Analysis
-
max time kernel
150s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19/09/2024, 03:51
General
-
Target
9470bea50c62ee7f6a001a5b43c162dae9c1af6594cf12b8a541dc156b44d62eN.exe
-
Size
67KB
-
MD5
3d7f150d61e1b668d68ef7f24d2dbb70
-
SHA1
41a1a1bec653332adf3d3f209ca2db80075e8198
-
SHA256
9470bea50c62ee7f6a001a5b43c162dae9c1af6594cf12b8a541dc156b44d62e
-
SHA512
55ebdcb87d2d6be2bfd5e608062f303fe0699a251864d696dc01f5186e08aa19d2cc4c8ff78d049f6e5db2862471bf9bed3401916636468ffc15f9dc515b33b4
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Bqfo4o:ymb3NkkiQ3mdBjFI9cqfVo
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9470bea50c62ee7f6a001a5b43c162dae9c1af6594cf12b8a541dc156b44d62eN.exe"C:\Users\Admin\AppData\Local\Temp\9470bea50c62ee7f6a001a5b43c162dae9c1af6594cf12b8a541dc156b44d62eN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ltjnjn.exec:\ltjnjn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lhtnh.exec:\lhtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fbfvprv.exec:\fbfvprv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrdbp.exec:\rrdbp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fntfpl.exec:\fntfpl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nlddlxl.exec:\nlddlxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rthdhfn.exec:\rthdhfn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ndhvtp.exec:\ndhvtp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thpft.exec:\thpft.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvbnxt.exec:\pvbnxt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bfdvvh.exec:\bfdvvh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rjjbhf.exec:\rjjbhf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnvbn.exec:\hnvbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthdx.exec:\hthdx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fllfxn.exec:\fllfxn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdlfhh.exec:\pdlfhh.exe17⤵
- Executes dropped EXE
-
\??\c:\jbdftr.exec:\jbdftr.exe18⤵
- Executes dropped EXE
-
\??\c:\flnjt.exec:\flnjt.exe19⤵
- Executes dropped EXE
-
\??\c:\fjhjj.exec:\fjhjj.exe20⤵
- Executes dropped EXE
-
\??\c:\jvjldh.exec:\jvjldh.exe21⤵
- Executes dropped EXE
-
\??\c:\rbtjnbn.exec:\rbtjnbn.exe22⤵
- Executes dropped EXE
-
\??\c:\nnlhb.exec:\nnlhb.exe23⤵
- Executes dropped EXE
-
\??\c:\vhhpdf.exec:\vhhpdf.exe24⤵
- Executes dropped EXE
-
\??\c:\bpnjhp.exec:\bpnjhp.exe25⤵
- Executes dropped EXE
-
\??\c:\hrvlbd.exec:\hrvlbd.exe26⤵
- Executes dropped EXE
-
\??\c:\ppvttxb.exec:\ppvttxb.exe27⤵
- Executes dropped EXE
-
\??\c:\llplx.exec:\llplx.exe28⤵
- Executes dropped EXE
-
\??\c:\djdhxn.exec:\djdhxn.exe29⤵
- Executes dropped EXE
-
\??\c:\hnjrd.exec:\hnjrd.exe30⤵
- Executes dropped EXE
-
\??\c:\dhbbp.exec:\dhbbp.exe31⤵
- Executes dropped EXE
-
\??\c:\txvblh.exec:\txvblh.exe32⤵
- Executes dropped EXE
-
\??\c:\bntrfj.exec:\bntrfj.exe33⤵
- Executes dropped EXE
-
\??\c:\fjtrbv.exec:\fjtrbv.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nhnxn.exec:\nhnxn.exe35⤵
- Executes dropped EXE
-
\??\c:\thptjbj.exec:\thptjbj.exe36⤵
- Executes dropped EXE
-
\??\c:\pfrrbj.exec:\pfrrbj.exe37⤵
- Executes dropped EXE
-
\??\c:\lpfxtr.exec:\lpfxtr.exe38⤵
- Executes dropped EXE
-
\??\c:\lvfdlfj.exec:\lvfdlfj.exe39⤵
- Executes dropped EXE
-
\??\c:\bfnrrl.exec:\bfnrrl.exe40⤵
- Executes dropped EXE
-
\??\c:\vptff.exec:\vptff.exe41⤵
- Executes dropped EXE
-
\??\c:\ftxhhjv.exec:\ftxhhjv.exe42⤵
