Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02-10-2024 19:50
General
-
Target
70df64508365c758623d945497efa4aeafb6d4a1ab0a611650bac2324580a971N.exe
-
Size
106KB
-
MD5
196222614f4d7f8e424927d7a09ceb30
-
SHA1
8bfaaf9f1aedfbbb18088620abe80de30adde225
-
SHA256
70df64508365c758623d945497efa4aeafb6d4a1ab0a611650bac2324580a971
-
SHA512
bb029b4a94a065ba872ee0274f36da218405a49c98e3e9ba5336e358297d9a918bfcdafc9ae40933463bf6c7749cf6dc8b51d7edacd560bdb593bee2171c5116
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KVT+buwUGu3P3CA+:n3C9BRo7MlrWKVT+buBGu3PC
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\70df64508365c758623d945497efa4aeafb6d4a1ab0a611650bac2324580a971N.exe"C:\Users\Admin\AppData\Local\Temp\70df64508365c758623d945497efa4aeafb6d4a1ab0a611650bac2324580a971N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlxrrx.exec:\xrlxrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nnbtt.exec:\3nnbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhhbh.exec:\nbhhbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddpd.exec:\dddpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrfxfr.exec:\rlrfxfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlxrfr.exec:\xxlxrfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbtth.exec:\ntbtth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvpj.exec:\jpvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1dpjv.exec:\1dpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnhbh.exec:\nnnhbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbnnt.exec:\hbbnnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pddp.exec:\9pddp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5fflrxf.exec:\5fflrxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxllxl.exec:\xxxllxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtbhb.exec:\nhtbhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvjv.exec:\jvvjv.exe17⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe18⤵
- Executes dropped EXE
-
\??\c:\lffrxfx.exec:\lffrxfx.exe19⤵
- Executes dropped EXE
-
\??\c:\rrfrrxr.exec:\rrfrrxr.exe20⤵
- Executes dropped EXE
-
\??\c:\1ttntt.exec:\1ttntt.exe21⤵
- Executes dropped EXE
-
\??\c:\jvpjj.exec:\jvpjj.exe22⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe23⤵
- Executes dropped EXE
-
\??\c:\fxllrrf.exec:\fxllrrf.exe24⤵
- Executes dropped EXE
-
\??\c:\lfxxlrx.exec:\lfxxlrx.exe25⤵
- Executes dropped EXE
-
\??\c:\thbbtb.exec:\thbbtb.exe26⤵
- Executes dropped EXE
-
\??\c:\7jvvp.exec:\7jvvp.exe27⤵
- Executes dropped EXE
-
\??\c:\9ddpv.exec:\9ddpv.exe28⤵
- Executes dropped EXE
-
\??\c:\rlxxfff.exec:\rlxxfff.exe29⤵
- Executes dropped EXE
-
\??\c:\tnhnnn.exec:\tnhnnn.exe30⤵
- Executes dropped EXE
-
\??\c:\nhbnhh.exec:\nhbnhh.exe31⤵
- Executes dropped EXE
-
\??\c:\3jjpd.exec:\3jjpd.exe32⤵
- Executes dropped EXE
-
\??\c:\fxlflrf.exec:\fxlflrf.exe33⤵
- Executes dropped EXE
-
\??\c:\frxrrll.exec:\frxrrll.exe34⤵
- Executes dropped EXE
-
\??\c:\5htbhn.exec:\5htbhn.exe35⤵
- Executes dropped EXE
-
\??\c:\tntnbn.exec:\tntnbn.exe36⤵
- Executes dropped EXE
-
\??\c:\tnhnhh.exec:\tnhnhh.exe37⤵
- Executes dropped EXE
-
\??\c:\9vjjp.exec:\9vjjp.exe38⤵
- Executes dropped EXE
-
\??\c:\jdjdj.exec:\jdjdj.exe39⤵
- Executes dropped EXE
-
\??\c:\3flfxxl.exec:\3flfxxl.exe40⤵
- Executes dropped EXE
-
\??\c:\lxxllxf.exec:\lxxllxf.exe41⤵
- Executes dropped EXE
-
\??\c:\nbnhnh.exec:\nbnhnh.exe42⤵
- Executes dropped EXE
-
