Analysis
-
max time kernel
120s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-09-2024 06:38
General
-
Target
420ee04e303d000e1ea91aa9790aac6bef2e96ec7c6375d212f34cc7b4e57809N.exe
-
Size
58KB
-
MD5
67848d081fcd57a681130b7fc7895c40
-
SHA1
078724efa39319e70427adad39056f59b61396de
-
SHA256
420ee04e303d000e1ea91aa9790aac6bef2e96ec7c6375d212f34cc7b4e57809
-
SHA512
a8a285015904318a13a70298509cab798f79abe9d3d3649e2c9e2ca10cf5416615b2d37201bf018f7052931f2c175cfb8bc2f9bcbdfff9bc204ba89d86ab8ff7
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIfv781:ymb3NkkiQ3mdBjFIfvY1
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\420ee04e303d000e1ea91aa9790aac6bef2e96ec7c6375d212f34cc7b4e57809N.exe"C:\Users\Admin\AppData\Local\Temp\420ee04e303d000e1ea91aa9790aac6bef2e96ec7c6375d212f34cc7b4e57809N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xllxxrr.exec:\xllxxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhtt.exec:\nhbhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjppv.exec:\pjppv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppdp.exec:\dppdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrxlrf.exec:\rlrxlrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxlfl.exec:\lfrxlfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhhnt.exec:\nbhhnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tbbbb.exec:\5tbbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvpp.exec:\jpvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rrrrrr.exec:\1rrrrrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ntntt.exec:\3ntntt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhbbb.exec:\bbhbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppddv.exec:\ppddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppddj.exec:\ppddj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflllfr.exec:\xflllfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllfrll.exec:\xllfrll.exe17⤵
- Executes dropped EXE
-
\??\c:\nbnttb.exec:\nbnttb.exe18⤵
- Executes dropped EXE
-
\??\c:\7nbhnt.exec:\7nbhnt.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\pjjjd.exec:\pjjjd.exe20⤵
- Executes dropped EXE
-
\??\c:\vpdvj.exec:\vpdvj.exe21⤵
- Executes dropped EXE
-
\??\c:\xrxxlll.exec:\xrxxlll.exe22⤵
- Executes dropped EXE
-
\??\c:\fxxxllr.exec:\fxxxllr.exe23⤵
- Executes dropped EXE
-
\??\c:\nbhbnn.exec:\nbhbnn.exe24⤵
- Executes dropped EXE
-
\??\c:\jdvvj.exec:\jdvvj.exe25⤵
- Executes dropped EXE
-
\??\c:\jdppv.exec:\jdppv.exe26⤵
- Executes dropped EXE
-
\??\c:\frxflrx.exec:\frxflrx.exe27⤵
- Executes dropped EXE
-
\??\c:\hbhtbn.exec:\hbhtbn.exe28⤵
- Executes dropped EXE
-
\??\c:\btnthb.exec:\btnthb.exe29⤵
- Executes dropped EXE
-
\??\c:\jdvvd.exec:\jdvvd.exe30⤵
- Executes dropped EXE
-
\??\c:\dpvvj.exec:\dpvvj.exe31⤵
- Executes dropped EXE
-
\??\c:\fxxrfrx.exec:\fxxrfrx.exe32⤵
- Executes dropped EXE
-
\??\c:\ffrxllf.exec:\ffrxllf.exe33⤵
- Executes dropped EXE
-
\??\c:\9nbbnt.exec:\9nbbnt.exe34⤵
- Executes dropped EXE
-
\??\c:\vpjjp.exec:\vpjjp.exe35⤵
- Executes dropped EXE
-
\??\c:\9pddj.exec:\9pddj.exe36⤵
- Executes dropped EXE
-
\??\c:\jjdvj.exec:\jjdvj.exe37⤵
- Executes dropped EXE
-
\??\c:\xlxfxxf.exec:\xlxfxxf.exe38⤵
- Executes dropped EXE
-
\??\c:\lffflrx.exec:\lffflrx.exe39⤵
- Executes dropped EXE
-
\??\c:\nbnntn.exec:\nbnntn.exe40⤵
- Executes dropped EXE
-
\??\c:\hbhtnt.exec:\hbhtnt.exe41⤵
- Executes dropped EXE
-
\??\c:\vdddd.exec:\vdddd.exe42⤵
- Executes dropped EXE
-
\??\c:\9dvvd.exec:\9dvvd.exe43⤵
- Executes dropped EXE
