Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
04/10/2024, 02:01
General
-
Target
2cfa313a9ea62d51c562de2100bdfa7f30fda5c9c3adb8048b6ef1a01b8a1720N.exe
-
Size
67KB
-
MD5
8f5fb2f2a612d6da00c99116d1233d20
-
SHA1
1466354ad79d4c1920cc770b5c36b5353e512b27
-
SHA256
2cfa313a9ea62d51c562de2100bdfa7f30fda5c9c3adb8048b6ef1a01b8a1720
-
SHA512
98793ebe279c89cc1ad9630fe896dcf457f8b21eb625b5e57be8362d4581030e20523f00041278ac89c48b433e46517e4080c8f2697cc77bc5694ee0f14f903d
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Bqfs:ymb3NkkiQ3mdBjFI9cqfs
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2cfa313a9ea62d51c562de2100bdfa7f30fda5c9c3adb8048b6ef1a01b8a1720N.exe"C:\Users\Admin\AppData\Local\Temp\2cfa313a9ea62d51c562de2100bdfa7f30fda5c9c3adb8048b6ef1a01b8a1720N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\llxfrxr.exec:\llxfrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthhtt.exec:\tthhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthbhn.exec:\bthbhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvdp.exec:\vpvdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlllxxl.exec:\rlllxxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrffrlx.exec:\xrffrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bbnbb.exec:\9bbnbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjpj.exec:\jjjpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhhnb.exec:\nnhhnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvdp.exec:\pjvdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjpp.exec:\dvjpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9lrflrx.exec:\9lrflrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xxlllx.exec:\3xxlllx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnhth.exec:\hbnhth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjvp.exec:\jvjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpddp.exec:\vpddp.exe17⤵
- Executes dropped EXE
-
\??\c:\frffffl.exec:\frffffl.exe18⤵
- Executes dropped EXE
-
\??\c:\1ttnhn.exec:\1ttnhn.exe19⤵
- Executes dropped EXE
-
\??\c:\1nthnn.exec:\1nthnn.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\jdppd.exec:\jdppd.exe21⤵
- Executes dropped EXE
-
\??\c:\5vpvv.exec:\5vpvv.exe22⤵
- Executes dropped EXE
-
\??\c:\llflxlx.exec:\llflxlx.exe23⤵
- Executes dropped EXE
-
\??\c:\frllllr.exec:\frllllr.exe24⤵
- Executes dropped EXE
-
\??\c:\thbnht.exec:\thbnht.exe25⤵
- Executes dropped EXE
-
\??\c:\3bbnbh.exec:\3bbnbh.exe26⤵
- Executes dropped EXE
-
\??\c:\ddjpp.exec:\ddjpp.exe27⤵
- Executes dropped EXE
-
\??\c:\7ddjj.exec:\7ddjj.exe28⤵
- Executes dropped EXE
-
\??\c:\rlrlrfr.exec:\rlrlrfr.exe29⤵
- Executes dropped EXE
-
\??\c:\xffflxr.exec:\xffflxr.exe30⤵
- Executes dropped EXE
-
\??\c:\hhtthb.exec:\hhtthb.exe31⤵
- Executes dropped EXE
-
\??\c:\3btbhn.exec:\3btbhn.exe32⤵
- Executes dropped EXE
-
\??\c:\jjdjv.exec:\jjdjv.exe33⤵
- Executes dropped EXE
-
\??\c:\fxrrfrx.exec:\fxrrfrx.exe34⤵
- Executes dropped EXE
-
\??\c:\lxlxlrf.exec:\lxlxlrf.exe35⤵
- Executes dropped EXE
-
\??\c:\btnbtb.exec:\btnbtb.exe36⤵
- Executes dropped EXE
-
\??\c:\tthbbn.exec:\tthbbn.exe37⤵
- Executes dropped EXE
-
\??\c:\1dpjv.exec:\1dpjv.exe38⤵
- Executes dropped EXE
-
\??\c:\1dvvv.exec:\1dvvv.exe39⤵
- Executes dropped EXE
-
\??\c:\pdppv.exec:\pdppv.exe40⤵
- Executes dropped EXE
-
\??\c:\xxlrflr.exec:\xxlrflr.exe41⤵
- Executes dropped EXE
-
\??\c:\xlxlrff.exec:\xlxlrff.exe42⤵
- Executes dropped EXE
-
\??\c:\tnhhtt.exec:\tnhhtt.exe43⤵