\??\c:\thbtbt.exec:\thbtbt.exe43⤵
- Executes dropped EXE
-
\??\c:\ntbttn.exec:\ntbttn.exe44⤵
- Executes dropped EXE
-
\??\c:\pddpp.exec:\pddpp.exe45⤵
- Executes dropped EXE
-
\??\c:\jdjpp.exec:\jdjpp.exe46⤵
- Executes dropped EXE
-
\??\c:\5lxxrlr.exec:\5lxxrlr.exe47⤵
- Executes dropped EXE
-
\??\c:\lxfrllx.exec:\lxfrllx.exe48⤵
- Executes dropped EXE
-
\??\c:\thbbbt.exec:\thbbbt.exe49⤵
- Executes dropped EXE
-
\??\c:\thhhnt.exec:\thhhnt.exe50⤵
- Executes dropped EXE
-
\??\c:\hthtbn.exec:\hthtbn.exe51⤵
- Executes dropped EXE
-
\??\c:\1vpvj.exec:\1vpvj.exe52⤵
- Executes dropped EXE
-
\??\c:\ddpvd.exec:\ddpvd.exe53⤵
- Executes dropped EXE
-
\??\c:\xrfffrf.exec:\xrfffrf.exe54⤵
- Executes dropped EXE
-
\??\c:\lfxfxlr.exec:\lfxfxlr.exe55⤵
- Executes dropped EXE
-
\??\c:\lflrrrf.exec:\lflrrrf.exe56⤵
- Executes dropped EXE
-
\??\c:\nnnhhh.exec:\nnnhhh.exe57⤵
- Executes dropped EXE
-
\??\c:\lxrxrrx.exec:\lxrxrrx.exe58⤵
- Executes dropped EXE
-
\??\c:\3lxlllr.exec:\3lxlllr.exe59⤵
- Executes dropped EXE
-
\??\c:\thhbtb.exec:\thhbtb.exe60⤵
- Executes dropped EXE
-
\??\c:\nhnbhn.exec:\nhnbhn.exe61⤵
- Executes dropped EXE
-
\??\c:\tthnth.exec:\tthnth.exe62⤵
- Executes dropped EXE
-
\??\c:\1pddp.exec:\1pddp.exe63⤵
- Executes dropped EXE
-
\??\c:\3pdjv.exec:\3pdjv.exe64⤵
- Executes dropped EXE
-
\??\c:\1lrflfx.exec:\1lrflfx.exe65⤵
- Executes dropped EXE
-
\??\c:\lfrrxlr.exec:\lfrrxlr.exe66⤵
-
\??\c:\9hbhtb.exec:\9hbhtb.exe67⤵
-
\??\c:\hhbhtt.exec:\hhbhtt.exe68⤵
-
\??\c:\hhbhnn.exec:\hhbhnn.exe69⤵
-
\??\c:\vpppd.exec:\vpppd.exe70⤵
-
\??\c:\5pjjp.exec:\5pjjp.exe71⤵
-
\??\c:\9xrrrrx.exec:\9xrrrrx.exe72⤵
-
\??\c:\3lflxxx.exec:\3lflxxx.exe73⤵
-
\??\c:\hhhthh.exec:\hhhthh.exe74⤵
-
\??\c:\thtnbb.exec:\thtnbb.exe75⤵
-
\??\c:\nbthtt.exec:\nbthtt.exe76⤵
-
\??\c:\5pjpd.exec:\5pjpd.exe77⤵
-
\??\c:\jdjpj.exec:\jdjpj.exe78⤵
-
\??\c:\9ddpv.exec:\9ddpv.exe79⤵
-
\??\c:\lfrxlrx.exec:\lfrxlrx.exe80⤵
-
\??\c:\xrrfrfr.exec:\xrrfrfr.exe81⤵
-
\??\c:\hbhnth.exec:\hbhnth.exe82⤵
-
\??\c:\5bhhbn.exec:\5bhhbn.exe83⤵
-
\??\c:\dvpvj.exec:\dvpvj.exe84⤵
-
\??\c:\dvjpp.exec:\dvjpp.exe85⤵
-
\??\c:\pdvdp.exec:\pdvdp.exe86⤵
-
\??\c:\fxfrxrf.exec:\fxfrxrf.exe87⤵
-
\??\c:\lflfffl.exec:\lflfffl.exe88⤵
-
\??\c:\thhthn.exec:\thhthn.exe89⤵
-
\??\c:\bhthbh.exec:\bhthbh.exe90⤵
-
\??\c:\hbnhbn.exec:\hbnhbn.exe91⤵
-
\??\c:\1jdjd.exec:\1jdjd.exe92⤵
-
\??\c:\pppvp.exec:\pppvp.exe93⤵
-
\??\c:\lfflrxl.exec:\lfflrxl.exe94⤵
-
\??\c:\1lrxxxf.exec:\1lrxxxf.exe95⤵
-
\??\c:\ttthnt.exec:\ttthnt.exe96⤵
-
\??\c:\nnhnbn.exec:\nnhnbn.exe97⤵
-
\??\c:\dvddp.exec:\dvddp.exe98⤵
-
\??\c:\pjvdd.exec:\pjvdd.exe99⤵
-
\??\c:\9vpvd.exec:\9vpvd.exe100⤵
-
\??\c:\lfflrlf.exec:\lfflrlf.exe101⤵
-
\??\c:\xxrrxxl.exec:\xxrrxxl.exe102⤵
-
\??\c:\nnhtnt.exec:\nnhtnt.exe103⤵
-
\??\c:\5nhhhn.exec:\5nhhhn.exe104⤵
-
\??\c:\tbbhtt.exec:\tbbhtt.exe105⤵
-
\??\c:\1jdpp.exec:\1jdpp.exe106⤵
-
\??\c:\dddjv.exec:\dddjv.exe107⤵
-
\??\c:\7xxfrrr.exec:\7xxfrrr.exe108⤵
-
\??\c:\rlxlrxl.exec:\rlxlrxl.exe109⤵
-
\??\c:\7tntnh.exec:\7tntnh.exe110⤵
-
\??\c:\bbnbhh.exec:\bbnbhh.exe111⤵
-
\??\c:\9jdjj.exec:\9jdjj.exe112⤵
-
\??\c:\vjjdd.exec:\vjjdd.exe113⤵
-
\??\c:\1xrrrrl.exec:\1xrrrrl.exe114⤵
-
\??\c:\rlfrrxf.exec:\rlfrrxf.exe115⤵
-
\??\c:\nnhbnn.exec:\nnhbnn.exe116⤵
-
\??\c:\tnnbht.exec:\tnnbht.exe117⤵
-
\??\c:\dvpvv.exec:\dvpvv.exe118⤵
-
\??\c:\3jdvj.exec:\3jdvj.exe119⤵
-
\??\c:\1fxffrf.exec:\1fxffrf.exe120⤵
-
\??\c:\ffrrrrx.exec:\ffrrrrx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-