Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28/09/2024, 08:37
General
-
Target
5ff125fe3e22ed74e97814b76bf9cb11825bc1054b31eb081b8601971a11cff4N.exe
-
Size
64KB
-
MD5
0e27ecbb18e0117535d284707d2aa900
-
SHA1
cc14e4ec60ca0d8f0cd29398af98a2de9d60b0ca
-
SHA256
5ff125fe3e22ed74e97814b76bf9cb11825bc1054b31eb081b8601971a11cff4
-
SHA512
b3844cd879bd1e9500128534a93a44605a1de6ecfc67cd273654983a507b7fac2cb2be131f26d086c6ffc59ef66771367413b6e698b77817a2af6afb34be84ba
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27i:ymb3NkkiQ3mdBjFI9t
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ff125fe3e22ed74e97814b76bf9cb11825bc1054b31eb081b8601971a11cff4N.exe"C:\Users\Admin\AppData\Local\Temp\5ff125fe3e22ed74e97814b76bf9cb11825bc1054b31eb081b8601971a11cff4N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\tnthbh.exec:\tnthbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vvpv.exec:\7vvpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jvpv.exec:\9jvpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppd.exec:\pdppd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxlffr.exec:\lxxlffr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbbbt.exec:\ttbbbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjjp.exec:\pdjjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrrxxr.exec:\lxrrxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthtbn.exec:\bthtbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnnnh.exec:\bnnnnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvjj.exec:\jdvjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdjp.exec:\jvdjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxxxxl.exec:\frxxxxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lxxlff.exec:\7lxxlff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbthth.exec:\bbthth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5hbbhh.exec:\5hbbhh.exe17⤵
- Executes dropped EXE
-
\??\c:\vpvvj.exec:\vpvvj.exe18⤵
- Executes dropped EXE
-
\??\c:\7rlrrxl.exec:\7rlrrxl.exe19⤵
- Executes dropped EXE
-
\??\c:\rfrfflx.exec:\rfrfflx.exe20⤵
- Executes dropped EXE
-
\??\c:\nttbth.exec:\nttbth.exe21⤵
- Executes dropped EXE
-
\??\c:\9nnnnt.exec:\9nnnnt.exe22⤵
- Executes dropped EXE
-
\??\c:\jjjpd.exec:\jjjpd.exe23⤵
- Executes dropped EXE
-
\??\c:\xxlllll.exec:\xxlllll.exe24⤵
- Executes dropped EXE
-
\??\c:\fxxlxrl.exec:\fxxlxrl.exe25⤵
- Executes dropped EXE
-
\??\c:\hbnttt.exec:\hbnttt.exe26⤵
- Executes dropped EXE
-
\??\c:\hhnnbb.exec:\hhnnbb.exe27⤵
- Executes dropped EXE
-
\??\c:\jvjdj.exec:\jvjdj.exe28⤵
- Executes dropped EXE
-
\??\c:\rlflxlr.exec:\rlflxlr.exe29⤵
- Executes dropped EXE
-
\??\c:\lfxffff.exec:\lfxffff.exe30⤵
- Executes dropped EXE
-
\??\c:\nbtthn.exec:\nbtthn.exe31⤵
- Executes dropped EXE
-
\??\c:\jdjjv.exec:\jdjjv.exe32⤵
- Executes dropped EXE
-
\??\c:\1lflrxr.exec:\1lflrxr.exe33⤵
- Executes dropped EXE
-
\??\c:\fxlrfxr.exec:\fxlrfxr.exe34⤵
- Executes dropped EXE
-
\??\c:\bbnbnb.exec:\bbnbnb.exe35⤵
- Executes dropped EXE
-
\??\c:\btnhnb.exec:\btnhnb.exe36⤵
- Executes dropped EXE
-
\??\c:\dvpvj.exec:\dvpvj.exe37⤵
- Executes dropped EXE
-
\??\c:\pdvvv.exec:\pdvvv.exe38⤵
- Executes dropped EXE
-
\??\c:\rrxrrrf.exec:\rrxrrrf.exe39⤵
- Executes dropped EXE
-
\??\c:\rrrxfxf.exec:\rrrxfxf.exe40⤵
- Executes dropped EXE
-
\??\c:\9hbhnt.exec:\9hbhnt.exe41⤵
- Executes dropped EXE
-
\??\c:\nhttbb.exec:\nhttbb.exe42⤵
- Executes dropped EXE
-
\??\c:\pjdjv.exec:\pjdjv.exe43⤵
- Executes dropped EXE
-
\??\c:\rlrxxfl.exec:\rlrxxfl.exe44⤵
