Analysis
-
max time kernel
120s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05/10/2024, 12:11
General
-
Target
5b473ca2046c88e4c4dc071d106c403aeed6a41db2578cb55669d1e727ede51dN.exe
-
Size
70KB
-
MD5
8548bff631248a0a2d2ffd3b76d88c50
-
SHA1
acf97f0b02aa3d935e46eccbdd9cad97fe7fa7e0
-
SHA256
5b473ca2046c88e4c4dc071d106c403aeed6a41db2578cb55669d1e727ede51d
-
SHA512
71e3d29495ebc701403a354eace730ab6c477bafb027735d3cfeb8aa7eb093edd2bf6eda530a765207162d65a266b2d25d4b1d2b5babf297cbdbfb9606e0b8dc
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfUcicZfU:ymb3NkkiQ3mdBjFI4V4ciX
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b473ca2046c88e4c4dc071d106c403aeed6a41db2578cb55669d1e727ede51dN.exe"C:\Users\Admin\AppData\Local\Temp\5b473ca2046c88e4c4dc071d106c403aeed6a41db2578cb55669d1e727ede51dN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bpxhh.exec:\bpxhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bvhbv.exec:\bvhbv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxntd.exec:\frxntd.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\rrvvtn.exec:\rrvvtn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tpdfd.exec:\tpdfd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lvxhrfx.exec:\lvxhrfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xpvljn.exec:\xpvljn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flhhx.exec:\flhhx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfjrn.exec:\lfjrn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bjxjfpp.exec:\bjxjfpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rpdvfl.exec:\rpdvfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tlhbphf.exec:\tlhbphf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\npdfv.exec:\npdfv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bxvddnf.exec:\bxvddnf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tddljjv.exec:\tddljjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dfbld.exec:\dfbld.exe17⤵
- Executes dropped EXE
-
\??\c:\lhnftfx.exec:\lhnftfx.exe18⤵
- Executes dropped EXE
-
\??\c:\vpxpbrl.exec:\vpxpbrl.exe19⤵
- Executes dropped EXE
-
\??\c:\njrddn.exec:\njrddn.exe20⤵
- Executes dropped EXE
-
\??\c:\tbfhjf.exec:\tbfhjf.exe21⤵
- Executes dropped EXE
-
\??\c:\pfnltr.exec:\pfnltr.exe22⤵
- Executes dropped EXE
-
\??\c:\tlpjf.exec:\tlpjf.exe23⤵
- Executes dropped EXE
-
\??\c:\rnplnv.exec:\rnplnv.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xprlf.exec:\xprlf.exe25⤵
- Executes dropped EXE
-
\??\c:\lxdpxb.exec:\lxdpxb.exe26⤵
- Executes dropped EXE
-
\??\c:\ldnpb.exec:\ldnpb.exe27⤵
- Executes dropped EXE
-
\??\c:\hvxnxhp.exec:\hvxnxhp.exe28⤵
- Executes dropped EXE
-
\??\c:\prbxx.exec:\prbxx.exe29⤵
- Executes dropped EXE
-
\??\c:\jnhdjn.exec:\jnhdjn.exe30⤵
- Executes dropped EXE
-
\??\c:\rtdftl.exec:\rtdftl.exe31⤵
- Executes dropped EXE
-
\??\c:\rlpvh.exec:\rlpvh.exe32⤵
- Executes dropped EXE
-
\??\c:\bdnpj.exec:\bdnpj.exe33⤵
- Executes dropped EXE
-
\??\c:\jxxhh.exec:\jxxhh.exe34⤵
- Executes dropped EXE
-
\??\c:\jpdpjhb.exec:\jpdpjhb.exe35⤵
- Executes dropped EXE
-
\??\c:\tvvrrp.exec:\tvvrrp.exe36⤵
- Executes dropped EXE
-
\??\c:\dvvptn.exec:\dvvptn.exe37⤵
- Executes dropped EXE
-
\??\c:\tvpfvt.exec:\tvpfvt.exe38⤵
- Executes dropped EXE
-
\??\c:\fdttrjv.exec:\fdttrjv.exe39⤵
- Executes dropped EXE
-
\??\c:\lfptlv.exec:\lfptlv.exe40⤵
- Executes dropped EXE
-
\??\c:\ftptnv.exec:\ftptnv.exe41⤵
- Executes dropped EXE
-
\??\c:\lttrbl.exec:\lttrbl.exe42⤵
- Executes dropped EXE
-
\??\c:\thhlf.exec:\thhlf.exe43⤵
