe51⤵
- Executes dropped EXE
-
\??\c:\jdppv.exec:\jdppv.exe52⤵
- Executes dropped EXE
-
\??\c:\dpppv.exec:\dpppv.exe53⤵
- Executes dropped EXE
-
\??\c:\fxrrrlr.exec:\fxrrrlr.exe54⤵
- Executes dropped EXE
-
\??\c:\fxffffl.exec:\fxffffl.exe55⤵
- Executes dropped EXE
-
\??\c:\nhnntt.exec:\nhnntt.exe56⤵
- Executes dropped EXE
-
\??\c:\nntbbh.exec:\nntbbh.exe57⤵
- Executes dropped EXE
-
\??\c:\ppddj.exec:\ppddj.exe58⤵
- Executes dropped EXE
-
\??\c:\ppdpv.exec:\ppdpv.exe59⤵
- Executes dropped EXE
-
\??\c:\lrfxxxf.exec:\lrfxxxf.exe60⤵
- Executes dropped EXE
-
\??\c:\xxrfffr.exec:\xxrfffr.exe61⤵
- Executes dropped EXE
-
\??\c:\hbhntt.exec:\hbhntt.exe62⤵
- Executes dropped EXE
-
\??\c:\tnhbnh.exec:\tnhbnh.exe63⤵
- Executes dropped EXE
-
\??\c:\jdpvj.exec:\jdpvj.exe64⤵
- Executes dropped EXE
-
\??\c:\llflrrx.exec:\llflrrx.exe65⤵
- Executes dropped EXE
-
\??\c:\rfrrfff.exec:\rfrrfff.exe66⤵
-
\??\c:\rxffxll.exec:\rxffxll.exe67⤵
-
\??\c:\nbhhhh.exec:\nbhhhh.exe68⤵
-
\??\c:\3jvvv.exec:\3jvvv.exe69⤵
-
\??\c:\pdvvp.exec:\pdvvp.exe70⤵
-
\??\c:\rllflrf.exec:\rllflrf.exe71⤵
-
\??\c:\btbhnn.exec:\btbhnn.exe72⤵
-
\??\c:\pdjjp.exec:\pdjjp.exe73⤵
-
\??\c:\lfxffll.exec:\lfxffll.exe74⤵
-
\??\c:\lllllff.exec:\lllllff.exe75⤵
-
\??\c:\1rrrrrf.exec:\1rrrrrf.exe76⤵
-
\??\c:\5hbhbh.exec:\5hbhbh.exe77⤵
-
\??\c:\tbntbt.exec:\tbntbt.exe78⤵
-
\??\c:\vvjpp.exec:\vvjpp.exe79⤵
-
\??\c:\3dvdp.exec:\3dvdp.exe80⤵
-
\??\c:\3jvdj.exec:\3jvdj.exe81⤵
-
\??\c:\lfxffrf.exec:\lfxffrf.exe82⤵
-
\??\c:\xrxffxr.exec:\xrxffxr.exe83⤵
-
\??\c:\nhbthb.exec:\nhbthb.exe84⤵
-
\??\c:\nnbhbb.exec:\nnbhbb.exe85⤵
-
\??\c:\nbnhhh.exec:\nbnhhh.exe86⤵
-
\??\c:\3vjjd.exec:\3vjjd.exe87⤵
-
\??\c:\5vpdj.exec:\5vpdj.exe88⤵
-
\??\c:\xlfxrll.exec:\xlfxrll.exe89⤵
-
\??\c:\rlllfff.exec:\rlllfff.exe90⤵
-
\??\c:\1bbbbb.exec:\1bbbbb.exe91⤵
-
\??\c:\nbhnnn.exec:\nbhnnn.exe92⤵
-
\??\c:\1jjdd.exec:\1jjdd.exe93⤵
-
\??\c:\1vppp.exec:\1vppp.exe94⤵
-
\??\c:\pdppv.exec:\pdppv.exe95⤵
-
\??\c:\1xffxxf.exec:\1xffxxf.exe96⤵
-
\??\c:\rflrrlr.exec:\rflrrlr.exe97⤵
-
\??\c:\nbbhbh.exec:\nbbhbh.exe98⤵
-
\??\c:\jjppp.exec:\jjppp.exe99⤵
-
\??\c:\pjdjp.exec:\pjdjp.exe100⤵
-
\??\c:\jvvjj.exec:\jvvjj.exe101⤵
-
\??\c:\rfxlrxx.exec:\rfxlrxx.exe102⤵
-
\??\c:\1xllfxr.exec:\1xllfxr.exe103⤵
-
\??\c:\htntbb.exec:\htntbb.exe104⤵
-
\??\c:\jvppp.exec:\jvppp.exe105⤵
-
\??\c:\dpddj.exec:\dpddj.exe106⤵
-
\??\c:\dpdjj.exec:\dpdjj.exe107⤵
-
\??\c:\xlxxxxf.exec:\xlxxxxf.exe108⤵
-
\??\c:\9lrlllr.exec:\9lrlllr.exe109⤵
-
\??\c:\btnntt.exec:\btnntt.exe110⤵
-
\??\c:\thhtbb.exec:\thhtbb.exe111⤵
-
\??\c:\vpvdp.exec:\vpvdp.exe112⤵
-
\??\c:\jvjvp.exec:\jvjvp.exe113⤵
-
\??\c:\lfxfllr.exec:\lfxfllr.exe114⤵
-
\??\c:\hbnnhb.exec:\hbnnhb.exe115⤵
-
\??\c:\nhnntt.exec:\nhnntt.exe116⤵
-
\??\c:\bbbnnh.exec:\bbbnnh.exe117⤵
-
\??\c:\dvjdp.exec:\dvjdp.exe118⤵
-
\??\c:\7fxxlll.exec:\7fxxlll.exe119⤵
-
\??\c:\xrflrrx.exec:\xrflrrx.exe120⤵
-
\??\c:\nhhhtt.exec:\nhhhtt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-