Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04/10/2024, 14:33
General
-
Target
34cd672e54339a4a2c79262c5b0d5f24007c21f182bd9ced0156cf3769aab32aN.exe
-
Size
71KB
-
MD5
bba6b33503cf622e8ffe8b51811ee5e0
-
SHA1
55fd0c95382bce6c3fd2f8993034639d114a683f
-
SHA256
34cd672e54339a4a2c79262c5b0d5f24007c21f182bd9ced0156cf3769aab32a
-
SHA512
c5c428c02c6a3f29e91e4cff5a414440fa03d44413468a2ef148f25deb4fe1e7ad50bebb086a8f3571775f846cbab8cec93c23c98498d5697ab2acf5d6e2ca14
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjj:ymb3NkkiQ3mdBjFI4Vz
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\34cd672e54339a4a2c79262c5b0d5f24007c21f182bd9ced0156cf3769aab32aN.exe"C:\Users\Admin\AppData\Local\Temp\34cd672e54339a4a2c79262c5b0d5f24007c21f182bd9ced0156cf3769aab32aN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhbhh.exec:\tnhbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1dvvv.exec:\1dvvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjvp.exec:\ddjvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxxfr.exec:\rfxxxfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnnbb.exec:\thnnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ppdj.exec:\5ppdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfffxf.exec:\frfffxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnntt.exec:\thnntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvp.exec:\pjvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllrlx.exec:\fxllrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nntth.exec:\9nntth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjjj.exec:\pdjjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpddj.exec:\dpddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfffll.exec:\xlfffll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlrfxr.exec:\xrlrfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbnnnh.exec:\tbnnnh.exe17⤵
- Executes dropped EXE
-
\??\c:\5hnnnb.exec:\5hnnnb.exe18⤵
- Executes dropped EXE
-
\??\c:\dpvpv.exec:\dpvpv.exe19⤵
- Executes dropped EXE
-
\??\c:\lfrfrlr.exec:\lfrfrlr.exe20⤵
- Executes dropped EXE
-
\??\c:\rfllxxx.exec:\rfllxxx.exe21⤵
- Executes dropped EXE
-
\??\c:\1hbtnh.exec:\1hbtnh.exe22⤵
- Executes dropped EXE
-
\??\c:\5pvdd.exec:\5pvdd.exe23⤵
- Executes dropped EXE
-
\??\c:\1jpjp.exec:\1jpjp.exe24⤵
- Executes dropped EXE
-
\??\c:\jvdvd.exec:\jvdvd.exe25⤵
- Executes dropped EXE
-
\??\c:\lfxrlll.exec:\lfxrlll.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\5nbbhh.exec:\5nbbhh.exe27⤵
- Executes dropped EXE
-
\??\c:\bnhtnn.exec:\bnhtnn.exe28⤵
- Executes dropped EXE
-
\??\c:\vpjvp.exec:\vpjvp.exe29⤵
- Executes dropped EXE
-
\??\c:\frxrfff.exec:\frxrfff.exe30⤵
- Executes dropped EXE
-
\??\c:\rxxxxxr.exec:\rxxxxxr.exe31⤵
- Executes dropped EXE
-
\??\c:\tbhnnh.exec:\tbhnnh.exe32⤵
- Executes dropped EXE
-
\??\c:\vjpdj.exec:\vjpdj.exe33⤵
- Executes dropped EXE
-
\??\c:\9pjpd.exec:\9pjpd.exe34⤵
- Executes dropped EXE
-
\??\c:\lrflfff.exec:\lrflfff.exe35⤵
- Executes dropped EXE
-
\??\c:\frxrrrf.exec:\frxrrrf.exe36⤵
- Executes dropped EXE
-
\??\c:\hthhnh.exec:\hthhnh.exe37⤵
- Executes dropped EXE
-
\??\c:\hbnnnh.exec:\hbnnnh.exe38⤵
- Executes dropped EXE
-
\??\c:\nbhtnb.exec:\nbhtnb.exe39⤵
- Executes dropped EXE
-
\??\c:\jvdvd.exec:\jvdvd.exe40⤵
- Executes dropped EXE
-
\??\c:\5pddp.exec:\5pddp.exe41⤵
- Executes dropped EXE
-
\??\c:\xlxlrlr.exec:\xlxlrlr.exe42⤵
- Executes dropped EXE
-
\??\c:\xlxxxxl.exec:\xlxxxxl.exe43⤵
