Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02/10/2024, 19:30
General
-
Target
805528b6f5b6337c28330e16993a7c5171c05eb23bed65155e774296b2e12d50N.exe
-
Size
82KB
-
MD5
8646c1bee72794efede31252b58c2910
-
SHA1
94cc318ffdfaf98a951610b4d6c7d9f4fd7506ef
-
SHA256
805528b6f5b6337c28330e16993a7c5171c05eb23bed65155e774296b2e12d50
-
SHA512
59f5a040f4d94d0788881165ef224ae46b89c25f10a8c419022a26e83d404d70bb98ebd4395b0e9589e42d1772df81d46a4d894cd135bf186dc5709d37f15779
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89Qo2:ymb3NkkiQ3mdBjFIIp9L9QrrA8l2
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 17 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\805528b6f5b6337c28330e16993a7c5171c05eb23bed65155e774296b2e12d50N.exe"C:\Users\Admin\AppData\Local\Temp\805528b6f5b6337c28330e16993a7c5171c05eb23bed65155e774296b2e12d50N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjjd.exec:\dvjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrfxlx.exec:\lfrfxlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9frxflr.exec:\9frxflr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhthht.exec:\nhthht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdvj.exec:\vpdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpddp.exec:\vpddp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrrxlx.exec:\xlrrxlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tnbbh.exec:\1tnbbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdddj.exec:\vdddj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddpd.exec:\dddpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxflll.exec:\xrxflll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthbhn.exec:\bthbhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bnthn.exec:\5bnthn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddpd.exec:\dddpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdvj.exec:\dvdvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrrxfl.exec:\xrrrxfl.exe17⤵
- Executes dropped EXE
-
\??\c:\rfxffrf.exec:\rfxffrf.exe18⤵
- Executes dropped EXE
-
\??\c:\nnbhhn.exec:\nnbhhn.exe19⤵
- Executes dropped EXE
-
\??\c:\hhttbt.exec:\hhttbt.exe20⤵
- Executes dropped EXE
-
\??\c:\vvpdj.exec:\vvpdj.exe21⤵
- Executes dropped EXE
-
\??\c:\ppddd.exec:\ppddd.exe22⤵
- Executes dropped EXE
-
\??\c:\rfrllfr.exec:\rfrllfr.exe23⤵
- Executes dropped EXE
-
\??\c:\rrrffrf.exec:\rrrffrf.exe24⤵
- Executes dropped EXE
-
\??\c:\nhbbht.exec:\nhbbht.exe25⤵
- Executes dropped EXE
-
\??\c:\hhhbhn.exec:\hhhbhn.exe26⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe27⤵
- Executes dropped EXE
-
\??\c:\ddvdj.exec:\ddvdj.exe28⤵
- Executes dropped EXE
-
\??\c:\xrxxllr.exec:\xrxxllr.exe29⤵
- Executes dropped EXE
-
\??\c:\rllrrxl.exec:\rllrrxl.exe30⤵
- Executes dropped EXE
-
\??\c:\tthntb.exec:\tthntb.exe31⤵
- Executes dropped EXE
-
\??\c:\1vpvv.exec:\1vpvv.exe32⤵
- Executes dropped EXE
-
\??\c:\dvjpp.exec:\dvjpp.exe33⤵
- Executes dropped EXE
-
\??\c:\5lrxrrx.exec:\5lrxrrx.exe34⤵
- Executes dropped EXE
-
\??\c:\flrlrll.exec:\flrlrll.exe35⤵
- Executes dropped EXE
-
\??\c:\hbhnhn.exec:\hbhnhn.exe36⤵
- Executes dropped EXE
-
\??\c:\nbnhhb.exec:\nbnhhb.exe37⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe38⤵
- Executes dropped EXE
-
\??\c:\rlrlfxf.exec:\rlrlfxf.exe39⤵
- Executes dropped EXE
-
\??\c:\rfllxxf.exec:\rfllxxf.exe40⤵
- Executes dropped EXE
-
\??\c:\tbhbbn.exec:\tbhbbn.exe41⤵
- Executes dropped EXE
-
\??\c:\5nnnhh.exec:\5nnnhh.exe42⤵
- Executes dropped EXE
-
\??\c:\3jvdv.exec:\3jvdv.exe43⤵
- Executes dropped EXE
-
