Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
29/09/2024, 21:56
General
-
Target
18f28bed7ab0d17eacc82f1d113c8cd5f8d4216ef0c043657b513499c87a0362N.exe
-
Size
71KB
-
MD5
97c2b47c015b7f2e0dff6dba3c36da50
-
SHA1
5d1612d3a43829242c9ef57b0cb978e6f4b84ea7
-
SHA256
18f28bed7ab0d17eacc82f1d113c8cd5f8d4216ef0c043657b513499c87a0362
-
SHA512
22d2d9a92f19e80072ccfd0f0b6879dee04124841b3917db2998b4b51d261f4fc840d7c8c8c42cc9b93090aa17e4c428c4037de0054b59e8ea37b09ed59d69b9
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjJ:ymb3NkkiQ3mdBjFI4VZ
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18f28bed7ab0d17eacc82f1d113c8cd5f8d4216ef0c043657b513499c87a0362N.exe"C:\Users\Admin\AppData\Local\Temp\18f28bed7ab0d17eacc82f1d113c8cd5f8d4216ef0c043657b513499c87a0362N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxxrfx.exec:\lfxxrfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnnhh.exec:\htnnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rrrfrx.exec:\3rrrfrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbthtt.exec:\hbthtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbhnn.exec:\bnbhnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dvjj.exec:\9dvjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rfflrf.exec:\3rfflrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhnnn.exec:\thhnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddj.exec:\jdddj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxfxlx.exec:\xlxfxlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlffxxl.exec:\rlffxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bnnnn.exec:\9bnnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdvp.exec:\vvdvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrlxxf.exec:\rfrlxxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxxfl.exec:\rfxxxfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bnhbh.exec:\1bnhbh.exe17⤵
- Executes dropped EXE
-
\??\c:\pjdvd.exec:\pjdvd.exe18⤵
- Executes dropped EXE
-
\??\c:\pppvj.exec:\pppvj.exe19⤵
- Executes dropped EXE
-
\??\c:\xxffllx.exec:\xxffllx.exe20⤵
- Executes dropped EXE
-
\??\c:\xrrlxxl.exec:\xrrlxxl.exe21⤵
- Executes dropped EXE
-
\??\c:\hbtttb.exec:\hbtttb.exe22⤵
- Executes dropped EXE
-
\??\c:\jdjjj.exec:\jdjjj.exe23⤵
- Executes dropped EXE
-
\??\c:\pjjjp.exec:\pjjjp.exe24⤵
- Executes dropped EXE
-
\??\c:\fffxxll.exec:\fffxxll.exe25⤵
- Executes dropped EXE
-
\??\c:\nhttht.exec:\nhttht.exe26⤵
- Executes dropped EXE
-
\??\c:\hntnhb.exec:\hntnhb.exe27⤵
- Executes dropped EXE
-
\??\c:\3pvpv.exec:\3pvpv.exe28⤵
- Executes dropped EXE
-
\??\c:\lllfxxl.exec:\lllfxxl.exe29⤵
- Executes dropped EXE
-
\??\c:\1xxxlrl.exec:\1xxxlrl.exe30⤵
- Executes dropped EXE
-
\??\c:\hbnnbb.exec:\hbnnbb.exe31⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe32⤵
- Executes dropped EXE
-
\??\c:\djjvv.exec:\djjvv.exe33⤵
- Executes dropped EXE
-
\??\c:\rlflxxl.exec:\rlflxxl.exe34⤵
- Executes dropped EXE
-
\??\c:\htbhbb.exec:\htbhbb.exe35⤵
- Executes dropped EXE
-
\??\c:\nbhhtn.exec:\nbhhtn.exe36⤵
- Executes dropped EXE
-
\??\c:\nhbhnt.exec:\nhbhnt.exe37⤵
- Executes dropped EXE
-
\??\c:\9djvp.exec:\9djvp.exe38⤵
- Executes dropped EXE
-
\??\c:\vjvpp.exec:\vjvpp.exe39⤵
- Executes dropped EXE
-
\??\c:\xrffllr.exec:\xrffllr.exe40⤵
- Executes dropped EXE
-
\??\c:\bhhhtn.exec:\bhhhtn.exe41⤵
- Executes dropped EXE
-
\??\c:\bhtbhh.exec:\bhtbhh.exe42⤵
- Executes dropped EXE
-
\??\c:\jdppd.exec:\jdppd.exe43⤵
- Executes dropped EXE
-
