Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03/10/2024, 20:52
General
-
Target
3dab17bc0bb02f5f9bc138c56d54f56031aa8a0c2b506fb4ba8c9488f20393aeN.exe
-
Size
83KB
-
MD5
b0ab1ee4cd818725627c95b1a0cab400
-
SHA1
a3d8462758368fa6999e1f3dd865b2501da52b7d
-
SHA256
3dab17bc0bb02f5f9bc138c56d54f56031aa8a0c2b506fb4ba8c9488f20393ae
-
SHA512
5163f2c9ba01f0d2db8576447e98c1f36a38c8c59040d4db468ac763835172ba083f88b2cd38f529a18e2f5fb5fb327c1a564cbd2ce3170b85e7a471e7b28137
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89QZ:ymb3NkkiQ3mdBjFIIp9L9QrrA8o
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3dab17bc0bb02f5f9bc138c56d54f56031aa8a0c2b506fb4ba8c9488f20393aeN.exe"C:\Users\Admin\AppData\Local\Temp\3dab17bc0bb02f5f9bc138c56d54f56031aa8a0c2b506fb4ba8c9488f20393aeN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\9tnntb.exec:\9tnntb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ddpv.exec:\1ddpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdjd.exec:\pjdjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxxffl.exec:\lfxxffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7dvjd.exec:\7dvjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1frxllr.exec:\1frxllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnttnb.exec:\nnttnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjpv.exec:\dpjpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxxffr.exec:\lfxxffr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbnnh.exec:\tbbnnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpddd.exec:\vpddd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxlxxr.exec:\xxxlxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxxllr.exec:\lfxxllr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtbtb.exec:\thtbtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nhtnh.exec:\3nhtnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ppdj.exec:\3ppdj.exe17⤵
- Executes dropped EXE
-
\??\c:\ffxfllx.exec:\ffxfllx.exe18⤵
- Executes dropped EXE
-
\??\c:\5tnhnt.exec:\5tnhnt.exe19⤵
- Executes dropped EXE
-
\??\c:\nhthnn.exec:\nhthnn.exe20⤵
- Executes dropped EXE
-
\??\c:\ddvdv.exec:\ddvdv.exe21⤵
- Executes dropped EXE
-
\??\c:\7pddp.exec:\7pddp.exe22⤵
- Executes dropped EXE
-
\??\c:\flxflrf.exec:\flxflrf.exe23⤵
- Executes dropped EXE
-
\??\c:\1tnbhh.exec:\1tnbhh.exe24⤵
- Executes dropped EXE
-
\??\c:\jvddp.exec:\jvddp.exe25⤵
- Executes dropped EXE
-
\??\c:\vpvjd.exec:\vpvjd.exe26⤵
- Executes dropped EXE
-
\??\c:\rfxrrfl.exec:\rfxrrfl.exe27⤵
- Executes dropped EXE
-
\??\c:\hhhnhn.exec:\hhhnhn.exe28⤵
- Executes dropped EXE
-
\??\c:\ppvdj.exec:\ppvdj.exe29⤵
- Executes dropped EXE
-
\??\c:\1ddjd.exec:\1ddjd.exe30⤵
- Executes dropped EXE
-
\??\c:\lfxlxfr.exec:\lfxlxfr.exe31⤵
- Executes dropped EXE
-
\??\c:\xrlrxxr.exec:\xrlrxxr.exe32⤵
- Executes dropped EXE
-
\??\c:\tbbhtt.exec:\tbbhtt.exe33⤵
- Executes dropped EXE
-
\??\c:\ppdvj.exec:\ppdvj.exe34⤵
- Executes dropped EXE
-
\??\c:\vpjpp.exec:\vpjpp.exe35⤵
- Executes dropped EXE
-
\??\c:\llffflr.exec:\llffflr.exe36⤵
- Executes dropped EXE
-
\??\c:\rrxxffx.exec:\rrxxffx.exe37⤵
- Executes dropped EXE
-
\??\c:\3htbnn.exec:\3htbnn.exe38⤵
- Executes dropped EXE
-
\??\c:\nhnnnt.exec:\nhnnnt.exe39⤵
- Executes dropped EXE
-
\??\c:\ddvvj.exec:\ddvvj.exe40⤵
- Executes dropped EXE
-
\??\c:\jjdpj.exec:\jjdpj.exe41⤵
- Executes dropped EXE
-
\??\c:\rlxxflr.exec:\rlxxflr.exe42⤵
- Executes dropped EXE
-
\??\c:\9rlrrll.exec:\9rlrrll.exe43⤵
