Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
03/10/2024, 22:14
General
-
Target
290d8882682856e0ab53cb12040f43e1b9949f0d1b52ec8233b5879b983882a0N.exe
-
Size
72KB
-
MD5
2826e08041a32b748525d9550fea8040
-
SHA1
d9456ce36d5a1221df7cdcda0bc34dad1ca1aa7d
-
SHA256
290d8882682856e0ab53cb12040f43e1b9949f0d1b52ec8233b5879b983882a0
-
SHA512
652317746491eea82db296e86c6cbd97812ff3e2695c3b5a856341fee6c02384b5cfa55c9e852c81e712c6acff54c2a7a61d73bfecf9f457b43b6ba70a0893d6
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfj8:ymb3NkkiQ3mdBjFI4Vs
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\290d8882682856e0ab53cb12040f43e1b9949f0d1b52ec8233b5879b983882a0N.exe"C:\Users\Admin\AppData\Local\Temp\290d8882682856e0ab53cb12040f43e1b9949f0d1b52ec8233b5879b983882a0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvpd.exec:\dpvpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflrlxl.exec:\lflrlxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bhbnh.exec:\1bhbnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnnbb.exec:\btnnbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdjd.exec:\dpdjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxllff.exec:\fxxllff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbhbt.exec:\bnbhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjppp.exec:\pjppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvppj.exec:\dvppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frflllr.exec:\frflllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nnnbb.exec:\3nnnbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtnnt.exec:\thtnnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvdj.exec:\ddvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrrffl.exec:\fxrrffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxllxfl.exec:\lxllxfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbtbhb.exec:\nbtbhb.exe17⤵
- Executes dropped EXE
-
\??\c:\7nhnnt.exec:\7nhnnt.exe18⤵
- Executes dropped EXE
-
\??\c:\5vjjj.exec:\5vjjj.exe19⤵
- Executes dropped EXE
-
\??\c:\5dpvj.exec:\5dpvj.exe20⤵
- Executes dropped EXE
-
\??\c:\ffxflxf.exec:\ffxflxf.exe21⤵
- Executes dropped EXE
-
\??\c:\rfrrxrx.exec:\rfrrxrx.exe22⤵
- Executes dropped EXE
-
\??\c:\bntthb.exec:\bntthb.exe23⤵
- Executes dropped EXE
-
\??\c:\tnthtb.exec:\tnthtb.exe24⤵
- Executes dropped EXE
-
\??\c:\pvdpj.exec:\pvdpj.exe25⤵
- Executes dropped EXE
-
\??\c:\llrxffr.exec:\llrxffr.exe26⤵
- Executes dropped EXE
-
\??\c:\lxllffl.exec:\lxllffl.exe27⤵
- Executes dropped EXE
-
\??\c:\tthbbt.exec:\tthbbt.exe28⤵
- Executes dropped EXE
-
\??\c:\jdvvd.exec:\jdvvd.exe29⤵
- Executes dropped EXE
-
\??\c:\vjdjp.exec:\vjdjp.exe30⤵
- Executes dropped EXE
-
\??\c:\lfxxrfr.exec:\lfxxrfr.exe31⤵
- Executes dropped EXE
-
\??\c:\xllxrfx.exec:\xllxrfx.exe32⤵
- Executes dropped EXE
-
\??\c:\tbhhhn.exec:\tbhhhn.exe33⤵
- Executes dropped EXE
-
\??\c:\7dvpd.exec:\7dvpd.exe34⤵
- Executes dropped EXE
-
\??\c:\jpjvj.exec:\jpjvj.exe35⤵
- Executes dropped EXE
-
\??\c:\7rflrxr.exec:\7rflrxr.exe36⤵
- Executes dropped EXE
-
\??\c:\3rrxxff.exec:\3rrxxff.exe37⤵
- Executes dropped EXE
-
\??\c:\bnttbh.exec:\bnttbh.exe38⤵
- Executes dropped EXE
-
\??\c:\3nhbhn.exec:\3nhbhn.exe39⤵
- Executes dropped EXE
-
\??\c:\9vjpp.exec:\9vjpp.exe40⤵
- Executes dropped EXE
-
\??\c:\vvjvj.exec:\vvjvj.exe41⤵
- Executes dropped EXE
-
\??\c:\fxxfrfl.exec:\fxxfrfl.exe42⤵
- Executes dropped EXE
-
\??\c:\xrfrxfr.exec:\xrfrxfr.exe43⤵
