Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
27/09/2024, 13:50
General
-
Target
f1978ba6de51a3170774d29352aeb6b34d8e5d6ad2f8fea3b8e7e54c93dbd543.exe
-
Size
63KB
-
MD5
c8ce151fa3fcd0b1c20882d3a9997df5
-
SHA1
c37d8301a59f9d77912c6eb1587cb7e2c367b57a
-
SHA256
f1978ba6de51a3170774d29352aeb6b34d8e5d6ad2f8fea3b8e7e54c93dbd543
-
SHA512
78a4ecfee64582cd9da0be6eaa9aba068e3273cb5e859fe50d626650fbc6084159ec63630cc288212c4379907bd86b4b9bd895f8c2a054f32af2551da10c52e1
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIrmCeRMBJ:ymb3NkkiQ3mdBjFIjeuv
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1978ba6de51a3170774d29352aeb6b34d8e5d6ad2f8fea3b8e7e54c93dbd543.exe"C:\Users\Admin\AppData\Local\Temp\f1978ba6de51a3170774d29352aeb6b34d8e5d6ad2f8fea3b8e7e54c93dbd543.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bthnth.exec:\bthnth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\48006.exec:\48006.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a0600.exec:\a0600.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrxxf.exec:\fxlrxxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlllrxf.exec:\rlllrxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w08680.exec:\w08680.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\86806.exec:\86806.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o004400.exec:\o004400.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\042240.exec:\042240.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0868400.exec:\0868400.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrxllx.exec:\rfrxllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxrlxf.exec:\fxxrlxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w20406.exec:\w20406.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i046204.exec:\i046204.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxfxxlf.exec:\fxfxxlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m2060.exec:\m2060.exe17⤵
- Executes dropped EXE
-
\??\c:\64666.exec:\64666.exe18⤵
- Executes dropped EXE
-
\??\c:\s0840.exec:\s0840.exe19⤵
- Executes dropped EXE
-
\??\c:\42822.exec:\42822.exe20⤵
- Executes dropped EXE
-
\??\c:\802482.exec:\802482.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\e84840.exec:\e84840.exe22⤵
- Executes dropped EXE
-
\??\c:\42024.exec:\42024.exe23⤵
- Executes dropped EXE
-
\??\c:\lrlrrfl.exec:\lrlrrfl.exe24⤵
- Executes dropped EXE
-
\??\c:\644400.exec:\644400.exe25⤵
- Executes dropped EXE
-
\??\c:\602404.exec:\602404.exe26⤵
- Executes dropped EXE
-
\??\c:\82484.exec:\82484.exe27⤵
- Executes dropped EXE
-
\??\c:\6462266.exec:\6462266.exe28⤵
- Executes dropped EXE
-
\??\c:\bhbttt.exec:\bhbttt.exe29⤵
- Executes dropped EXE
-
\??\c:\w68888.exec:\w68888.exe30⤵
- Executes dropped EXE
-
\??\c:\486826.exec:\486826.exe31⤵
- Executes dropped EXE
-
\??\c:\424444.exec:\424444.exe32⤵
- Executes dropped EXE
-
\??\c:\a8680.exec:\a8680.exe33⤵
- Executes dropped EXE
-
\??\c:\ntttnb.exec:\ntttnb.exe34⤵
- Executes dropped EXE
-
\??\c:\0802406.exec:\0802406.exe35⤵
- Executes dropped EXE
-
\??\c:\nhbbhn.exec:\nhbbhn.exe36⤵
- Executes dropped EXE
-
\??\c:\206882.exec:\206882.exe37⤵
- Executes dropped EXE
-
\??\c:\268842.exec:\268842.exe38⤵
- Executes dropped EXE
-
\??\c:\824062.exec:\824062.exe39⤵
- Executes dropped EXE
-
\??\c:\1xlxxrr.exec:\1xlxxrr.exe40⤵
- Executes dropped EXE
-
\??\c:\1xrllrl.exec:\1xrllrl.exe41⤵
- Executes dropped EXE
-
\??\c:\djppv.exec:\djppv.exe42⤵
- Executes dropped EXE
-
\??\c:\pdjjp.exec:\pdjjp.exe43⤵
- Executes dropped EXE
-