- Executes dropped EXE
-
\??\c:\tnbhtb.exec:\tnbhtb.exe44⤵
- Executes dropped EXE
-
\??\c:\nhnnbb.exec:\nhnnbb.exe45⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe46⤵
- Executes dropped EXE
-
\??\c:\vpjpp.exec:\vpjpp.exe47⤵
- Executes dropped EXE
-
\??\c:\xxxfrlf.exec:\xxxfrlf.exe48⤵
- Executes dropped EXE
-
\??\c:\rrflxxf.exec:\rrflxxf.exe49⤵
- Executes dropped EXE
-
\??\c:\tntbnt.exec:\tntbnt.exe50⤵
- Executes dropped EXE
-
\??\c:\3bhtbh.exec:\3bhtbh.exe51⤵
- Executes dropped EXE
-
\??\c:\3jjpv.exec:\3jjpv.exe52⤵
- Executes dropped EXE
-
\??\c:\vvdjp.exec:\vvdjp.exe53⤵
- Executes dropped EXE
-
\??\c:\1rfrxxl.exec:\1rfrxxl.exe54⤵
- Executes dropped EXE
-
\??\c:\nnbhnn.exec:\nnbhnn.exe55⤵
- Executes dropped EXE
-
\??\c:\hbnntb.exec:\hbnntb.exe56⤵
- Executes dropped EXE
-
\??\c:\1dppp.exec:\1dppp.exe57⤵
- Executes dropped EXE
-
\??\c:\5jdjp.exec:\5jdjp.exe58⤵
- Executes dropped EXE
-
\??\c:\xrfxllx.exec:\xrfxllx.exe59⤵
- Executes dropped EXE
-
\??\c:\xxrlxfl.exec:\xxrlxfl.exe60⤵
- Executes dropped EXE
-
\??\c:\tntthn.exec:\tntthn.exe61⤵
- Executes dropped EXE
-
\??\c:\ttnttt.exec:\ttnttt.exe62⤵
- Executes dropped EXE
-
\??\c:\3pjpv.exec:\3pjpv.exe63⤵
- Executes dropped EXE
-
\??\c:\ddvjv.exec:\ddvjv.exe64⤵
- Executes dropped EXE
-
\??\c:\fxlfrxl.exec:\fxlfrxl.exe65⤵
- Executes dropped EXE
-
\??\c:\xrrlxxf.exec:\xrrlxxf.exe66⤵
-
\??\c:\7hbhhn.exec:\7hbhhn.exe67⤵
-
\??\c:\5btbnb.exec:\5btbnb.exe68⤵
-
\??\c:\djdvp.exec:\djdvp.exe69⤵
-
\??\c:\rlrrxxl.exec:\rlrrxxl.exe70⤵
-
\??\c:\3rrfllr.exec:\3rrfllr.exe71⤵
-
\??\c:\1hbhtt.exec:\1hbhtt.exe72⤵
-
\??\c:\ttnbhh.exec:\ttnbhh.exe73⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe74⤵
-
\??\c:\9jdjv.exec:\9jdjv.exe75⤵
-
\??\c:\lflrlrf.exec:\lflrlrf.exe76⤵
-
\??\c:\llfxflr.exec:\llfxflr.exe77⤵
-
\??\c:\1nnbnt.exec:\1nnbnt.exe78⤵
-
\??\c:\btnthh.exec:\btnthh.exe79⤵
-
\??\c:\hhbnbh.exec:\hhbnbh.exe80⤵
-
\??\c:\dpddv.exec:\dpddv.exe81⤵
-
\??\c:\7ppjp.exec:\7ppjp.exe82⤵
-
\??\c:\lfrrflr.exec:\lfrrflr.exe83⤵
-
\??\c:\fxlrffl.exec:\fxlrffl.exe84⤵
-
\??\c:\1nhtnn.exec:\1nhtnn.exe85⤵
-
\??\c:\bthnth.exec:\bthnth.exe86⤵
-
\??\c:\vvpvj.exec:\vvpvj.exe87⤵
-
\??\c:\5jddj.exec:\5jddj.exe88⤵
-
\??\c:\5xxxffl.exec:\5xxxffl.exe89⤵
-
\??\c:\1xffrrf.exec:\1xffrrf.exe90⤵
-
\??\c:\5hbnbh.exec:\5hbnbh.exe91⤵
-
\??\c:\hhthhh.exec:\hhthhh.exe92⤵
-
\??\c:\9pjdj.exec:\9pjdj.exe93⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe94⤵
-
\??\c:\llffxfr.exec:\llffxfr.exe95⤵
-
\??\c:\rrlrxfl.exec:\rrlrxfl.exe96⤵
-
\??\c:\rrfrxlr.exec:\rrfrxlr.exe97⤵
-
\??\c:\bbtbtt.exec:\bbtbtt.exe98⤵
-
\??\c:\5vdvd.exec:\5vdvd.exe99⤵
-
\??\c:\vdjdd.exec:\vdjdd.exe100⤵
-
\??\c:\fffrfrl.exec:\fffrfrl.exe101⤵
-
\??\c:\lflfllf.exec:\lflfllf.exe102⤵
-
\??\c:\fxlrxfr.exec:\fxlrxfr.exe103⤵
-
\??\c:\nnhthh.exec:\nnhthh.exe104⤵
-
\??\c:\nbhhnh.exec:\nbhhnh.exe105⤵
-
\??\c:\jvvjd.exec:\jvvjd.exe106⤵
-
\??\c:\vpppv.exec:\vpppv.exe107⤵
-
\??\c:\lllxfrx.exec:\lllxfrx.exe108⤵
-
\??\c:\9lxlfxx.exec:\9lxlfxx.exe109⤵
-
\??\c:\3thntb.exec:\3thntb.exe110⤵
-
\??\c:\5pjpv.exec:\5pjpv.exe111⤵
-
\??\c:\vddvv.exec:\vddvv.exe112⤵
-
\??\c:\xrxrrxf.exec:\xrxrrxf.exe113⤵
-
\??\c:\5rllxxl.exec:\5rllxxl.exe114⤵
-
\??\c:\tbnhht.exec:\tbnhht.exe115⤵
-
\??\c:\7hbhnt.exec:\7hbhnt.exe116⤵
-
\??\c:\jjpjp.exec:\jjpjp.exe117⤵
-
\??\c:\jjvvd.exec:\jjvvd.exe118⤵
-
\??\c:\7rlrrrf.exec:\7rlrrrf.exe119⤵
-
\??\c:\llrxlfr.exec:\llrxlfr.exe120⤵
-
\??\c:\bttbht.exec:\bttbht.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-