Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-09-2024 12:24
General
-
Target
6281c3bd3847542a6dd73c29a6d73d16748848e1c9c60d99e38634b86ae808faN.exe
-
Size
418KB
-
MD5
4ad438824d278a6a85ac68d0079d10d0
-
SHA1
a0dc803bc7b73cb775304be6a11fd1417aa9fd05
-
SHA256
6281c3bd3847542a6dd73c29a6d73d16748848e1c9c60d99e38634b86ae808fa
-
SHA512
b12be3338ed39e705b4ae4a07d3faade087e0c4d5e58da004a6ff0b04bffe965478325d8f8582c93f6dbad0075468a367668f3b06fa5f4cb71cd64f2e0a7e173
-
SSDEEP
12288:n3C9ytvngQj4DtvnV9wLn9UTfC8eieJNBNIsYPT:SgdnJUdnV9z
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6281c3bd3847542a6dd73c29a6d73d16748848e1c9c60d99e38634b86ae808faN.exe"C:\Users\Admin\AppData\Local\Temp\6281c3bd3847542a6dd73c29a6d73d16748848e1c9c60d99e38634b86ae808faN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrfrxl.exec:\xxrfrxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrxfll.exec:\xlrxfll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdjv.exec:\ppdjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btthth.exec:\btthth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfxflrx.exec:\xfxflrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtbhn.exec:\hbtbhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlrflr.exec:\xxlrflr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntnbnt.exec:\ntnbnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllrxxf.exec:\xllrxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbhnt.exec:\hhbhnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lfffxx.exec:\7lfffxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnttbh.exec:\tnttbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3pjvd.exec:\3pjvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xfxffl.exec:\5xfxffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddppp.exec:\ddppp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrxffl.exec:\xrrxffl.exe17⤵
- Executes dropped EXE
-
\??\c:\vjvpv.exec:\vjvpv.exe18⤵
- Executes dropped EXE
-
\??\c:\dpvdd.exec:\dpvdd.exe19⤵
- Executes dropped EXE
-
\??\c:\tnbhhn.exec:\tnbhhn.exe20⤵
- Executes dropped EXE
-
\??\c:\pdppd.exec:\pdppd.exe21⤵
- Executes dropped EXE
-
\??\c:\1lxffxr.exec:\1lxffxr.exe22⤵
- Executes dropped EXE
-
\??\c:\bbtbnn.exec:\bbtbnn.exe23⤵
- Executes dropped EXE
-
\??\c:\xllflfx.exec:\xllflfx.exe24⤵
- Executes dropped EXE
-
\??\c:\rfrxffr.exec:\rfrxffr.exe25⤵
- Executes dropped EXE
-
\??\c:\1jvvp.exec:\1jvvp.exe26⤵
- Executes dropped EXE
-
\??\c:\nnnntb.exec:\nnnntb.exe27⤵
- Executes dropped EXE
-
\??\c:\3jvpp.exec:\3jvpp.exe28⤵
- Executes dropped EXE
-
\??\c:\xfllrxx.exec:\xfllrxx.exe29⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe30⤵
- Executes dropped EXE
-
\??\c:\fxllrrx.exec:\fxllrrx.exe31⤵
- Executes dropped EXE
-
\??\c:\thnnnn.exec:\thnnnn.exe32⤵
- Executes dropped EXE
-
\??\c:\jvjjv.exec:\jvjjv.exe33⤵
- Executes dropped EXE
-
\??\c:\9thhnn.exec:\9thhnn.exe34⤵
- Executes dropped EXE
-
\??\c:\1jdpv.exec:\1jdpv.exe35⤵
- Executes dropped EXE
-
\??\c:\3lxxfrx.exec:\3lxxfrx.exe36⤵
- Executes dropped EXE
-
\??\c:\hthhhh.exec:\hthhhh.exe37⤵
- Executes dropped EXE
-
\??\c:\jvjdv.exec:\jvjdv.exe38⤵
- Executes dropped EXE
-
\??\c:\1vvvd.exec:\1vvvd.exe39⤵
- Executes dropped EXE
-
\??\c:\rfxlrlr.exec:\rfxlrlr.exe40⤵
- Executes dropped EXE
-
\??\c:\bntbnh.exec:\bntbnh.exe41⤵
- Executes dropped EXE
-
\??\c:\3nnthn.exec:\3nnthn.exe42⤵
- Executes dropped EXE
-
\??\c:\1pvpd.exec:\1pvpd.exe43⤵