- Executes dropped EXE
-
\??\c:\1bttbb.exec:\1bttbb.exe44⤵
- Executes dropped EXE
-
\??\c:\7bnnhb.exec:\7bnnhb.exe45⤵
- Executes dropped EXE
-
\??\c:\vpddd.exec:\vpddd.exe46⤵
- Executes dropped EXE
-
\??\c:\9dvpp.exec:\9dvpp.exe47⤵
- Executes dropped EXE
-
\??\c:\3lxxxxf.exec:\3lxxxxf.exe48⤵
- Executes dropped EXE
-
\??\c:\frllxxf.exec:\frllxxf.exe49⤵
- Executes dropped EXE
-
\??\c:\nbhthh.exec:\nbhthh.exe50⤵
- Executes dropped EXE
-
\??\c:\nbhnhh.exec:\nbhnhh.exe51⤵
- Executes dropped EXE
-
\??\c:\7nnttn.exec:\7nnttn.exe52⤵
- Executes dropped EXE
-
\??\c:\5pddd.exec:\5pddd.exe53⤵
- Executes dropped EXE
-
\??\c:\vjvjd.exec:\vjvjd.exe54⤵
- Executes dropped EXE
-
\??\c:\xflfffx.exec:\xflfffx.exe55⤵
- Executes dropped EXE
-
\??\c:\5flxffl.exec:\5flxffl.exe56⤵
- Executes dropped EXE
-
\??\c:\nhnhtt.exec:\nhnhtt.exe57⤵
- Executes dropped EXE
-
\??\c:\thnnhh.exec:\thnnhh.exe58⤵
- Executes dropped EXE
-
\??\c:\dpvvd.exec:\dpvvd.exe59⤵
- Executes dropped EXE
-
\??\c:\jdjjj.exec:\jdjjj.exe60⤵
- Executes dropped EXE
-
\??\c:\7xffllx.exec:\7xffllx.exe61⤵
- Executes dropped EXE
-
\??\c:\xlrllfl.exec:\xlrllfl.exe62⤵
- Executes dropped EXE
-
\??\c:\1tbttn.exec:\1tbttn.exe63⤵
- Executes dropped EXE
-
\??\c:\thnhnn.exec:\thnhnn.exe64⤵
- Executes dropped EXE
-
\??\c:\5pvvj.exec:\5pvvj.exe65⤵
- Executes dropped EXE
-
\??\c:\pdvvd.exec:\pdvvd.exe66⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe67⤵
-
\??\c:\lffxlll.exec:\lffxlll.exe68⤵
-
\??\c:\jdddd.exec:\jdddd.exe69⤵
-
\??\c:\pjddj.exec:\pjddj.exe70⤵
-
\??\c:\5pddj.exec:\5pddj.exe71⤵
-
\??\c:\5lrrxrx.exec:\5lrrxrx.exe72⤵
-
\??\c:\rfxflrf.exec:\rfxflrf.exe73⤵
-
\??\c:\nhhbhh.exec:\nhhbhh.exe74⤵
-
\??\c:\9bnhnb.exec:\9bnhnb.exe75⤵
-
\??\c:\7vjjp.exec:\7vjjp.exe76⤵
-
\??\c:\vpddj.exec:\vpddj.exe77⤵
-
\??\c:\jvpjj.exec:\jvpjj.exe78⤵
-
\??\c:\xrxrfll.exec:\xrxrfll.exe79⤵
-
\??\c:\xlxffrx.exec:\xlxffrx.exe80⤵
-
\??\c:\tnhhbb.exec:\tnhhbb.exe81⤵
-
\??\c:\htttbt.exec:\htttbt.exe82⤵
-
\??\c:\pjppp.exec:\pjppp.exe83⤵
-
\??\c:\1jpdd.exec:\1jpdd.exe84⤵
-
\??\c:\frxffxf.exec:\frxffxf.exe85⤵
-
\??\c:\7rxfxrr.exec:\7rxfxrr.exe86⤵
-
\??\c:\hbnntb.exec:\hbnntb.exe87⤵
-
\??\c:\tthhnh.exec:\tthhnh.exe88⤵
-
\??\c:\thhhnn.exec:\thhhnn.exe89⤵
-
\??\c:\vpdjp.exec:\vpdjp.exe90⤵
-
\??\c:\5dvdj.exec:\5dvdj.exe91⤵
-
\??\c:\ffflrrx.exec:\ffflrrx.exe92⤵
-
\??\c:\1lfxrxx.exec:\1lfxrxx.exe93⤵
-
\??\c:\nbbbbh.exec:\nbbbbh.exe94⤵
-
\??\c:\5tnbht.exec:\5tnbht.exe95⤵
-
\??\c:\pdvvv.exec:\pdvvv.exe96⤵
-
\??\c:\jdppp.exec:\jdppp.exe97⤵
-
\??\c:\frfxxrx.exec:\frfxxrx.exe98⤵
-
\??\c:\bnntbh.exec:\bnntbh.exe99⤵
-
\??\c:\tnnntt.exec:\tnnntt.exe100⤵
-
\??\c:\1jjjj.exec:\1jjjj.exe101⤵
-
\??\c:\jdddp.exec:\jdddp.exe102⤵
-
\??\c:\7rllllx.exec:\7rllllx.exe103⤵
-
\??\c:\5lfxllr.exec:\5lfxllr.exe104⤵
-
\??\c:\ntnhnt.exec:\ntnhnt.exe105⤵
-
\??\c:\htbhbh.exec:\htbhbh.exe106⤵
-
\??\c:\jpppd.exec:\jpppd.exe107⤵
-
\??\c:\rlxxflr.exec:\rlxxflr.exe108⤵
-
\??\c:\hbtttb.exec:\hbtttb.exe109⤵
-
\??\c:\7jvdd.exec:\7jvdd.exe110⤵
-
\??\c:\5rxxxlx.exec:\5rxxxlx.exe111⤵
-
\??\c:\bbbnbn.exec:\bbbnbn.exe112⤵
-
\??\c:\1tntnb.exec:\1tntnb.exe113⤵
-
\??\c:\3jdjp.exec:\3jdjp.exe114⤵
-
\??\c:\rxrlxrr.exec:\rxrlxrr.exe115⤵
-
\??\c:\5btthn.exec:\5btthn.exe116⤵
-
\??\c:\jpvjd.exec:\jpvjd.exe117⤵
-
\??\c:\jdjjj.exec:\jdjjj.exe118⤵
-
\??\c:\xrrrlfl.exec:\xrrrlfl.exe119⤵
-
\??\c:\hhnbbn.exec:\hhnbbn.exe120⤵
-
\??\c:\jjpdd.exec:\jjpdd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-