Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03/10/2024, 03:48
General
-
Target
be8c9a7f869aa36e2e182c6d95ab7e08cbfe93f4904ea0a3dea7db036ccae3c5N.exe
-
Size
106KB
-
MD5
2242ae4a33111e3f17801b2528169300
-
SHA1
3a16c47aeac70b4170ef5fc6e08e140bd3786bc7
-
SHA256
be8c9a7f869aa36e2e182c6d95ab7e08cbfe93f4904ea0a3dea7db036ccae3c5
-
SHA512
4608184fd314f226d52eb84d6eac49cf8cf943e29ef9dd698b95cb488d90b67a139021f565438c0945624d002c843a04cf9da0883dbe0bec9c23220fcbffbcd8
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KVT+buwUGu3P3CAZ:n3C9BRo7MlrWKVT+buBGu3Pl
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\be8c9a7f869aa36e2e182c6d95ab7e08cbfe93f4904ea0a3dea7db036ccae3c5N.exe"C:\Users\Admin\AppData\Local\Temp\be8c9a7f869aa36e2e182c6d95ab7e08cbfe93f4904ea0a3dea7db036ccae3c5N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7nnthh.exec:\7nnthh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdvd.exec:\dpdvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjj.exec:\vppjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxflxfr.exec:\fxflxfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllrlrr.exec:\rllrlrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtbtt.exec:\bbtbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppp.exec:\vjppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthbhh.exec:\hthbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7htttt.exec:\7htttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjvd.exec:\vpjvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxfllr.exec:\rlxfllr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhbhb.exec:\nbhbhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbhnb.exec:\btbhnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdjj.exec:\pjdjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrflrxf.exec:\xrflrxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxfllx.exec:\xrxfllx.exe17⤵
- Executes dropped EXE
-
\??\c:\hbbbnh.exec:\hbbbnh.exe18⤵
- Executes dropped EXE
-
\??\c:\jjdjv.exec:\jjdjv.exe19⤵
- Executes dropped EXE
-
\??\c:\xrlrxxf.exec:\xrlrxxf.exe20⤵
- Executes dropped EXE
-
\??\c:\3lfflrf.exec:\3lfflrf.exe21⤵
- Executes dropped EXE
-
\??\c:\bnbbbb.exec:\bnbbbb.exe22⤵
- Executes dropped EXE
-
\??\c:\7vpdj.exec:\7vpdj.exe23⤵
- Executes dropped EXE
-
\??\c:\9xrrxrf.exec:\9xrrxrf.exe24⤵
- Executes dropped EXE
-
\??\c:\5xxrxfl.exec:\5xxrxfl.exe25⤵
- Executes dropped EXE
-
\??\c:\7nbnhh.exec:\7nbnhh.exe26⤵
- Executes dropped EXE
-
\??\c:\hnbnbb.exec:\hnbnbb.exe27⤵
- Executes dropped EXE
-
\??\c:\ddppv.exec:\ddppv.exe28⤵
- Executes dropped EXE
-
\??\c:\ffxllrx.exec:\ffxllrx.exe29⤵
- Executes dropped EXE
-
\??\c:\nhthnt.exec:\nhthnt.exe30⤵
- Executes dropped EXE
-
\??\c:\3nbtnn.exec:\3nbtnn.exe31⤵
- Executes dropped EXE
-
\??\c:\jdpvp.exec:\jdpvp.exe32⤵
- Executes dropped EXE
-
\??\c:\dpdpd.exec:\dpdpd.exe33⤵
- Executes dropped EXE
-
\??\c:\9flrfrx.exec:\9flrfrx.exe34⤵
- Executes dropped EXE
-
\??\c:\hnnhhh.exec:\hnnhhh.exe35⤵
- Executes dropped EXE
-
\??\c:\btbbhn.exec:\btbbhn.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hbnntb.exec:\hbnntb.exe37⤵
- Executes dropped EXE
-
\??\c:\ddvjp.exec:\ddvjp.exe38⤵
- Executes dropped EXE
-
\??\c:\pjpdj.exec:\pjpdj.exe39⤵
- Executes dropped EXE
-
\??\c:\fxrfllx.exec:\fxrfllx.exe40⤵
- Executes dropped EXE
-
\??\c:\fxllrrx.exec:\fxllrrx.exe41⤵
- Executes dropped EXE
-
\??\c:\7hthhh.exec:\7hthhh.exe42⤵
- Executes dropped EXE
-