- Executes dropped EXE
-
\??\c:\xxxxflx.exec:\xxxxflx.exe45⤵
- Executes dropped EXE
-
\??\c:\btbhtt.exec:\btbhtt.exe46⤵
- Executes dropped EXE
-
\??\c:\nnnthh.exec:\nnnthh.exe47⤵
- Executes dropped EXE
-
\??\c:\vppdd.exec:\vppdd.exe48⤵
- Executes dropped EXE
-
\??\c:\ppvjv.exec:\ppvjv.exe49⤵
- Executes dropped EXE
-
\??\c:\lfxrxff.exec:\lfxrxff.exe50⤵
- Executes dropped EXE
-
\??\c:\xrxfllf.exec:\xrxfllf.exe51⤵
- Executes dropped EXE
-
\??\c:\hthnnh.exec:\hthnnh.exe52⤵
- Executes dropped EXE
-
\??\c:\tntbnt.exec:\tntbnt.exe53⤵
- Executes dropped EXE
-
\??\c:\jjjpd.exec:\jjjpd.exe54⤵
- Executes dropped EXE
-
\??\c:\ddvdp.exec:\ddvdp.exe55⤵
- Executes dropped EXE
-
\??\c:\lxfxfxl.exec:\lxfxfxl.exe56⤵
- Executes dropped EXE
-
\??\c:\fffrfxl.exec:\fffrfxl.exe57⤵
- Executes dropped EXE
-
\??\c:\hbnhnn.exec:\hbnhnn.exe58⤵
- Executes dropped EXE
-
\??\c:\nnnbht.exec:\nnnbht.exe59⤵
- Executes dropped EXE
-
\??\c:\vjvvv.exec:\vjvvv.exe60⤵
- Executes dropped EXE
-
\??\c:\jdvvp.exec:\jdvvp.exe61⤵
- Executes dropped EXE
-
\??\c:\ffxxlxl.exec:\ffxxlxl.exe62⤵
- Executes dropped EXE
-
\??\c:\lfrxffx.exec:\lfrxffx.exe63⤵
- Executes dropped EXE
-
\??\c:\rlflrrx.exec:\rlflrrx.exe64⤵
- Executes dropped EXE
-
\??\c:\hthbhh.exec:\hthbhh.exe65⤵
- Executes dropped EXE
-
\??\c:\bnbhtn.exec:\bnbhtn.exe66⤵
-
\??\c:\jjddj.exec:\jjddj.exe67⤵
-
\??\c:\dvjpj.exec:\dvjpj.exe68⤵
-
\??\c:\1xxflxf.exec:\1xxflxf.exe69⤵
-
\??\c:\3lxlrxf.exec:\3lxlrxf.exe70⤵
-
\??\c:\1thnth.exec:\1thnth.exe71⤵
-
\??\c:\btnbnt.exec:\btnbnt.exe72⤵
-
\??\c:\pjjpj.exec:\pjjpj.exe73⤵
-
\??\c:\jjjvj.exec:\jjjvj.exe74⤵
-
\??\c:\xxrxlll.exec:\xxrxlll.exe75⤵
-
\??\c:\lxllrrx.exec:\lxllrrx.exe76⤵
-
\??\c:\5tnbnt.exec:\5tnbnt.exe77⤵
-
\??\c:\vpdpd.exec:\vpdpd.exe78⤵
-
\??\c:\jdddp.exec:\jdddp.exe79⤵
-
\??\c:\pddvv.exec:\pddvv.exe80⤵
-
\??\c:\fxrlrxl.exec:\fxrlrxl.exe81⤵
-
\??\c:\lxrxffl.exec:\lxrxffl.exe82⤵
-
\??\c:\btthtb.exec:\btthtb.exe83⤵
-
\??\c:\9bbhhh.exec:\9bbhhh.exe84⤵
-
\??\c:\jdjjd.exec:\jdjjd.exe85⤵
-
\??\c:\3vvpv.exec:\3vvpv.exe86⤵
- System Location Discovery: System Language Discovery
-
\??\c:\lrlxrrf.exec:\lrlxrrf.exe87⤵
-
\??\c:\rlrxllr.exec:\rlrxllr.exe88⤵
-
\??\c:\btnbhh.exec:\btnbhh.exe89⤵
-
\??\c:\1hthnn.exec:\1hthnn.exe90⤵
-
\??\c:\vvvdp.exec:\vvvdp.exe91⤵
-
\??\c:\dpvpv.exec:\dpvpv.exe92⤵
-
\??\c:\xlrlxxf.exec:\xlrlxxf.exe93⤵
-
\??\c:\bnnntn.exec:\bnnntn.exe94⤵
-
\??\c:\bbbthn.exec:\bbbthn.exe95⤵
-
\??\c:\vpddj.exec:\vpddj.exe96⤵
-
\??\c:\jjvdp.exec:\jjvdp.exe97⤵
-
\??\c:\1xrrxlr.exec:\1xrrxlr.exe98⤵
-
\??\c:\rrrxrlr.exec:\rrrxrlr.exe99⤵
-
\??\c:\xlrlrrr.exec:\xlrlrrr.exe100⤵
-
\??\c:\nbbnbn.exec:\nbbnbn.exe101⤵
-
\??\c:\hbhhhn.exec:\hbhhhn.exe102⤵
-
\??\c:\pjjpj.exec:\pjjpj.exe103⤵
-
\??\c:\vvjjp.exec:\vvjjp.exe104⤵
-
\??\c:\rfflrxf.exec:\rfflrxf.exe105⤵
-
\??\c:\lxffffr.exec:\lxffffr.exe106⤵
-
\??\c:\hnhthh.exec:\hnhthh.exe107⤵
-
\??\c:\3bntbh.exec:\3bntbh.exe108⤵
-
\??\c:\pdvpd.exec:\pdvpd.exe109⤵
-
\??\c:\dvjpv.exec:\dvjpv.exe110⤵
-
\??\c:\fxxfllx.exec:\fxxfllx.exe111⤵
-
\??\c:\rlxrxxf.exec:\rlxrxxf.exe112⤵
-
\??\c:\hbntbh.exec:\hbntbh.exe113⤵
-
\??\c:\bthbtn.exec:\bthbtn.exe114⤵
-
\??\c:\3pjpd.exec:\3pjpd.exe115⤵
-
\??\c:\9jjpp.exec:\9jjpp.exe116⤵
-
\??\c:\rrrflxx.exec:\rrrflxx.exe117⤵
-
\??\c:\xrflrrf.exec:\xrflrrf.exe118⤵
-
\??\c:\nhthnt.exec:\nhthnt.exe119⤵
-
\??\c:\nbnttn.exec:\nbnttn.exe120⤵
- System Location Discovery: System Language Discovery
-
\??\c:\tnhnnb.exec:\tnhnnb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-