Analysis
-
max time kernel
120s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
25/09/2024, 08:20
General
-
Target
d1b2b6c2486e6d52050e61033fc7f7855c102638e8cc552fd072b6a15ad8491aN.exe
-
Size
79KB
-
MD5
7d706681cb97d7140e5a9783fbf78bc0
-
SHA1
ca1979422f63e42c1e74229f5929e11e2a0ba475
-
SHA256
d1b2b6c2486e6d52050e61033fc7f7855c102638e8cc552fd072b6a15ad8491a
-
SHA512
7ddaf965cb5d0a264265e4b1eaf480178bf8772cfc377bf28509868c42a81553e2de2ce65364240f2b691d9d425398793e62af470f470f26ede383f1df9a4d24
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5rINFE4ye6:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCu4t
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1b2b6c2486e6d52050e61033fc7f7855c102638e8cc552fd072b6a15ad8491aN.exe"C:\Users\Admin\AppData\Local\Temp\d1b2b6c2486e6d52050e61033fc7f7855c102638e8cc552fd072b6a15ad8491aN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdjp.exec:\vjdjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjpv.exec:\dpjpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tbhhn.exec:\5tbhhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbhh.exec:\btnbhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjddv.exec:\pjddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xxrxfr.exec:\9xxrxfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9btthn.exec:\9btthn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjvd.exec:\vvjvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllxxf.exec:\fxllxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnbnt.exec:\nhnbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7tthbn.exec:\7tthbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3dddj.exec:\3dddj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rffllr.exec:\7rffllr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlrxfx.exec:\xrlrxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtnhb.exec:\bbtnhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hntnh.exec:\9hntnh.exe17⤵
- Executes dropped EXE
-
\??\c:\ddvdp.exec:\ddvdp.exe18⤵
- Executes dropped EXE
-
\??\c:\lfxrflf.exec:\lfxrflf.exe19⤵
- Executes dropped EXE
-
\??\c:\5bttbn.exec:\5bttbn.exe20⤵
- Executes dropped EXE
-
\??\c:\hbhtbb.exec:\hbhtbb.exe21⤵
- Executes dropped EXE
-
\??\c:\jvpdd.exec:\jvpdd.exe22⤵
- Executes dropped EXE
-
\??\c:\lfrxffr.exec:\lfrxffr.exe23⤵
- Executes dropped EXE
-
\??\c:\9xfflrl.exec:\9xfflrl.exe24⤵
- Executes dropped EXE
-
\??\c:\hbbtnt.exec:\hbbtnt.exe25⤵
- Executes dropped EXE
-
\??\c:\5vdjp.exec:\5vdjp.exe26⤵
- Executes dropped EXE
-
\??\c:\llffffr.exec:\llffffr.exe27⤵
- Executes dropped EXE
-
\??\c:\nnnthh.exec:\nnnthh.exe28⤵
- Executes dropped EXE
-
\??\c:\btbtnn.exec:\btbtnn.exe29⤵
- Executes dropped EXE
-
\??\c:\5djpd.exec:\5djpd.exe30⤵
- Executes dropped EXE
-
\??\c:\rllfrrx.exec:\rllfrrx.exe31⤵
- Executes dropped EXE
-
\??\c:\lxlrxfr.exec:\lxlrxfr.exe32⤵
- Executes dropped EXE
-
\??\c:\1bthhn.exec:\1bthhn.exe33⤵
- Executes dropped EXE
-
\??\c:\bbtthn.exec:\bbtthn.exe34⤵
- Executes dropped EXE
-
\??\c:\vpddp.exec:\vpddp.exe35⤵
- Executes dropped EXE
-
\??\c:\jdjjp.exec:\jdjjp.exe36⤵
- Executes dropped EXE
-
\??\c:\fxlrxff.exec:\fxlrxff.exe37⤵
- Executes dropped EXE
-
\??\c:\9rfrxfx.exec:\9rfrxfx.exe38⤵
- Executes dropped EXE
-
\??\c:\5bnhnn.exec:\5bnhnn.exe39⤵
- Executes dropped EXE
-
\??\c:\7httth.exec:\7httth.exe40⤵
- Executes dropped EXE
-
\??\c:\vppvv.exec:\vppvv.exe41⤵
- Executes dropped EXE
-
\??\c:\xrlllxl.exec:\xrlllxl.exe42⤵
- Executes dropped EXE
-
