Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19/09/2024, 08:31
General
-
Target
4213f2e773feec566e01edacc062db90d7169a0a61315ea5231eda4c4d27ebd9N.exe
-
Size
82KB
-
MD5
4ab96094fb2149abca2ba8b2b6c43b50
-
SHA1
6db1ea7810c4d2e4c0765961fbfd593926ef0d7f
-
SHA256
4213f2e773feec566e01edacc062db90d7169a0a61315ea5231eda4c4d27ebd9
-
SHA512
9650137aa33a598df8340be867a83fd1a5877894b6a1d66ea9d1a37ceda194ff578ec6466d13f2b1e9f532da8c76018ce8e47ce8aed40ae5e39b6dd646f21d28
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73tgygQwKjiawEmBgRc6ciTu:ymb3NkkiQ3mdBjFo73thgQ/wEkMNTTu
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 18 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4213f2e773feec566e01edacc062db90d7169a0a61315ea5231eda4c4d27ebd9N.exe"C:\Users\Admin\AppData\Local\Temp\4213f2e773feec566e01edacc062db90d7169a0a61315ea5231eda4c4d27ebd9N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hthhnn.exec:\hthhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bththb.exec:\bththb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvjj.exec:\jpvjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rflrrx.exec:\3rflrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nbhnn.exec:\1nbhnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhbbb.exec:\bnhbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjvd.exec:\dvjvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxrrx.exec:\lfrxrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhhnh.exec:\thhhnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhbnh.exec:\tnhbnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vpvv.exec:\7vpvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjjp.exec:\jdjjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlrrrf.exec:\xrlrrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhnbb.exec:\nbhnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvj.exec:\pjvvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vvvj.exec:\5vvvj.exe17⤵
- Executes dropped EXE
-
\??\c:\fxffllf.exec:\fxffllf.exe18⤵
- Executes dropped EXE
-
\??\c:\rllffff.exec:\rllffff.exe19⤵
- Executes dropped EXE
-
\??\c:\hbnbhn.exec:\hbnbhn.exe20⤵
- Executes dropped EXE
-
\??\c:\9jvdd.exec:\9jvdd.exe21⤵
- Executes dropped EXE
-
\??\c:\1pdpp.exec:\1pdpp.exe22⤵
- Executes dropped EXE
-
\??\c:\rflflfx.exec:\rflflfx.exe23⤵
- Executes dropped EXE
-
\??\c:\nhhnbb.exec:\nhhnbb.exe24⤵
- Executes dropped EXE
-
\??\c:\tthhbt.exec:\tthhbt.exe25⤵
- Executes dropped EXE
-
\??\c:\9djvj.exec:\9djvj.exe26⤵
- Executes dropped EXE
-
\??\c:\5xlxlrx.exec:\5xlxlrx.exe27⤵
- Executes dropped EXE
-
\??\c:\tnbbnn.exec:\tnbbnn.exe28⤵
- Executes dropped EXE
-
\??\c:\9thhnh.exec:\9thhnh.exe29⤵
- Executes dropped EXE
-
\??\c:\dpdvj.exec:\dpdvj.exe30⤵
- Executes dropped EXE
-
\??\c:\5xfxffl.exec:\5xfxffl.exe31⤵
- Executes dropped EXE
-
\??\c:\9nhthh.exec:\9nhthh.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\1hnnnt.exec:\1hnnnt.exe33⤵
- Executes dropped EXE
-
\??\c:\3vpdj.exec:\3vpdj.exe34⤵
- Executes dropped EXE
-
\??\c:\jvppp.exec:\jvppp.exe35⤵
- Executes dropped EXE
-
\??\c:\xrfllll.exec:\xrfllll.exe36⤵
- Executes dropped EXE
-
\??\c:\5thhnt.exec:\5thhnt.exe37⤵
- Executes dropped EXE
-
\??\c:\7btbtn.exec:\7btbtn.exe38⤵
- Executes dropped EXE
-
\??\c:\dvjpj.exec:\dvjpj.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\dpdjp.exec:\dpdjp.exe40⤵
- Executes dropped EXE
-
\??\c:\3frxrxf.exec:\3frxrxf.exe41⤵
- Executes dropped EXE
-
\??\c:\5fxrrlx.exec:\5fxrrlx.exe42⤵
- Executes dropped EXE