- Executes dropped EXE
-
\??\c:\frxrxrx.exec:\frxrxrx.exe44⤵
- Executes dropped EXE
-
\??\c:\3thttt.exec:\3thttt.exe45⤵
- Executes dropped EXE
-
\??\c:\9vpvp.exec:\9vpvp.exe46⤵
- Executes dropped EXE
-
\??\c:\xrllxfr.exec:\xrllxfr.exe47⤵
- Executes dropped EXE
-
\??\c:\xrffrrx.exec:\xrffrrx.exe48⤵
- Executes dropped EXE
-
\??\c:\nhhhtn.exec:\nhhhtn.exe49⤵
- Executes dropped EXE
-
\??\c:\jjppv.exec:\jjppv.exe50⤵
- Executes dropped EXE
-
\??\c:\jdjpp.exec:\jdjpp.exe51⤵
- Executes dropped EXE
-
\??\c:\xlrllll.exec:\xlrllll.exe52⤵
- Executes dropped EXE
-
\??\c:\tntbhn.exec:\tntbhn.exe53⤵
- Executes dropped EXE
-
\??\c:\ddppj.exec:\ddppj.exe54⤵
- Executes dropped EXE
-
\??\c:\5dpjp.exec:\5dpjp.exe55⤵
- Executes dropped EXE
-
\??\c:\rflffxf.exec:\rflffxf.exe56⤵
- Executes dropped EXE
-
\??\c:\hbhbnt.exec:\hbhbnt.exe57⤵
- Executes dropped EXE
-
\??\c:\vjvpv.exec:\vjvpv.exe58⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe59⤵
- Executes dropped EXE
-
\??\c:\fxrxlxr.exec:\fxrxlxr.exe60⤵
- Executes dropped EXE
-
\??\c:\nhbhtb.exec:\nhbhtb.exe61⤵
- Executes dropped EXE
-
\??\c:\bbnntt.exec:\bbnntt.exe62⤵
- Executes dropped EXE
-
\??\c:\9pppp.exec:\9pppp.exe63⤵
- Executes dropped EXE
-
\??\c:\rrxxlff.exec:\rrxxlff.exe64⤵
- Executes dropped EXE
-
\??\c:\htnntn.exec:\htnntn.exe65⤵
- Executes dropped EXE
-
\??\c:\1tbttt.exec:\1tbttt.exe66⤵
-
\??\c:\7pjpj.exec:\7pjpj.exe67⤵
-
\??\c:\3xxlrrx.exec:\3xxlrrx.exe68⤵
-
\??\c:\fxrxxxf.exec:\fxrxxxf.exe69⤵
-
\??\c:\thnnhn.exec:\thnnhn.exe70⤵
-
\??\c:\vvjdp.exec:\vvjdp.exe71⤵
-
\??\c:\dpddj.exec:\dpddj.exe72⤵
-
\??\c:\ffrxflx.exec:\ffrxflx.exe73⤵
-
\??\c:\btbbhb.exec:\btbbhb.exe74⤵
-
\??\c:\htbntn.exec:\htbntn.exe75⤵
-
\??\c:\pvjdd.exec:\pvjdd.exe76⤵
-
\??\c:\lfxfllx.exec:\lfxfllx.exe77⤵
-
\??\c:\xrxlxxl.exec:\xrxlxxl.exe78⤵
-
\??\c:\tnhntb.exec:\tnhntb.exe79⤵
-
\??\c:\pjvpp.exec:\pjvpp.exe80⤵
-
\??\c:\fxrxllx.exec:\fxrxllx.exe81⤵
-
\??\c:\lfrxxrx.exec:\lfrxxrx.exe82⤵
-
\??\c:\3hhttb.exec:\3hhttb.exe83⤵
-
\??\c:\vppjj.exec:\vppjj.exe84⤵
-
\??\c:\jvjjp.exec:\jvjjp.exe85⤵
-
\??\c:\lflrflr.exec:\lflrflr.exe86⤵
-
\??\c:\1bbbnn.exec:\1bbbnn.exe87⤵
-
\??\c:\1pjjp.exec:\1pjjp.exe88⤵
-
\??\c:\5vpvv.exec:\5vpvv.exe89⤵
-
\??\c:\lfrxllr.exec:\lfrxllr.exe90⤵
-
\??\c:\9hbhnn.exec:\9hbhnn.exe91⤵
-
\??\c:\hbhbhb.exec:\hbhbhb.exe92⤵
-
\??\c:\dvjpj.exec:\dvjpj.exe93⤵
-
\??\c:\3fxxflr.exec:\3fxxflr.exe94⤵
-
\??\c:\9hbtbb.exec:\9hbtbb.exe95⤵
-
\??\c:\bbhhtn.exec:\bbhhtn.exe96⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe97⤵
-
\??\c:\9llrflr.exec:\9llrflr.exe98⤵
-
\??\c:\hbhhtb.exec:\hbhhtb.exe99⤵
-
\??\c:\nbhbhh.exec:\nbhbhh.exe100⤵
-
\??\c:\ppdjp.exec:\ppdjp.exe101⤵
-
\??\c:\lxrllfl.exec:\lxrllfl.exe102⤵
-
\??\c:\thtthh.exec:\thtthh.exe103⤵
-
\??\c:\ntnbnn.exec:\ntnbnn.exe104⤵
-
\??\c:\djdjp.exec:\djdjp.exe105⤵
-
\??\c:\lxlrxxf.exec:\lxlrxxf.exe106⤵
-
\??\c:\llxlllx.exec:\llxlllx.exe107⤵
-
\??\c:\7bnthh.exec:\7bnthh.exe108⤵
-
\??\c:\7jppp.exec:\7jppp.exe109⤵
-
\??\c:\vjdvp.exec:\vjdvp.exe110⤵
-
\??\c:\xrrrlll.exec:\xrrrlll.exe111⤵
-
\??\c:\bhtbhh.exec:\bhtbhh.exe112⤵
-
\??\c:\tnbbhh.exec:\tnbbhh.exe113⤵
-
\??\c:\jjjvp.exec:\jjjvp.exe114⤵
-
\??\c:\fxfrrxl.exec:\fxfrrxl.exe115⤵
-
\??\c:\rlxxllr.exec:\rlxxllr.exe116⤵
-
\??\c:\hbtbht.exec:\hbtbht.exe117⤵
-
\??\c:\vjppv.exec:\vjppv.exe118⤵
-
\??\c:\9vvdp.exec:\9vvdp.exe119⤵
-
\??\c:\rlrlllr.exec:\rlrlllr.exe120⤵
-
\??\c:\hbnthh.exec:\hbnthh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-