-
\??\c:\rfflrlf.exec:\rfflrlf.exe44⤵
- Executes dropped EXE
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe45⤵
- Executes dropped EXE
-
\??\c:\lxxllxx.exec:\lxxllxx.exe46⤵
- Executes dropped EXE
-
\??\c:\htbhtt.exec:\htbhtt.exe47⤵
- Executes dropped EXE
-
\??\c:\thbbhb.exec:\thbbhb.exe48⤵
- Executes dropped EXE
-
\??\c:\vvppv.exec:\vvppv.exe49⤵
- Executes dropped EXE
-
\??\c:\dpvpv.exec:\dpvpv.exe50⤵
- Executes dropped EXE
-
\??\c:\llfrffl.exec:\llfrffl.exe51⤵
- Executes dropped EXE
-
\??\c:\lfrrlrr.exec:\lfrrlrr.exe52⤵
- Executes dropped EXE
-
\??\c:\hntttn.exec:\hntttn.exe53⤵
- Executes dropped EXE
-
\??\c:\hbhtbt.exec:\hbhtbt.exe54⤵
- Executes dropped EXE
-
\??\c:\1vpjj.exec:\1vpjj.exe55⤵
- Executes dropped EXE
-
\??\c:\xlxxxfl.exec:\xlxxxfl.exe56⤵
- Executes dropped EXE
-
\??\c:\bnbnbb.exec:\bnbnbb.exe57⤵
- Executes dropped EXE
-
\??\c:\httnnh.exec:\httnnh.exe58⤵
- Executes dropped EXE
-
\??\c:\bbnthn.exec:\bbnthn.exe59⤵
- Executes dropped EXE
-
\??\c:\pddvd.exec:\pddvd.exe60⤵
- Executes dropped EXE
-
\??\c:\jvddp.exec:\jvddp.exe61⤵
- Executes dropped EXE
-
\??\c:\9lrlxxx.exec:\9lrlxxx.exe62⤵
- Executes dropped EXE
-
\??\c:\1rlrflx.exec:\1rlrflx.exe63⤵
- Executes dropped EXE
-
\??\c:\hnhbhb.exec:\hnhbhb.exe64⤵
- Executes dropped EXE
-
\??\c:\thtnhh.exec:\thtnhh.exe65⤵
- Executes dropped EXE
-
\??\c:\7vjpp.exec:\7vjpp.exe66⤵
-
\??\c:\vjdjp.exec:\vjdjp.exe67⤵
-
\??\c:\xfxfrlr.exec:\xfxfrlr.exe68⤵
-
\??\c:\9rfxfxl.exec:\9rfxfxl.exe69⤵
-
\??\c:\hhhhnh.exec:\hhhhnh.exe70⤵
-
\??\c:\dvddd.exec:\dvddd.exe71⤵
-
\??\c:\7jjdj.exec:\7jjdj.exe72⤵
-
\??\c:\lxrxflr.exec:\lxrxflr.exe73⤵
-
\??\c:\xllrrrx.exec:\xllrrrx.exe74⤵
-
\??\c:\rlxflrf.exec:\rlxflrf.exe75⤵
-
\??\c:\5thnnt.exec:\5thnnt.exe76⤵
-
\??\c:\bhtnnn.exec:\bhtnnn.exe77⤵
-
\??\c:\7dvdd.exec:\7dvdd.exe78⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe79⤵
-
\??\c:\1xllffl.exec:\1xllffl.exe80⤵
-
\??\c:\7rfxffl.exec:\7rfxffl.exe81⤵
-
\??\c:\7bnntb.exec:\7bnntb.exe82⤵
-
\??\c:\hbhnbb.exec:\hbhnbb.exe83⤵
- System Location Discovery: System Language Discovery
-
\??\c:\djjjd.exec:\djjjd.exe84⤵
-
\??\c:\5pdvv.exec:\5pdvv.exe85⤵
-
\??\c:\5jppj.exec:\5jppj.exe86⤵
-
\??\c:\xrlfllr.exec:\xrlfllr.exe87⤵
-
\??\c:\rfrlxxf.exec:\rfrlxxf.exe88⤵
-
\??\c:\nhntbb.exec:\nhntbb.exe89⤵
-
\??\c:\hbhhnb.exec:\hbhhnb.exe90⤵
-
\??\c:\dpvvv.exec:\dpvvv.exe91⤵
-
\??\c:\djpjp.exec:\djpjp.exe92⤵
-
\??\c:\lxxxfxl.exec:\lxxxfxl.exe93⤵
-
\??\c:\rflffxx.exec:\rflffxx.exe94⤵
-
\??\c:\xlxlrxf.exec:\xlxlrxf.exe95⤵
-
\??\c:\9hbhtb.exec:\9hbhtb.exe96⤵
-
\??\c:\nhhhhn.exec:\nhhhhn.exe97⤵
-
\??\c:\thnntt.exec:\thnntt.exe98⤵
-
\??\c:\dvjdv.exec:\dvjdv.exe99⤵
-
\??\c:\7pjjv.exec:\7pjjv.exe100⤵
-
\??\c:\rfrxffl.exec:\rfrxffl.exe101⤵
-
\??\c:\xrxflrx.exec:\xrxflrx.exe102⤵
-
\??\c:\tnbnnt.exec:\tnbnnt.exe103⤵
-
\??\c:\tntbbb.exec:\tntbbb.exe104⤵
-
\??\c:\5vpjv.exec:\5vpjv.exe105⤵
-
\??\c:\pjjjv.exec:\pjjjv.exe106⤵
-
\??\c:\rxlrlfx.exec:\rxlrlfx.exe107⤵
-
\??\c:\rfflrxx.exec:\rfflrxx.exe108⤵
-
\??\c:\nttnnn.exec:\nttnnn.exe109⤵
-
\??\c:\htbbtb.exec:\htbbtb.exe110⤵
-
\??\c:\nnnntt.exec:\nnnntt.exe111⤵
-
\??\c:\3dppp.exec:\3dppp.exe112⤵
-
\??\c:\7jdvd.exec:\7jdvd.exe113⤵
-
\??\c:\lxffxxl.exec:\lxffxxl.exe114⤵
-
\??\c:\rfrrxxf.exec:\rfrrxxf.exe115⤵
-
\??\c:\5ttnbh.exec:\5ttnbh.exe116⤵
-
\??\c:\nbhhhh.exec:\nbhhhh.exe117⤵
-
\??\c:\dvvvd.exec:\dvvvd.exe118⤵
-
\??\c:\djvjv.exec:\djvjv.exe119⤵
-
\??\c:\9dvvd.exec:\9dvvd.exe120⤵
-
\??\c:\lflllll.exec:\lflllll.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-