Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19/09/2024, 03:27
General
-
Target
69cb80d5a3db78996cbef0e7f86182a92e689f3d8d964b244ed0a596fe385cb2N.exe
-
Size
593KB
-
MD5
4081cbe3e7376ce450e2802b823fd6b0
-
SHA1
7e677856ae40d735168aa79bbfdc4edbb47873a9
-
SHA256
69cb80d5a3db78996cbef0e7f86182a92e689f3d8d964b244ed0a596fe385cb2
-
SHA512
4024219d4520e9868527d7cba962a53ee011e2ef753119649b4e52a6c04766e6f055bf627ba9f2560178af3aecc016e1efa8b52ffec4152f07163b7e189491d2
-
SSDEEP
6144:n3C9BRIj+ebjcSbcY+CaQdaFOY4iGFYtRdzzoyYxJAyfgayL6:n3C9Lebz+xt4vFeFmgay+
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 17 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\69cb80d5a3db78996cbef0e7f86182a92e689f3d8d964b244ed0a596fe385cb2N.exe"C:\Users\Admin\AppData\Local\Temp\69cb80d5a3db78996cbef0e7f86182a92e689f3d8d964b244ed0a596fe385cb2N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjpv.exec:\ddjpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdj.exec:\dvjdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhnn.exec:\tnbhnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhth.exec:\hbhhth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrxrr.exec:\rlxrxrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnbbb.exec:\htnbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjddv.exec:\pjddv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9fffllx.exec:\9fffllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vdpp.exec:\7vdpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpppv.exec:\jpppv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbntn.exec:\thbntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjjp.exec:\dvjjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bnttb.exec:\1bnttb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnhhh.exec:\hnnhhh.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrxxl.exec:\xrxrxxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnhhh.exec:\thnhhh.exe17⤵
- Executes dropped EXE
-
\??\c:\frrllrr.exec:\frrllrr.exe18⤵
- Executes dropped EXE
-
\??\c:\hthbbt.exec:\hthbbt.exe19⤵
- Executes dropped EXE
-
\??\c:\fxxxxfl.exec:\fxxxxfl.exe20⤵
- Executes dropped EXE
-
\??\c:\nbbhnn.exec:\nbbhnn.exe21⤵
- Executes dropped EXE
-
\??\c:\dpvvp.exec:\dpvvp.exe22⤵
- Executes dropped EXE
-
\??\c:\xrxxfll.exec:\xrxxfll.exe23⤵
- Executes dropped EXE
-
\??\c:\9bnhnt.exec:\9bnhnt.exe24⤵
- Executes dropped EXE
-
\??\c:\vjppv.exec:\vjppv.exe25⤵
- Executes dropped EXE
-
\??\c:\nhbbnn.exec:\nhbbnn.exe26⤵
- Executes dropped EXE
-
\??\c:\pjppv.exec:\pjppv.exe27⤵
- Executes dropped EXE
-
\??\c:\lxrrxff.exec:\lxrrxff.exe28⤵
- Executes dropped EXE
-
\??\c:\nnnhbn.exec:\nnnhbn.exe29⤵
- Executes dropped EXE
-
\??\c:\llrrrrr.exec:\llrrrrr.exe30⤵
- Executes dropped EXE
-
\??\c:\pjdpd.exec:\pjdpd.exe31⤵
- Executes dropped EXE
-
\??\c:\xrffxxx.exec:\xrffxxx.exe32⤵
- Executes dropped EXE
-
\??\c:\bntnbb.exec:\bntnbb.exe33⤵
- Executes dropped EXE
-
\??\c:\9vjjj.exec:\9vjjj.exe34⤵
- Executes dropped EXE
-
\??\c:\xrfxffl.exec:\xrfxffl.exe35⤵
- Executes dropped EXE
-
\??\c:\htbhbh.exec:\htbhbh.exe36⤵
- Executes dropped EXE
-
\??\c:\thhthn.exec:\thhthn.exe37⤵
- Executes dropped EXE
-
\??\c:\vpddj.exec:\vpddj.exe38⤵
- Executes dropped EXE
-
\??\c:\5rxlfrr.exec:\5rxlfrr.exe39⤵
- Executes dropped EXE
-
\??\c:\tnhbhn.exec:\tnhbhn.exe40⤵
- Executes dropped EXE
-
\??\c:\tthhhn.exec:\tthhhn.exe41⤵
- Executes dropped EXE
-
\??\c:\dvvvj.exec:\dvvvj.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\fxrxffl.exec:\fxrxffl.exe43⤵