\??\c:\hhtbnh.exec:\hhtbnh.exe43⤵
- Executes dropped EXE
-
\??\c:\vvjvd.exec:\vvjvd.exe44⤵
- Executes dropped EXE
-
\??\c:\1pdjp.exec:\1pdjp.exe45⤵
- Executes dropped EXE
-
\??\c:\5rlxllr.exec:\5rlxllr.exe46⤵
- Executes dropped EXE
-
\??\c:\fxrlxxl.exec:\fxrlxxl.exe47⤵
- Executes dropped EXE
-
\??\c:\nnhtbh.exec:\nnhtbh.exe48⤵
- Executes dropped EXE
-
\??\c:\tnbhnn.exec:\tnbhnn.exe49⤵
- Executes dropped EXE
-
\??\c:\tnhhnt.exec:\tnhhnt.exe50⤵
- Executes dropped EXE
-
\??\c:\1jpdp.exec:\1jpdp.exe51⤵
- Executes dropped EXE
-
\??\c:\5jddp.exec:\5jddp.exe52⤵
- Executes dropped EXE
-
\??\c:\fxrrxfl.exec:\fxrrxfl.exe53⤵
- Executes dropped EXE
-
\??\c:\7xfxrfr.exec:\7xfxrfr.exe54⤵
- Executes dropped EXE
-
\??\c:\3rxlxfl.exec:\3rxlxfl.exe55⤵
- Executes dropped EXE
-
\??\c:\nnhtbb.exec:\nnhtbb.exe56⤵
- Executes dropped EXE
-
\??\c:\btbhhh.exec:\btbhhh.exe57⤵
- Executes dropped EXE
-
\??\c:\1vppp.exec:\1vppp.exe58⤵
- Executes dropped EXE
-
\??\c:\vpjvv.exec:\vpjvv.exe59⤵
- Executes dropped EXE
-
\??\c:\lfrrxxr.exec:\lfrrxxr.exe60⤵
- Executes dropped EXE
-
\??\c:\fxrflrl.exec:\fxrflrl.exe61⤵
- Executes dropped EXE
-
\??\c:\1nnhbn.exec:\1nnhbn.exe62⤵
- Executes dropped EXE
-
\??\c:\dvddp.exec:\dvddp.exe63⤵
- Executes dropped EXE
-
\??\c:\7jddd.exec:\7jddd.exe64⤵
- Executes dropped EXE
-
\??\c:\rfxlfll.exec:\rfxlfll.exe65⤵
- Executes dropped EXE
-
\??\c:\fxrfrxx.exec:\fxrfrxx.exe66⤵
-
\??\c:\3bnbbh.exec:\3bnbbh.exe67⤵
-
\??\c:\5hnbnb.exec:\5hnbnb.exe68⤵
-
\??\c:\vpvvv.exec:\vpvvv.exe69⤵
-
\??\c:\lfllrlx.exec:\lfllrlx.exe70⤵
-
\??\c:\1rxlrrf.exec:\1rxlrrf.exe71⤵
-
\??\c:\7tnntn.exec:\7tnntn.exe72⤵
-
\??\c:\nhtntt.exec:\nhtntt.exe73⤵
-
\??\c:\vpvdj.exec:\vpvdj.exe74⤵
-
\??\c:\vpvvd.exec:\vpvvd.exe75⤵
-
\??\c:\vpjpp.exec:\vpjpp.exe76⤵
-
\??\c:\fxrfflx.exec:\fxrfflx.exe77⤵
-
\??\c:\ffxxrrr.exec:\ffxxrrr.exe78⤵
-
\??\c:\nhbntt.exec:\nhbntt.exe79⤵
-
\??\c:\tntthh.exec:\tntthh.exe80⤵
-
\??\c:\pjdpp.exec:\pjdpp.exe81⤵
-
\??\c:\jdpvv.exec:\jdpvv.exe82⤵
-
\??\c:\5xlrxfx.exec:\5xlrxfx.exe83⤵
-
\??\c:\5llrxfl.exec:\5llrxfl.exe84⤵
-
\??\c:\ffxfrxl.exec:\ffxfrxl.exe85⤵
-
\??\c:\thtbhh.exec:\thtbhh.exe86⤵
-
\??\c:\tntbht.exec:\tntbht.exe87⤵
-
\??\c:\dddvv.exec:\dddvv.exe88⤵
-
\??\c:\5ppdj.exec:\5ppdj.exe89⤵
-
\??\c:\1fxfllr.exec:\1fxfllr.exe90⤵
-
\??\c:\lfllxxl.exec:\lfllxxl.exe91⤵
-
\??\c:\5tntbb.exec:\5tntbb.exe92⤵
-
\??\c:\tthnbh.exec:\tthnbh.exe93⤵
-
\??\c:\5vdvj.exec:\5vdvj.exe94⤵
-
\??\c:\vpddj.exec:\vpddj.exe95⤵
-
\??\c:\fxrfffl.exec:\fxrfffl.exe96⤵
-
\??\c:\rrxfxll.exec:\rrxfxll.exe97⤵
-
\??\c:\lfffxfr.exec:\lfffxfr.exe98⤵
-
\??\c:\ttnnbb.exec:\ttnnbb.exe99⤵
-
\??\c:\nhbntb.exec:\nhbntb.exe100⤵
-
\??\c:\tnbbbb.exec:\tnbbbb.exe101⤵
-
\??\c:\dvddj.exec:\dvddj.exe102⤵
-
\??\c:\ppddv.exec:\ppddv.exe103⤵
-
\??\c:\xrfllfl.exec:\xrfllfl.exe104⤵
-
\??\c:\lxllrrx.exec:\lxllrrx.exe105⤵
-
\??\c:\nnhtbh.exec:\nnhtbh.exe106⤵
-
\??\c:\1bhbhh.exec:\1bhbhh.exe107⤵
-
\??\c:\vpdpp.exec:\vpdpp.exe108⤵
-
\??\c:\pvdjv.exec:\pvdjv.exe109⤵
-
\??\c:\5ddvd.exec:\5ddvd.exe110⤵
-
\??\c:\rlxlxxl.exec:\rlxlxxl.exe111⤵
-
\??\c:\xlxfrrr.exec:\xlxfrrr.exe112⤵
-
\??\c:\7thbhh.exec:\7thbhh.exe113⤵
-
\??\c:\bbthnh.exec:\bbthnh.exe114⤵
-
\??\c:\jdppv.exec:\jdppv.exe115⤵
-
\??\c:\3dvdp.exec:\3dvdp.exe116⤵
-
\??\c:\ffxxflf.exec:\ffxxflf.exe117⤵
-
\??\c:\fxfllxl.exec:\fxfllxl.exe118⤵
-
\??\c:\3nthnt.exec:\3nthnt.exe119⤵
-
\??\c:\tthbhn.exec:\tthbhn.exe120⤵
-
\??\c:\5nbnnn.exec:\5nbnnn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-