\??\c:\k46620.exec:\k46620.exe44⤵
- Executes dropped EXE
-
\??\c:\lfrrrlr.exec:\lfrrrlr.exe45⤵
- Executes dropped EXE
-
\??\c:\llrrxlr.exec:\llrrxlr.exe46⤵
- Executes dropped EXE
-
\??\c:\8028824.exec:\8028824.exe47⤵
- Executes dropped EXE
-
\??\c:\hnnnhh.exec:\hnnnhh.exe48⤵
- Executes dropped EXE
-
\??\c:\200648.exec:\200648.exe49⤵
- Executes dropped EXE
-
\??\c:\k40664.exec:\k40664.exe50⤵
- Executes dropped EXE
-
\??\c:\2400600.exec:\2400600.exe51⤵
- Executes dropped EXE
-
\??\c:\684404.exec:\684404.exe52⤵
- Executes dropped EXE
-
\??\c:\bhtnnh.exec:\bhtnnh.exe53⤵
- Executes dropped EXE
-
\??\c:\820400.exec:\820400.exe54⤵
- Executes dropped EXE
-
\??\c:\q42840.exec:\q42840.exe55⤵
- Executes dropped EXE
-
\??\c:\lfxxxff.exec:\lfxxxff.exe56⤵
- Executes dropped EXE
-
\??\c:\008462.exec:\008462.exe57⤵
- Executes dropped EXE
-
\??\c:\bbbhnt.exec:\bbbhnt.exe58⤵
- Executes dropped EXE
-
\??\c:\rfxrxlx.exec:\rfxrxlx.exe59⤵
- Executes dropped EXE
-
\??\c:\26462.exec:\26462.exe60⤵
- Executes dropped EXE
-
\??\c:\bnnbbb.exec:\bnnbbb.exe61⤵
- Executes dropped EXE
-
\??\c:\djppv.exec:\djppv.exe62⤵
- Executes dropped EXE
-
\??\c:\pddpv.exec:\pddpv.exe63⤵
- Executes dropped EXE
-
\??\c:\5tnttn.exec:\5tnttn.exe64⤵
- Executes dropped EXE
-
\??\c:\bttttt.exec:\bttttt.exe65⤵
- Executes dropped EXE
-
\??\c:\xffxfxl.exec:\xffxfxl.exe66⤵
-
\??\c:\42224.exec:\42224.exe67⤵
-
\??\c:\806666.exec:\806666.exe68⤵
-
\??\c:\086884.exec:\086884.exe69⤵
-
\??\c:\8028448.exec:\8028448.exe70⤵
-
\??\c:\tnhbbt.exec:\tnhbbt.exe71⤵
-
\??\c:\rrffffx.exec:\rrffffx.exe72⤵
-
\??\c:\rxllflf.exec:\rxllflf.exe73⤵
- System Location Discovery: System Language Discovery
-
\??\c:\i468666.exec:\i468666.exe74⤵
-
\??\c:\3ttntt.exec:\3ttntt.exe75⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe76⤵
-
\??\c:\vjddd.exec:\vjddd.exe77⤵
-
\??\c:\nhttnh.exec:\nhttnh.exe78⤵
-
\??\c:\086844.exec:\086844.exe79⤵
-
\??\c:\20622.exec:\20622.exe80⤵
-
\??\c:\04666.exec:\04666.exe81⤵
-
\??\c:\lxffxlx.exec:\lxffxlx.exe82⤵
-
\??\c:\22062.exec:\22062.exe83⤵
-
\??\c:\rfrrrrf.exec:\rfrrrrf.exe84⤵
-
\??\c:\jppjp.exec:\jppjp.exe85⤵
-
\??\c:\o204062.exec:\o204062.exe86⤵
-
\??\c:\xxfffrr.exec:\xxfffrr.exe87⤵
-
\??\c:\200684.exec:\200684.exe88⤵
-
\??\c:\20802.exec:\20802.exe89⤵
-
\??\c:\htbttn.exec:\htbttn.exe90⤵
-
\??\c:\04884.exec:\04884.exe91⤵
-
\??\c:\lfllffl.exec:\lfllffl.exe92⤵
-
\??\c:\vjvdj.exec:\vjvdj.exe93⤵
-
\??\c:\644288.exec:\644288.exe94⤵
-
\??\c:\6068062.exec:\6068062.exe95⤵
-
\??\c:\vpjjj.exec:\vpjjj.exe96⤵
-
\??\c:\fxlxfrf.exec:\fxlxfrf.exe97⤵
-
\??\c:\64646.exec:\64646.exe98⤵
-
\??\c:\7jdjp.exec:\7jdjp.exe99⤵
-
\??\c:\82666.exec:\82666.exe100⤵
-
\??\c:\9nnhnt.exec:\9nnhnt.exe101⤵
-
\??\c:\rlrrrxf.exec:\rlrrrxf.exe102⤵
-
\??\c:\tththt.exec:\tththt.exe103⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe104⤵
-
\??\c:\hhnthn.exec:\hhnthn.exe105⤵
-
\??\c:\8280688.exec:\8280688.exe106⤵
-
\??\c:\a0406.exec:\a0406.exe107⤵
-
\??\c:\2640624.exec:\2640624.exe108⤵
-
\??\c:\1pvjp.exec:\1pvjp.exe109⤵
-
\??\c:\48284.exec:\48284.exe110⤵
-
\??\c:\rlrlxll.exec:\rlrlxll.exe111⤵
-
\??\c:\48028.exec:\48028.exe112⤵
-
\??\c:\ffrxlrx.exec:\ffrxlrx.exe113⤵
-
\??\c:\i206280.exec:\i206280.exe114⤵
-
\??\c:\266800.exec:\266800.exe115⤵
-
\??\c:\7fxflrl.exec:\7fxflrl.exe116⤵
-
\??\c:\8206824.exec:\8206824.exe117⤵
-
\??\c:\ddjpd.exec:\ddjpd.exe118⤵
-
\??\c:\7lrlrxl.exec:\7lrlrxl.exe119⤵
-
\??\c:\rlfrrxl.exec:\rlfrrxl.exe120⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xxxfrlf.exec:\xxxfrlf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-