- Executes dropped EXE
-
\??\c:\hbnbbh.exec:\hbnbbh.exe44⤵
- Executes dropped EXE
-
\??\c:\jdpvp.exec:\jdpvp.exe45⤵
- Executes dropped EXE
-
\??\c:\3vpdp.exec:\3vpdp.exe46⤵
- Executes dropped EXE
-
\??\c:\7rrrlrx.exec:\7rrrlrx.exe47⤵
- Executes dropped EXE
-
\??\c:\fxlrflr.exec:\fxlrflr.exe48⤵
- Executes dropped EXE
-
\??\c:\xxlrxfx.exec:\xxlrxfx.exe49⤵
- Executes dropped EXE
-
\??\c:\hhbnbh.exec:\hhbnbh.exe50⤵
- Executes dropped EXE
-
\??\c:\hbthnt.exec:\hbthnt.exe51⤵
- Executes dropped EXE
-
\??\c:\vpdpv.exec:\vpdpv.exe52⤵
- Executes dropped EXE
-
\??\c:\vjddj.exec:\vjddj.exe53⤵
- Executes dropped EXE
-
\??\c:\frllxfr.exec:\frllxfr.exe54⤵
- Executes dropped EXE
-
\??\c:\llrlllx.exec:\llrlllx.exe55⤵
- Executes dropped EXE
-
\??\c:\3hhhhb.exec:\3hhhhb.exe56⤵
- Executes dropped EXE
-
\??\c:\7ttnnn.exec:\7ttnnn.exe57⤵
- Executes dropped EXE
-
\??\c:\dpddd.exec:\dpddd.exe58⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe59⤵
- Executes dropped EXE
-
\??\c:\jdjjp.exec:\jdjjp.exe60⤵
- Executes dropped EXE
-
\??\c:\llflfxf.exec:\llflfxf.exe61⤵
- Executes dropped EXE
-
\??\c:\lfxffrf.exec:\lfxffrf.exe62⤵
- Executes dropped EXE
-
\??\c:\tnbtbb.exec:\tnbtbb.exe63⤵
- Executes dropped EXE
-
\??\c:\9nhnnn.exec:\9nhnnn.exe64⤵
- Executes dropped EXE
-
\??\c:\jvjpv.exec:\jvjpv.exe65⤵
- Executes dropped EXE
-
\??\c:\jdjpp.exec:\jdjpp.exe66⤵
-
\??\c:\rxlfxxx.exec:\rxlfxxx.exe67⤵
-
\??\c:\rlxrfrf.exec:\rlxrfrf.exe68⤵
-
\??\c:\5nhnnn.exec:\5nhnnn.exe69⤵
-
\??\c:\bthnbb.exec:\bthnbb.exe70⤵
-
\??\c:\vpvdp.exec:\vpvdp.exe71⤵
-
\??\c:\1pvvd.exec:\1pvvd.exe72⤵
-
\??\c:\3vjjd.exec:\3vjjd.exe73⤵
-
\??\c:\9lxlxlr.exec:\9lxlxlr.exe74⤵
-
\??\c:\xlllrrr.exec:\xlllrrr.exe75⤵
-
\??\c:\9dppd.exec:\9dppd.exe76⤵
-
\??\c:\pjjdj.exec:\pjjdj.exe77⤵
-
\??\c:\xrflxff.exec:\xrflxff.exe78⤵
-
\??\c:\rrxflfl.exec:\rrxflfl.exe79⤵
-
\??\c:\htbhnt.exec:\htbhnt.exe80⤵
-
\??\c:\tbhtht.exec:\tbhtht.exe81⤵
-
\??\c:\dpjjj.exec:\dpjjj.exe82⤵
-
\??\c:\pjpdp.exec:\pjpdp.exe83⤵
-
\??\c:\rrllrrf.exec:\rrllrrf.exe84⤵
-
\??\c:\xxrrxfr.exec:\xxrrxfr.exe85⤵
-
\??\c:\nhtbhn.exec:\nhtbhn.exe86⤵
-
\??\c:\nhhttn.exec:\nhhttn.exe87⤵
-
\??\c:\pjpjv.exec:\pjpjv.exe88⤵
-
\??\c:\3dvvj.exec:\3dvvj.exe89⤵
-
\??\c:\9vdjp.exec:\9vdjp.exe90⤵
-
\??\c:\xrfflfl.exec:\xrfflfl.exe91⤵
-
\??\c:\lfrfrxf.exec:\lfrfrxf.exe92⤵
-
\??\c:\tntthb.exec:\tntthb.exe93⤵
-
\??\c:\5hhhth.exec:\5hhhth.exe94⤵
-
\??\c:\7djjd.exec:\7djjd.exe95⤵
-
\??\c:\9pjdp.exec:\9pjdp.exe96⤵
-
\??\c:\pdpvv.exec:\pdpvv.exe97⤵
-
\??\c:\xrrrxlx.exec:\xrrrxlx.exe98⤵
-
\??\c:\5lrrxrx.exec:\5lrrxrx.exe99⤵
-
\??\c:\ttnbnt.exec:\ttnbnt.exe100⤵
-
\??\c:\hbbbhh.exec:\hbbbhh.exe101⤵
-
\??\c:\ppppj.exec:\ppppj.exe102⤵
-
\??\c:\jjvdv.exec:\jjvdv.exe103⤵
-
\??\c:\rffflfx.exec:\rffflfx.exe104⤵
-
\??\c:\7fxxffl.exec:\7fxxffl.exe105⤵
-
\??\c:\tnhthh.exec:\tnhthh.exe106⤵
-
\??\c:\nnbbhb.exec:\nnbbhb.exe107⤵
-
\??\c:\7nbhbn.exec:\7nbhbn.exe108⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe109⤵
-
\??\c:\9dpvv.exec:\9dpvv.exe110⤵
-
\??\c:\9rxxllx.exec:\9rxxllx.exe111⤵
-
\??\c:\rlxlflr.exec:\rlxlflr.exe112⤵
-
\??\c:\bbhbhn.exec:\bbhbhn.exe113⤵
-
\??\c:\bbnnnn.exec:\bbnnnn.exe114⤵
-
\??\c:\3jjjp.exec:\3jjjp.exe115⤵
-
\??\c:\vpdvj.exec:\vpdvj.exe116⤵
-
\??\c:\xrfrrrx.exec:\xrfrrrx.exe117⤵
-
\??\c:\rrfrrrf.exec:\rrfrrrf.exe118⤵
-
\??\c:\rfrfffr.exec:\rfrfffr.exe119⤵
-
\??\c:\bbtnbh.exec:\bbtnbh.exe120⤵
-
\??\c:\tnhbhh.exec:\tnhbhh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-