- Executes dropped EXE
-
\??\c:\hphlt.exec:\hphlt.exe44⤵
- Executes dropped EXE
-
\??\c:\tjxthtp.exec:\tjxthtp.exe45⤵
- Executes dropped EXE
-
\??\c:\jhdjh.exec:\jhdjh.exe46⤵
- Executes dropped EXE
-
\??\c:\lxrplbl.exec:\lxrplbl.exe47⤵
- Executes dropped EXE
-
\??\c:\xfnjnxr.exec:\xfnjnxr.exe48⤵
- Executes dropped EXE
-
\??\c:\bnpfjnf.exec:\bnpfjnf.exe49⤵
- Executes dropped EXE
-
\??\c:\fxxnvh.exec:\fxxnvh.exe50⤵
- Executes dropped EXE
-
\??\c:\ldtpb.exec:\ldtpb.exe51⤵
- Executes dropped EXE
-
\??\c:\tvxvnbx.exec:\tvxvnbx.exe52⤵
- Executes dropped EXE
-
\??\c:\btplfjn.exec:\btplfjn.exe53⤵
- Executes dropped EXE
-
\??\c:\vldtjx.exec:\vldtjx.exe54⤵
- Executes dropped EXE
-
\??\c:\ljjnhh.exec:\ljjnhh.exe55⤵
- Executes dropped EXE
-
\??\c:\ldfjbn.exec:\ldfjbn.exe56⤵
- Executes dropped EXE
-
\??\c:\njrrl.exec:\njrrl.exe57⤵
- Executes dropped EXE
-
\??\c:\hdjpvth.exec:\hdjpvth.exe58⤵
- Executes dropped EXE
-
\??\c:\rjlrxv.exec:\rjlrxv.exe59⤵
- Executes dropped EXE
-
\??\c:\jltlrv.exec:\jltlrv.exe60⤵
- Executes dropped EXE
-
\??\c:\nlnrlrh.exec:\nlnrlrh.exe61⤵
- Executes dropped EXE
-
\??\c:\phxhp.exec:\phxhp.exe62⤵
- Executes dropped EXE
-
\??\c:\jxrjdx.exec:\jxrjdx.exe63⤵
- Executes dropped EXE
-
\??\c:\hftbr.exec:\hftbr.exe64⤵
- Executes dropped EXE
-
\??\c:\jrfdtd.exec:\jrfdtd.exe65⤵
- Executes dropped EXE
-
\??\c:\hbdjljp.exec:\hbdjljp.exe66⤵
-
\??\c:\xbnxb.exec:\xbnxb.exe67⤵
-
\??\c:\nddxpfj.exec:\nddxpfj.exe68⤵
-
\??\c:\hrbrllr.exec:\hrbrllr.exe69⤵
-
\??\c:\ldfdrfn.exec:\ldfdrfn.exe70⤵
-
\??\c:\nphvrrf.exec:\nphvrrf.exe71⤵
-
\??\c:\vdjpxtr.exec:\vdjpxtr.exe72⤵
-
\??\c:\rrnthrt.exec:\rrnthrt.exe73⤵
- System Location Discovery: System Language Discovery
-
\??\c:\tdvdr.exec:\tdvdr.exe74⤵
-
\??\c:\tvtbf.exec:\tvtbf.exe75⤵
- System Location Discovery: System Language Discovery
-
\??\c:\ppxdv.exec:\ppxdv.exe76⤵
-
\??\c:\xttbfpx.exec:\xttbfpx.exe77⤵
-
\??\c:\lplth.exec:\lplth.exe78⤵
-
\??\c:\jphbb.exec:\jphbb.exe79⤵
-
\??\c:\ndhvxf.exec:\ndhvxf.exe80⤵
-
\??\c:\hhvld.exec:\hhvld.exe81⤵
-
\??\c:\rbxrh.exec:\rbxrh.exe82⤵
-
\??\c:\blrlxb.exec:\blrlxb.exe83⤵
-
\??\c:\xnpnlj.exec:\xnpnlj.exe84⤵
-
\??\c:\rthvh.exec:\rthvh.exe85⤵
-
\??\c:\lllbvph.exec:\lllbvph.exe86⤵
-
\??\c:\xdtht.exec:\xdtht.exe87⤵
-
\??\c:\bvdrf.exec:\bvdrf.exe88⤵
-
\??\c:\frdrfh.exec:\frdrfh.exe89⤵
-
\??\c:\xbpjhjl.exec:\xbpjhjl.exe90⤵
-
\??\c:\xppfhjb.exec:\xppfhjb.exe91⤵
-
\??\c:\rlbfjr.exec:\rlbfjr.exe92⤵
-
\??\c:\plvjtld.exec:\plvjtld.exe93⤵
-
\??\c:\ftthbj.exec:\ftthbj.exe94⤵
-
\??\c:\rlpnbb.exec:\rlpnbb.exe95⤵
-
\??\c:\tlhfvt.exec:\tlhfvt.exe96⤵
-
\??\c:\nffthjt.exec:\nffthjt.exe97⤵
-
\??\c:\rlnjbp.exec:\rlnjbp.exe98⤵
-
\??\c:\tfndvfx.exec:\tfndvfx.exe99⤵
-
\??\c:\xtpphl.exec:\xtpphl.exe100⤵
-
\??\c:\brtpnx.exec:\brtpnx.exe101⤵
-
\??\c:\xrtfh.exec:\xrtfh.exe102⤵
-
\??\c:\vvppp.exec:\vvppp.exe103⤵
-
\??\c:\tthhb.exec:\tthhb.exe104⤵
-
\??\c:\hrldp.exec:\hrldp.exe105⤵
-
\??\c:\ltrvthd.exec:\ltrvthd.exe106⤵
-
\??\c:\fbfxnxp.exec:\fbfxnxp.exe107⤵
-
\??\c:\fxbpf.exec:\fxbpf.exe108⤵
-
\??\c:\rtxdp.exec:\rtxdp.exe109⤵
-
\??\c:\rvndhl.exec:\rvndhl.exe110⤵
-
\??\c:\rrhvrd.exec:\rrhvrd.exe111⤵
-
\??\c:\hnrrd.exec:\hnrrd.exe112⤵
-
\??\c:\jlfhxt.exec:\jlfhxt.exe113⤵
-
\??\c:\rvbffp.exec:\rvbffp.exe114⤵
-
\??\c:\rpvfbt.exec:\rpvfbt.exe115⤵
-
\??\c:\ttjphhd.exec:\ttjphhd.exe116⤵
-
\??\c:\htbfbxf.exec:\htbfbxf.exe117⤵
-
\??\c:\vxbvlt.exec:\vxbvlt.exe118⤵
-
\??\c:\pbtlfpv.exec:\pbtlfpv.exe119⤵
-
\??\c:\rrhbfr.exec:\rrhbfr.exe120⤵
-
\??\c:\bpvnvx.exec:\bpvnvx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-