-
\??\c:\7bbbbb.exec:\7bbbbb.exe43⤵
- Executes dropped EXE
-
\??\c:\nhtntn.exec:\nhtntn.exe44⤵
- Executes dropped EXE
-
\??\c:\jvddv.exec:\jvddv.exe45⤵
- Executes dropped EXE
-
\??\c:\rrxfllr.exec:\rrxfllr.exe46⤵
- Executes dropped EXE
-
\??\c:\rfllrlx.exec:\rfllrlx.exe47⤵
- Executes dropped EXE
-
\??\c:\7ffrrlr.exec:\7ffrrlr.exe48⤵
- Executes dropped EXE
-
\??\c:\nnhtnn.exec:\nnhtnn.exe49⤵
- Executes dropped EXE
-
\??\c:\bthhnn.exec:\bthhnn.exe50⤵
- Executes dropped EXE
-
\??\c:\9vdvp.exec:\9vdvp.exe51⤵
- Executes dropped EXE
-
\??\c:\jdpvv.exec:\jdpvv.exe52⤵
- Executes dropped EXE
-
\??\c:\7fxllrx.exec:\7fxllrx.exe53⤵
- Executes dropped EXE
-
\??\c:\fflxrrf.exec:\fflxrrf.exe54⤵
- Executes dropped EXE
-
\??\c:\tnnthb.exec:\tnnthb.exe55⤵
- Executes dropped EXE
-
\??\c:\7jvjv.exec:\7jvjv.exe56⤵
- Executes dropped EXE
-
\??\c:\pjdjj.exec:\pjdjj.exe57⤵
- Executes dropped EXE
-
\??\c:\rxlllxf.exec:\rxlllxf.exe58⤵
- Executes dropped EXE
-
\??\c:\fxrffll.exec:\fxrffll.exe59⤵
- Executes dropped EXE
-
\??\c:\5nbttt.exec:\5nbttt.exe60⤵
- Executes dropped EXE
-
\??\c:\7tbbhh.exec:\7tbbhh.exe61⤵
- Executes dropped EXE
-
\??\c:\1dppd.exec:\1dppd.exe62⤵
- Executes dropped EXE
-
\??\c:\pjpdv.exec:\pjpdv.exe63⤵
- Executes dropped EXE
-
\??\c:\rrffxfr.exec:\rrffxfr.exe64⤵
- Executes dropped EXE
-
\??\c:\9frxfll.exec:\9frxfll.exe65⤵
- Executes dropped EXE
-
\??\c:\hbhthh.exec:\hbhthh.exe66⤵
-
\??\c:\hbthnt.exec:\hbthnt.exe67⤵
-
\??\c:\dvjjj.exec:\dvjjj.exe68⤵
-
\??\c:\ddpvj.exec:\ddpvj.exe69⤵
-
\??\c:\1vpdv.exec:\1vpdv.exe70⤵
-
\??\c:\lxllllr.exec:\lxllllr.exe71⤵
-
\??\c:\rlfllrx.exec:\rlfllrx.exe72⤵
-
\??\c:\hbnbtn.exec:\hbnbtn.exe73⤵
-
\??\c:\jvdvd.exec:\jvdvd.exe74⤵
-
\??\c:\jdvdv.exec:\jdvdv.exe75⤵
-
\??\c:\7dppp.exec:\7dppp.exe76⤵
-
\??\c:\7rlrflr.exec:\7rlrflr.exe77⤵
-
\??\c:\bnbntn.exec:\bnbntn.exe78⤵
-
\??\c:\nnnnnn.exec:\nnnnnn.exe79⤵
-
\??\c:\dvjdd.exec:\dvjdd.exe80⤵
-
\??\c:\vvppv.exec:\vvppv.exe81⤵
-
\??\c:\vpjvd.exec:\vpjvd.exe82⤵
-
\??\c:\lflfrlr.exec:\lflfrlr.exe83⤵
-
\??\c:\xxffrxf.exec:\xxffrxf.exe84⤵
-
\??\c:\1bbnnt.exec:\1bbnnt.exe85⤵
-
\??\c:\dpvvv.exec:\dpvvv.exe86⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe87⤵
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe88⤵
-
\??\c:\3rrxllr.exec:\3rrxllr.exe89⤵
-
\??\c:\hhhbtt.exec:\hhhbtt.exe90⤵
-
\??\c:\bnbbhb.exec:\bnbbhb.exe91⤵
-
\??\c:\vdjvj.exec:\vdjvj.exe92⤵
-
\??\c:\9jjdj.exec:\9jjdj.exe93⤵
-
\??\c:\9rfxfxf.exec:\9rfxfxf.exe94⤵
-
\??\c:\frxxfxf.exec:\frxxfxf.exe95⤵
-
\??\c:\hhbthb.exec:\hhbthb.exe96⤵
-
\??\c:\htntbh.exec:\htntbh.exe97⤵
-
\??\c:\vjppv.exec:\vjppv.exe98⤵
-
\??\c:\jvvpv.exec:\jvvpv.exe99⤵
-
\??\c:\3vvvp.exec:\3vvvp.exe100⤵
-
\??\c:\lxlxxrf.exec:\lxlxxrf.exe101⤵
-
\??\c:\hthnnn.exec:\hthnnn.exe102⤵
-
\??\c:\thbttt.exec:\thbttt.exe103⤵
-
\??\c:\1dpjj.exec:\1dpjj.exe104⤵
-
\??\c:\3jpvj.exec:\3jpvj.exe105⤵
-
\??\c:\jvjjp.exec:\jvjjp.exe106⤵
-
\??\c:\xrxxlfx.exec:\xrxxlfx.exe107⤵
-
\??\c:\rfrrfxx.exec:\rfrrfxx.exe108⤵
-
\??\c:\bthntb.exec:\bthntb.exe109⤵
-
\??\c:\7nnbbh.exec:\7nnbbh.exe110⤵
-
\??\c:\vpdjd.exec:\vpdjd.exe111⤵
-
\??\c:\jvddj.exec:\jvddj.exe112⤵
-
\??\c:\5fxrxrx.exec:\5fxrxrx.exe113⤵
-
\??\c:\frxxfxx.exec:\frxxfxx.exe114⤵
-
\??\c:\tbhtbh.exec:\tbhtbh.exe115⤵
-
\??\c:\ttttbn.exec:\ttttbn.exe116⤵
-
\??\c:\vjvpp.exec:\vjvpp.exe117⤵
-
\??\c:\1vpjp.exec:\1vpjp.exe118⤵
-
\??\c:\xlrfrxf.exec:\xlrfrxf.exe119⤵
-
\??\c:\rlfxxxr.exec:\rlfxxxr.exe120⤵
-
\??\c:\nnbbtn.exec:\nnbbtn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-