\??\c:\ffxlflx.exec:\ffxlflx.exe43⤵
- Executes dropped EXE
-
\??\c:\3lfxfff.exec:\3lfxfff.exe44⤵
- Executes dropped EXE
-
\??\c:\9tnbhh.exec:\9tnbhh.exe45⤵
- Executes dropped EXE
-
\??\c:\bnhnnt.exec:\bnhnnt.exe46⤵
- Executes dropped EXE
-
\??\c:\vvvjp.exec:\vvvjp.exe47⤵
- Executes dropped EXE
-
\??\c:\9jjvd.exec:\9jjvd.exe48⤵
- Executes dropped EXE
-
\??\c:\xrxfllr.exec:\xrxfllr.exe49⤵
- Executes dropped EXE
-
\??\c:\rrrrflr.exec:\rrrrflr.exe50⤵
- Executes dropped EXE
-
\??\c:\btthht.exec:\btthht.exe51⤵
- Executes dropped EXE
-
\??\c:\7bbhbh.exec:\7bbhbh.exe52⤵
- Executes dropped EXE
-
\??\c:\5jpvj.exec:\5jpvj.exe53⤵
- Executes dropped EXE
-
\??\c:\9pppv.exec:\9pppv.exe54⤵
- Executes dropped EXE
-
\??\c:\3ffrffl.exec:\3ffrffl.exe55⤵
- Executes dropped EXE
-
\??\c:\xrlxxxf.exec:\xrlxxxf.exe56⤵
- Executes dropped EXE
-
\??\c:\nbnntb.exec:\nbnntb.exe57⤵
- Executes dropped EXE
-
\??\c:\vpppv.exec:\vpppv.exe58⤵
- Executes dropped EXE
-
\??\c:\ppddj.exec:\ppddj.exe59⤵
- Executes dropped EXE
-
\??\c:\lfrlxxr.exec:\lfrlxxr.exe60⤵
- Executes dropped EXE
-
\??\c:\thntnh.exec:\thntnh.exe61⤵
- Executes dropped EXE
-
\??\c:\9vjjp.exec:\9vjjp.exe62⤵
- Executes dropped EXE
-
\??\c:\7jdvd.exec:\7jdvd.exe63⤵
- Executes dropped EXE
-
\??\c:\fffrrlf.exec:\fffrrlf.exe64⤵
- Executes dropped EXE
-
\??\c:\rrlrrxf.exec:\rrlrrxf.exe65⤵
- Executes dropped EXE
-
\??\c:\ttnthh.exec:\ttnthh.exe66⤵
-
\??\c:\tthhnt.exec:\tthhnt.exe67⤵
-
\??\c:\jdjpv.exec:\jdjpv.exe68⤵
-
\??\c:\pvvpd.exec:\pvvpd.exe69⤵
-
\??\c:\rlffrrf.exec:\rlffrrf.exe70⤵
-
\??\c:\xfrfllr.exec:\xfrfllr.exe71⤵
-
\??\c:\bnbtbn.exec:\bnbtbn.exe72⤵
-
\??\c:\3dpjp.exec:\3dpjp.exe73⤵
-
\??\c:\vpvdd.exec:\vpvdd.exe74⤵
-
\??\c:\rfllllx.exec:\rfllllx.exe75⤵
-
\??\c:\ffflflx.exec:\ffflflx.exe76⤵
-
\??\c:\hbhnbb.exec:\hbhnbb.exe77⤵
-
\??\c:\hbnntt.exec:\hbnntt.exe78⤵
-
\??\c:\jdvdd.exec:\jdvdd.exe79⤵
-
\??\c:\vvpvp.exec:\vvpvp.exe80⤵
-
\??\c:\rlllrxl.exec:\rlllrxl.exe81⤵
-
\??\c:\nnnnnn.exec:\nnnnnn.exe82⤵
-
\??\c:\hhtbbb.exec:\hhtbbb.exe83⤵
-
\??\c:\nnnbnb.exec:\nnnbnb.exe84⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe85⤵
-
\??\c:\lfrxxlx.exec:\lfrxxlx.exe86⤵
-
\??\c:\lfrlrrr.exec:\lfrlrrr.exe87⤵
-
\??\c:\nhbhnb.exec:\nhbhnb.exe88⤵
-
\??\c:\nhttbt.exec:\nhttbt.exe89⤵
-
\??\c:\jdppp.exec:\jdppp.exe90⤵
-
\??\c:\dvvvd.exec:\dvvvd.exe91⤵
-
\??\c:\9frxflr.exec:\9frxflr.exe92⤵
-
\??\c:\rflxffx.exec:\rflxffx.exe93⤵
-
\??\c:\hbthbh.exec:\hbthbh.exe94⤵
-
\??\c:\btntbt.exec:\btntbt.exe95⤵
-
\??\c:\hbtbbn.exec:\hbtbbn.exe96⤵
-
\??\c:\pjppp.exec:\pjppp.exe97⤵
-
\??\c:\7djjv.exec:\7djjv.exe98⤵
-
\??\c:\frffrrl.exec:\frffrrl.exe99⤵
-
\??\c:\xxffrrf.exec:\xxffrrf.exe100⤵
-
\??\c:\3nbbbn.exec:\3nbbbn.exe101⤵
-
\??\c:\nnhnbh.exec:\nnhnbh.exe102⤵
-
\??\c:\1dvvd.exec:\1dvvd.exe103⤵
-
\??\c:\pjdjp.exec:\pjdjp.exe104⤵
-
\??\c:\rrfrffl.exec:\rrfrffl.exe105⤵
-
\??\c:\lfrxflr.exec:\lfrxflr.exe106⤵
-
\??\c:\hthbbb.exec:\hthbbb.exe107⤵
-
\??\c:\3bbtbb.exec:\3bbtbb.exe108⤵
-
\??\c:\hbbhtb.exec:\hbbhtb.exe109⤵
-
\??\c:\ppjvd.exec:\ppjvd.exe110⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe111⤵
-
\??\c:\5xrfxxr.exec:\5xrfxxr.exe112⤵
-
\??\c:\3rfrxfl.exec:\3rfrxfl.exe113⤵
-
\??\c:\btthtt.exec:\btthtt.exe114⤵
-
\??\c:\nhttbh.exec:\nhttbh.exe115⤵
-
\??\c:\pjppv.exec:\pjppv.exe116⤵
-
\??\c:\rfrlxrx.exec:\rfrlxrx.exe117⤵
-
\??\c:\9rxlrxr.exec:\9rxlrxr.exe118⤵
-
\??\c:\1ffrxxl.exec:\1ffrxxl.exe119⤵
-
\??\c:\hbtbhn.exec:\hbtbhn.exe120⤵
-
\??\c:\nhbbhh.exec:\nhbbhh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-