\??\c:\vvdvd.exec:\vvdvd.exe44⤵
- Executes dropped EXE
-
\??\c:\xlfrxll.exec:\xlfrxll.exe45⤵
- Executes dropped EXE
-
\??\c:\xrffrxf.exec:\xrffrxf.exe46⤵
- Executes dropped EXE
-
\??\c:\tthhhh.exec:\tthhhh.exe47⤵
- Executes dropped EXE
-
\??\c:\jdddj.exec:\jdddj.exe48⤵
- Executes dropped EXE
-
\??\c:\pdppd.exec:\pdppd.exe49⤵
- Executes dropped EXE
-
\??\c:\lflfxfx.exec:\lflfxfx.exe50⤵
- Executes dropped EXE
-
\??\c:\tnhnbb.exec:\tnhnbb.exe51⤵
- Executes dropped EXE
-
\??\c:\hbnnhn.exec:\hbnnhn.exe52⤵
- Executes dropped EXE
-
\??\c:\tntbtn.exec:\tntbtn.exe53⤵
- Executes dropped EXE
-
\??\c:\jvjvj.exec:\jvjvj.exe54⤵
- Executes dropped EXE
-
\??\c:\1vjpd.exec:\1vjpd.exe55⤵
- Executes dropped EXE
-
\??\c:\rfrxxxf.exec:\rfrxxxf.exe56⤵
- Executes dropped EXE
-
\??\c:\frfxxff.exec:\frfxxff.exe57⤵
- Executes dropped EXE
-
\??\c:\bbbhhn.exec:\bbbhhn.exe58⤵
- Executes dropped EXE
-
\??\c:\hbnhtt.exec:\hbnhtt.exe59⤵
- Executes dropped EXE
-
\??\c:\5vjjd.exec:\5vjjd.exe60⤵
- Executes dropped EXE
-
\??\c:\xrfrxfr.exec:\xrfrxfr.exe61⤵
- Executes dropped EXE
-
\??\c:\rlfrxxf.exec:\rlfrxxf.exe62⤵
- Executes dropped EXE
-
\??\c:\hnttnn.exec:\hnttnn.exe63⤵
- Executes dropped EXE
-
\??\c:\tntbbh.exec:\tntbbh.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\5jjdd.exec:\5jjdd.exe65⤵
- Executes dropped EXE
-
\??\c:\pdppd.exec:\pdppd.exe66⤵
-
\??\c:\rlxflrx.exec:\rlxflrx.exe67⤵
-
\??\c:\1fflxfl.exec:\1fflxfl.exe68⤵
-
\??\c:\nhnhhh.exec:\nhnhhh.exe69⤵
-
\??\c:\7bntbb.exec:\7bntbb.exe70⤵
-
\??\c:\pjjpd.exec:\pjjpd.exe71⤵
-
\??\c:\dvppj.exec:\dvppj.exe72⤵
-
\??\c:\rlxxlrx.exec:\rlxxlrx.exe73⤵
-
\??\c:\frllllr.exec:\frllllr.exe74⤵
-
\??\c:\xrxxllr.exec:\xrxxllr.exe75⤵
-
\??\c:\nhnntn.exec:\nhnntn.exe76⤵
-
\??\c:\tnbntn.exec:\tnbntn.exe77⤵
-
\??\c:\vpjjp.exec:\vpjjp.exe78⤵
-
\??\c:\jdvdj.exec:\jdvdj.exe79⤵
-
\??\c:\lfxrrrr.exec:\lfxrrrr.exe80⤵
-
\??\c:\lrlfrrf.exec:\lrlfrrf.exe81⤵
-
\??\c:\hbtbbh.exec:\hbtbbh.exe82⤵
-
\??\c:\bhthbh.exec:\bhthbh.exe83⤵
-
\??\c:\tntbhn.exec:\tntbhn.exe84⤵
-
\??\c:\3jpvd.exec:\3jpvd.exe85⤵
-
\??\c:\dvdvj.exec:\dvdvj.exe86⤵
-
\??\c:\7xxxrxr.exec:\7xxxrxr.exe87⤵
-
\??\c:\rlrflll.exec:\rlrflll.exe88⤵
-
\??\c:\hhbnbh.exec:\hhbnbh.exe89⤵
-
\??\c:\bthttt.exec:\bthttt.exe90⤵
-
\??\c:\tnbhnt.exec:\tnbhnt.exe91⤵
-
\??\c:\pjjjv.exec:\pjjjv.exe92⤵
-
\??\c:\jddpv.exec:\jddpv.exe93⤵
-
\??\c:\xrffllr.exec:\xrffllr.exe94⤵
- System Location Discovery: System Language Discovery
-
\??\c:\7xxxfrx.exec:\7xxxfrx.exe95⤵
-
\??\c:\7llfffx.exec:\7llfffx.exe96⤵
-
\??\c:\tnhtbb.exec:\tnhtbb.exe97⤵
-
\??\c:\bthnbb.exec:\bthnbb.exe98⤵
-
\??\c:\pjvvv.exec:\pjvvv.exe99⤵
-
\??\c:\9jdjj.exec:\9jdjj.exe100⤵
-
\??\c:\ppdjj.exec:\ppdjj.exe101⤵
-
\??\c:\fxxxffl.exec:\fxxxffl.exe102⤵
-
\??\c:\9ffllxf.exec:\9ffllxf.exe103⤵
-
\??\c:\nhbbhn.exec:\nhbbhn.exe104⤵
-
\??\c:\5htthn.exec:\5htthn.exe105⤵
-
\??\c:\5bhhhh.exec:\5bhhhh.exe106⤵
-
\??\c:\vpddv.exec:\vpddv.exe107⤵
-
\??\c:\pvjjj.exec:\pvjjj.exe108⤵
-
\??\c:\rlrxxfl.exec:\rlrxxfl.exe109⤵
-
\??\c:\9xllrrf.exec:\9xllrrf.exe110⤵
-
\??\c:\1bttbb.exec:\1bttbb.exe111⤵
-
\??\c:\hbnnnn.exec:\hbnnnn.exe112⤵
-
\??\c:\bbbhnh.exec:\bbbhnh.exe113⤵
-
\??\c:\3jvvd.exec:\3jvvd.exe114⤵
-
\??\c:\vvvjd.exec:\vvvjd.exe115⤵
-
\??\c:\pjvdv.exec:\pjvdv.exe116⤵
-
\??\c:\xrlrxxf.exec:\xrlrxxf.exe117⤵
-
\??\c:\llxfflr.exec:\llxfflr.exe118⤵
-
\??\c:\tthnbh.exec:\tthnbh.exe119⤵
-
\??\c:\7hbbnt.exec:\7hbbnt.exe120⤵
-
\??\c:\htntbn.exec:\htntbn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-