- Executes dropped EXE
-
\??\c:\tbhnnn.exec:\tbhnnn.exe44⤵
- Executes dropped EXE
-
\??\c:\tthbnn.exec:\tthbnn.exe45⤵
- Executes dropped EXE
-
\??\c:\vpddj.exec:\vpddj.exe46⤵
- Executes dropped EXE
-
\??\c:\lfllrff.exec:\lfllrff.exe47⤵
- Executes dropped EXE
-
\??\c:\bbtntt.exec:\bbtntt.exe48⤵
- Executes dropped EXE
-
\??\c:\btnhnn.exec:\btnhnn.exe49⤵
- Executes dropped EXE
-
\??\c:\jjddj.exec:\jjddj.exe50⤵
- Executes dropped EXE
-
\??\c:\rlxrffl.exec:\rlxrffl.exe51⤵
- Executes dropped EXE
-
\??\c:\nhtbhb.exec:\nhtbhb.exe52⤵
- Executes dropped EXE
-
\??\c:\ttntbh.exec:\ttntbh.exe53⤵
- Executes dropped EXE
-
\??\c:\pdvdd.exec:\pdvdd.exe54⤵
- Executes dropped EXE
-
\??\c:\xrxfllr.exec:\xrxfllr.exe55⤵
- Executes dropped EXE
-
\??\c:\htbhtt.exec:\htbhtt.exe56⤵
- Executes dropped EXE
-
\??\c:\thhhhh.exec:\thhhhh.exe57⤵
- Executes dropped EXE
-
\??\c:\jvddv.exec:\jvddv.exe58⤵
- Executes dropped EXE
-
\??\c:\xxllrfl.exec:\xxllrfl.exe59⤵
- Executes dropped EXE
-
\??\c:\hbnttn.exec:\hbnttn.exe60⤵
- Executes dropped EXE
-
\??\c:\vjjdd.exec:\vjjdd.exe61⤵
- Executes dropped EXE
-
\??\c:\pvddj.exec:\pvddj.exe62⤵
- Executes dropped EXE
-
\??\c:\9rlrxxl.exec:\9rlrxxl.exe63⤵
- Executes dropped EXE
-
\??\c:\thhhbt.exec:\thhhbt.exe64⤵
- Executes dropped EXE
-
\??\c:\nhtttb.exec:\nhtttb.exe65⤵
- Executes dropped EXE
-
\??\c:\vjvvd.exec:\vjvvd.exe66⤵
-
\??\c:\lrfxflf.exec:\lrfxflf.exe67⤵
-
\??\c:\rlxllll.exec:\rlxllll.exe68⤵
-
\??\c:\htbbhb.exec:\htbbhb.exe69⤵
-
\??\c:\dppvd.exec:\dppvd.exe70⤵
-
\??\c:\rlrflxf.exec:\rlrflxf.exe71⤵
-
\??\c:\lffffll.exec:\lffffll.exe72⤵
-
\??\c:\bthnnn.exec:\bthnnn.exe73⤵
-
\??\c:\vpvdv.exec:\vpvdv.exe74⤵
-
\??\c:\frllxxf.exec:\frllxxf.exe75⤵
-
\??\c:\nbnntn.exec:\nbnntn.exe76⤵
-
\??\c:\1bbhnb.exec:\1bbhnb.exe77⤵
-
\??\c:\vpjpv.exec:\vpjpv.exe78⤵
-
\??\c:\lllxlfl.exec:\lllxlfl.exe79⤵
-
\??\c:\ttbnhh.exec:\ttbnhh.exe80⤵
-
\??\c:\9vjvj.exec:\9vjvj.exe81⤵
-
\??\c:\vdjpd.exec:\vdjpd.exe82⤵
-
\??\c:\7rlrrrx.exec:\7rlrrrx.exe83⤵
-
\??\c:\5bbhht.exec:\5bbhht.exe84⤵
-
\??\c:\pdvjv.exec:\pdvjv.exe85⤵
-
\??\c:\xxxrfxf.exec:\xxxrfxf.exe86⤵
-
\??\c:\1fxffll.exec:\1fxffll.exe87⤵
-
\??\c:\hbnnhn.exec:\hbnnhn.exe88⤵
-
\??\c:\pjppv.exec:\pjppv.exe89⤵
-
\??\c:\5lxrrrr.exec:\5lxrrrr.exe90⤵
-
\??\c:\tnnnbt.exec:\tnnnbt.exe91⤵
-
\??\c:\5htnnh.exec:\5htnnh.exe92⤵
-
\??\c:\vvjjp.exec:\vvjjp.exe93⤵
-
\??\c:\3hbhhh.exec:\3hbhhh.exe94⤵
-
\??\c:\hbntbt.exec:\hbntbt.exe95⤵
-
\??\c:\1pvpp.exec:\1pvpp.exe96⤵
-
\??\c:\rfrffrr.exec:\rfrffrr.exe97⤵
-
\??\c:\5btntn.exec:\5btntn.exe98⤵
-
\??\c:\3nnhhn.exec:\3nnhhn.exe99⤵
-
\??\c:\pvjjp.exec:\pvjjp.exe100⤵
-
\??\c:\lfrxflr.exec:\lfrxflr.exe101⤵
-
\??\c:\3bntnn.exec:\3bntnn.exe102⤵
-
\??\c:\ntbhth.exec:\ntbhth.exe103⤵
-
\??\c:\pjppj.exec:\pjppj.exe104⤵
-
\??\c:\lxrlflf.exec:\lxrlflf.exe105⤵
-
\??\c:\flfrrxl.exec:\flfrrxl.exe106⤵
-
\??\c:\htnnhb.exec:\htnnhb.exe107⤵
-
\??\c:\dpppv.exec:\dpppv.exe108⤵
-
\??\c:\xrxxlll.exec:\xrxxlll.exe109⤵
-
\??\c:\xfflrxr.exec:\xfflrxr.exe110⤵
-
\??\c:\bbthnt.exec:\bbthnt.exe111⤵
-
\??\c:\jdddv.exec:\jdddv.exe112⤵
-
\??\c:\jdddd.exec:\jdddd.exe113⤵
-
\??\c:\lflrrxl.exec:\lflrrxl.exe114⤵
-
\??\c:\nhhhbt.exec:\nhhhbt.exe115⤵
-
\??\c:\5dpvp.exec:\5dpvp.exe116⤵
-
\??\c:\jdppp.exec:\jdppp.exe117⤵
-
\??\c:\lfrxxlf.exec:\lfrxxlf.exe118⤵
-
\??\c:\tnnnnn.exec:\tnnnnn.exe119⤵
-
\??\c:\3pvpp.exec:\3pvpp.exe120⤵
-
\??\c:\xxllrxf.exec:\xxllrxf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-