- Executes dropped EXE
-
\??\c:\hbhhtn.exec:\hbhhtn.exe44⤵
- Executes dropped EXE
-
\??\c:\nbnthn.exec:\nbnthn.exe45⤵
- Executes dropped EXE
-
\??\c:\vpjdp.exec:\vpjdp.exe46⤵
- Executes dropped EXE
-
\??\c:\jvjpp.exec:\jvjpp.exe47⤵
- Executes dropped EXE
-
\??\c:\rxlxxrx.exec:\rxlxxrx.exe48⤵
- Executes dropped EXE
-
\??\c:\frflfxl.exec:\frflfxl.exe49⤵
- Executes dropped EXE
-
\??\c:\3bhhtt.exec:\3bhhtt.exe50⤵
- Executes dropped EXE
-
\??\c:\hbhhbt.exec:\hbhhbt.exe51⤵
- Executes dropped EXE
-
\??\c:\ddvdd.exec:\ddvdd.exe52⤵
- Executes dropped EXE
-
\??\c:\pjjdp.exec:\pjjdp.exe53⤵
- Executes dropped EXE
-
\??\c:\lxfxrrr.exec:\lxfxrrr.exe54⤵
- Executes dropped EXE
-
\??\c:\frrflfr.exec:\frrflfr.exe55⤵
- Executes dropped EXE
-
\??\c:\nhnnbt.exec:\nhnnbt.exe56⤵
- Executes dropped EXE
-
\??\c:\tnnntt.exec:\tnnntt.exe57⤵
- Executes dropped EXE
-
\??\c:\pjvvp.exec:\pjvvp.exe58⤵
- Executes dropped EXE
-
\??\c:\dpddd.exec:\dpddd.exe59⤵
- Executes dropped EXE
-
\??\c:\xxlrflf.exec:\xxlrflf.exe60⤵
- Executes dropped EXE
-
\??\c:\9lffrxl.exec:\9lffrxl.exe61⤵
- Executes dropped EXE
-
\??\c:\rlrxfll.exec:\rlrxfll.exe62⤵
- Executes dropped EXE
-
\??\c:\nhtbhh.exec:\nhtbhh.exe63⤵
- Executes dropped EXE
-
\??\c:\thntbb.exec:\thntbb.exe64⤵
- Executes dropped EXE
-
\??\c:\jjdvd.exec:\jjdvd.exe65⤵
- Executes dropped EXE
-
\??\c:\pjvjv.exec:\pjvjv.exe66⤵
-
\??\c:\jjpjj.exec:\jjpjj.exe67⤵
-
\??\c:\9fxxxfl.exec:\9fxxxfl.exe68⤵
-
\??\c:\rlrfxrr.exec:\rlrfxrr.exe69⤵
-
\??\c:\bbthnb.exec:\bbthnb.exe70⤵
-
\??\c:\1nhttb.exec:\1nhttb.exe71⤵
-
\??\c:\nthnhn.exec:\nthnhn.exe72⤵
-
\??\c:\jppjd.exec:\jppjd.exe73⤵
-
\??\c:\jjpdp.exec:\jjpdp.exe74⤵
-
\??\c:\3ffxlrr.exec:\3ffxlrr.exe75⤵
-
\??\c:\lflrlrf.exec:\lflrlrf.exe76⤵
-
\??\c:\bbhthh.exec:\bbhthh.exe77⤵
-
\??\c:\nnbntt.exec:\nnbntt.exe78⤵
-
\??\c:\5vvdd.exec:\5vvdd.exe79⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe80⤵
-
\??\c:\frflxfl.exec:\frflxfl.exe81⤵
-
\??\c:\fxrrfxf.exec:\fxrrfxf.exe82⤵
-
\??\c:\3lxfrxx.exec:\3lxfrxx.exe83⤵
-
\??\c:\nbhnbh.exec:\nbhnbh.exe84⤵
-
\??\c:\nhbtbh.exec:\nhbtbh.exe85⤵
-
\??\c:\5ddjj.exec:\5ddjj.exe86⤵
-
\??\c:\3dvdp.exec:\3dvdp.exe87⤵
-
\??\c:\fxflrxl.exec:\fxflrxl.exe88⤵
-
\??\c:\flxrrff.exec:\flxrrff.exe89⤵
-
\??\c:\tnhnhn.exec:\tnhnhn.exe90⤵
-
\??\c:\5hbthh.exec:\5hbthh.exe91⤵
-
\??\c:\nnbnhh.exec:\nnbnhh.exe92⤵
-
\??\c:\vvpjp.exec:\vvpjp.exe93⤵
-
\??\c:\1flxxlf.exec:\1flxxlf.exe94⤵
-
\??\c:\1frxfff.exec:\1frxfff.exe95⤵
-
\??\c:\1thhnn.exec:\1thhnn.exe96⤵
-
\??\c:\tntbbh.exec:\tntbbh.exe97⤵
-
\??\c:\pjjdp.exec:\pjjdp.exe98⤵
-
\??\c:\dvdjp.exec:\dvdjp.exe99⤵
-
\??\c:\1flrxxf.exec:\1flrxxf.exe100⤵
-
\??\c:\fxrfrrx.exec:\fxrfrrx.exe101⤵
-
\??\c:\7thtbb.exec:\7thtbb.exe102⤵
-
\??\c:\nnhtnn.exec:\nnhtnn.exe103⤵
-
\??\c:\dvppd.exec:\dvppd.exe104⤵
-
\??\c:\xrffllr.exec:\xrffllr.exe105⤵
-
\??\c:\xxxfxfr.exec:\xxxfxfr.exe106⤵
-
\??\c:\1rxfllr.exec:\1rxfllr.exe107⤵
-
\??\c:\5hhnbb.exec:\5hhnbb.exe108⤵
-
\??\c:\1hhnht.exec:\1hhnht.exe109⤵
-
\??\c:\jdvpv.exec:\jdvpv.exe110⤵
-
\??\c:\vppdd.exec:\vppdd.exe111⤵
-
\??\c:\7llxffl.exec:\7llxffl.exe112⤵
-
\??\c:\fflrlrf.exec:\fflrlrf.exe113⤵
-
\??\c:\7hhnhn.exec:\7hhnhn.exe114⤵
-
\??\c:\tntnnn.exec:\tntnnn.exe115⤵
-
\??\c:\vpjvv.exec:\vpjvv.exe116⤵
-
\??\c:\vpddj.exec:\vpddj.exe117⤵
-
\??\c:\1xlrxxr.exec:\1xlrxxr.exe118⤵
-
\??\c:\ffxrxlr.exec:\ffxrxlr.exe119⤵
-
\??\c:\1hnnnh.exec:\1hnnnh.exe120⤵
-
\??\c:\hbbhtb.exec:\hbbhtb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-