- Executes dropped EXE
-
\??\c:\vljbjt.exec:\vljbjt.exe43⤵
- Executes dropped EXE
-
\??\c:\hlrjv.exec:\hlrjv.exe44⤵
- Executes dropped EXE
-
\??\c:\hfllf.exec:\hfllf.exe45⤵
- Executes dropped EXE
-
\??\c:\hvvpjb.exec:\hvvpjb.exe46⤵
- Executes dropped EXE
-
\??\c:\hrtlvn.exec:\hrtlvn.exe47⤵
- Executes dropped EXE
-
\??\c:\bdvjx.exec:\bdvjx.exe48⤵
- Executes dropped EXE
-
\??\c:\ttbprtv.exec:\ttbprtv.exe49⤵
- Executes dropped EXE
-
\??\c:\rvfvjnv.exec:\rvfvjnv.exe50⤵
- Executes dropped EXE
-
\??\c:\nhtvx.exec:\nhtvx.exe51⤵
- Executes dropped EXE
-
\??\c:\fbnfjn.exec:\fbnfjn.exe52⤵
- Executes dropped EXE
-
\??\c:\rnjrp.exec:\rnjrp.exe53⤵
- Executes dropped EXE
-
\??\c:\ntrxvjj.exec:\ntrxvjj.exe54⤵
- Executes dropped EXE
-
\??\c:\nhvbnt.exec:\nhvbnt.exe55⤵
- Executes dropped EXE
-
\??\c:\tbtnv.exec:\tbtnv.exe56⤵
- Executes dropped EXE
-
\??\c:\vxbdjhj.exec:\vxbdjhj.exe57⤵
- Executes dropped EXE
-
\??\c:\xfrjxh.exec:\xfrjxh.exe58⤵
- Executes dropped EXE
-
\??\c:\lfbpj.exec:\lfbpj.exe59⤵
- Executes dropped EXE
-
\??\c:\vtbhn.exec:\vtbhn.exe60⤵
- Executes dropped EXE
-
\??\c:\jbflpl.exec:\jbflpl.exe61⤵
- Executes dropped EXE
-
\??\c:\rxtln.exec:\rxtln.exe62⤵
- Executes dropped EXE
-
\??\c:\fdxjn.exec:\fdxjn.exe63⤵
- Executes dropped EXE
-
\??\c:\pldvbv.exec:\pldvbv.exe64⤵
- Executes dropped EXE
-
\??\c:\bhtft.exec:\bhtft.exe65⤵
- Executes dropped EXE
-
\??\c:\pvrvdt.exec:\pvrvdt.exe66⤵
-
\??\c:\xhrfxvh.exec:\xhrfxvh.exe67⤵
-
\??\c:\xfpvv.exec:\xfpvv.exe68⤵
-
\??\c:\rfddb.exec:\rfddb.exe69⤵
-
\??\c:\tdpbr.exec:\tdpbr.exe70⤵
-
\??\c:\xhxjnft.exec:\xhxjnft.exe71⤵
-
\??\c:\xxjxpp.exec:\xxjxpp.exe72⤵
-
\??\c:\phtlx.exec:\phtlx.exe73⤵
-
\??\c:\blpxxfj.exec:\blpxxfj.exe74⤵
-
\??\c:\hflvnv.exec:\hflvnv.exe75⤵
-
\??\c:\lrdfhvb.exec:\lrdfhvb.exe76⤵
-
\??\c:\djnhl.exec:\djnhl.exe77⤵
-
\??\c:\hbxlxxh.exec:\hbxlxxh.exe78⤵
-
\??\c:\pnbrnl.exec:\pnbrnl.exe79⤵
-
\??\c:\rvhlp.exec:\rvhlp.exe80⤵
-
\??\c:\thfjf.exec:\thfjf.exe81⤵
-
\??\c:\pxppv.exec:\pxppv.exe82⤵
-
\??\c:\vtbltj.exec:\vtbltj.exe83⤵
-
\??\c:\pdffrb.exec:\pdffrb.exe84⤵
-
\??\c:\rvfxn.exec:\rvfxn.exe85⤵
-
\??\c:\fxrtlf.exec:\fxrtlf.exe86⤵
-
\??\c:\ntdnjf.exec:\ntdnjf.exe87⤵
-
\??\c:\jbrpr.exec:\jbrpr.exe88⤵
-
\??\c:\nhtnnb.exec:\nhtnnb.exe89⤵
-
\??\c:\dldrvdn.exec:\dldrvdn.exe90⤵
-
\??\c:\bttft.exec:\bttft.exe91⤵
-
\??\c:\lhxflv.exec:\lhxflv.exe92⤵
-
\??\c:\rvpvt.exec:\rvpvt.exe93⤵
-
\??\c:\fbdbj.exec:\fbdbj.exe94⤵
-
\??\c:\xjpjtb.exec:\xjpjtb.exe95⤵
-
\??\c:\vnrbxtv.exec:\vnrbxtv.exe96⤵
-
\??\c:\ftppv.exec:\ftppv.exe97⤵
-
\??\c:\bnnhvh.exec:\bnnhvh.exe98⤵
-
\??\c:\bjlvnv.exec:\bjlvnv.exe99⤵
-
\??\c:\fxrxvp.exec:\fxrxvp.exe100⤵
-
\??\c:\thpppf.exec:\thpppf.exe101⤵
-
\??\c:\hrrtxhx.exec:\hrrtxhx.exe102⤵
-
\??\c:\jjrpn.exec:\jjrpn.exe103⤵
-
\??\c:\vftjhdb.exec:\vftjhdb.exe104⤵
-
\??\c:\htxjjx.exec:\htxjjx.exe105⤵
-
\??\c:\rxfrf.exec:\rxfrf.exe106⤵
-
\??\c:\nfbxpr.exec:\nfbxpr.exe107⤵
-
\??\c:\vtdpp.exec:\vtdpp.exe108⤵
-
\??\c:\hfxdhfb.exec:\hfxdhfb.exe109⤵
-
\??\c:\htbjdbf.exec:\htbjdbf.exe110⤵
-
\??\c:\dffvlf.exec:\dffvlf.exe111⤵
-
\??\c:\xbfdt.exec:\xbfdt.exe112⤵
-
\??\c:\plbtx.exec:\plbtx.exe113⤵
-
\??\c:\lbhrn.exec:\lbhrn.exe114⤵
-
\??\c:\fjxpjr.exec:\fjxpjr.exe115⤵
-
\??\c:\lthnv.exec:\lthnv.exe116⤵
-
\??\c:\nnljn.exec:\nnljn.exe117⤵
-
\??\c:\bfphvn.exec:\bfphvn.exe118⤵
-
\??\c:\fpffrdn.exec:\fpffrdn.exe119⤵
-
\??\c:\vtxlfr.exec:\vtxlfr.exe120⤵
-
\??\c:\fbhbrx.exec:\fbhbrx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-