\??\c:\dvjvp.exec:\dvjvp.exe44⤵
- Executes dropped EXE
-
\??\c:\lfxfrrf.exec:\lfxfrrf.exe45⤵
- Executes dropped EXE
-
\??\c:\5lflxfr.exec:\5lflxfr.exe46⤵
- Executes dropped EXE
-
\??\c:\bttnbt.exec:\bttnbt.exe47⤵
- Executes dropped EXE
-
\??\c:\bnhhhb.exec:\bnhhhb.exe48⤵
- Executes dropped EXE
-
\??\c:\jvddv.exec:\jvddv.exe49⤵
- Executes dropped EXE
-
\??\c:\1dppd.exec:\1dppd.exe50⤵
- Executes dropped EXE
-
\??\c:\xlxfffl.exec:\xlxfffl.exe51⤵
- Executes dropped EXE
-
\??\c:\rfllrxf.exec:\rfllrxf.exe52⤵
- Executes dropped EXE
-
\??\c:\bhhthh.exec:\bhhthh.exe53⤵
- Executes dropped EXE
-
\??\c:\nbbtnh.exec:\nbbtnh.exe54⤵
- Executes dropped EXE
-
\??\c:\7djjp.exec:\7djjp.exe55⤵
- Executes dropped EXE
-
\??\c:\vvddj.exec:\vvddj.exe56⤵
- Executes dropped EXE
-
\??\c:\xlfrlrx.exec:\xlfrlrx.exe57⤵
- Executes dropped EXE
-
\??\c:\xlllrll.exec:\xlllrll.exe58⤵
- Executes dropped EXE
-
\??\c:\bbhntb.exec:\bbhntb.exe59⤵
- Executes dropped EXE
-
\??\c:\nbhtbh.exec:\nbhtbh.exe60⤵
- Executes dropped EXE
-
\??\c:\vjppv.exec:\vjppv.exe61⤵
- Executes dropped EXE
-
\??\c:\dpdvp.exec:\dpdvp.exe62⤵
- Executes dropped EXE
-
\??\c:\lfrlrrr.exec:\lfrlrrr.exe63⤵
- Executes dropped EXE
-
\??\c:\fxfffxr.exec:\fxfffxr.exe64⤵
- Executes dropped EXE
-
\??\c:\9hbbhh.exec:\9hbbhh.exe65⤵
- Executes dropped EXE
-
\??\c:\hthbbb.exec:\hthbbb.exe66⤵
-
\??\c:\vvpdd.exec:\vvpdd.exe67⤵
-
\??\c:\jdjdd.exec:\jdjdd.exe68⤵
-
\??\c:\lflllff.exec:\lflllff.exe69⤵
-
\??\c:\1rxrrxx.exec:\1rxrrxx.exe70⤵
-
\??\c:\xlxfffl.exec:\xlxfffl.exe71⤵
-
\??\c:\1hbtnh.exec:\1hbtnh.exe72⤵
-
\??\c:\nhnttb.exec:\nhnttb.exe73⤵
-
\??\c:\jvjpp.exec:\jvjpp.exe74⤵
-
\??\c:\dpdjv.exec:\dpdjv.exe75⤵
-
\??\c:\lxlllfl.exec:\lxlllfl.exe76⤵
-
\??\c:\xrfxffr.exec:\xrfxffr.exe77⤵
-
\??\c:\thtbnh.exec:\thtbnh.exe78⤵
-
\??\c:\bthbbt.exec:\bthbbt.exe79⤵
- System Location Discovery: System Language Discovery
-
\??\c:\dpddd.exec:\dpddd.exe80⤵
-
\??\c:\vjdvv.exec:\vjdvv.exe81⤵
-
\??\c:\7jdpv.exec:\7jdpv.exe82⤵
-
\??\c:\fxllllr.exec:\fxllllr.exe83⤵
-
\??\c:\rfxflfl.exec:\rfxflfl.exe84⤵
-
\??\c:\fxrxrxx.exec:\fxrxrxx.exe85⤵
-
\??\c:\tnhbnt.exec:\tnhbnt.exe86⤵
-
\??\c:\nttnnh.exec:\nttnnh.exe87⤵
-
\??\c:\pdvvj.exec:\pdvvj.exe88⤵
-
\??\c:\pjpvd.exec:\pjpvd.exe89⤵
-
\??\c:\lxlxxrr.exec:\lxlxxrr.exe90⤵
-
\??\c:\5rffffx.exec:\5rffffx.exe91⤵
-
\??\c:\hbtnnt.exec:\hbtnnt.exe92⤵
-
\??\c:\httbbh.exec:\httbbh.exe93⤵
-
\??\c:\hhbbhn.exec:\hhbbhn.exe94⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vpvdd.exec:\vpvdd.exe95⤵
-
\??\c:\7dpjd.exec:\7dpjd.exe96⤵
-
\??\c:\xrflflf.exec:\xrflflf.exe97⤵
-
\??\c:\xlxxfll.exec:\xlxxfll.exe98⤵
-
\??\c:\bthhnn.exec:\bthhnn.exe99⤵
-
\??\c:\hbnhtt.exec:\hbnhtt.exe100⤵
-
\??\c:\3htnnh.exec:\3htnnh.exe101⤵
-
\??\c:\1ppvj.exec:\1ppvj.exe102⤵
-
\??\c:\pjpvv.exec:\pjpvv.exe103⤵
-
\??\c:\rlffrxx.exec:\rlffrxx.exe104⤵
-
\??\c:\rlrrfxr.exec:\rlrrfxr.exe105⤵
-
\??\c:\hhnbhh.exec:\hhnbhh.exe106⤵
-
\??\c:\5hthnn.exec:\5hthnn.exe107⤵
-
\??\c:\hbtbhh.exec:\hbtbhh.exe108⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vvddv.exec:\vvddv.exe109⤵
-
\??\c:\pdvjp.exec:\pdvjp.exe110⤵
-
\??\c:\rfrrrxf.exec:\rfrrrxf.exe111⤵
-
\??\c:\lxllllx.exec:\lxllllx.exe112⤵
-
\??\c:\xrxffxf.exec:\xrxffxf.exe113⤵
-
\??\c:\bnbhhn.exec:\bnbhhn.exe114⤵
-
\??\c:\vvpvp.exec:\vvpvp.exe115⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe116⤵
-
\??\c:\frxfxlr.exec:\frxfxlr.exe117⤵
-
\??\c:\xrflrxl.exec:\xrflrxl.exe118⤵
-
\??\c:\lxrxfrr.exec:\lxrxfrr.exe119⤵
-
\??\c:\nhtbnh.exec:\nhtbnh.exe120⤵
-
\??\c:\hbtbhb.exec:\hbtbhb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-