Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
08/10/2024, 23:04
General
-
Target
d8c8f990cd27c40557f1ce64d25953e71b2852fe989d05388eca5d90d758d75aN.exe
-
Size
69KB
-
MD5
fbfbda2474ee80121cc7b0eea7ddb270
-
SHA1
b784745c56916fb0104a904b96e071598d66243f
-
SHA256
d8c8f990cd27c40557f1ce64d25953e71b2852fe989d05388eca5d90d758d75a
-
SHA512
319fc54fb9458b85ce55f8ee5aeb5433021668c9c5492fefffb7936b12c3cf113469c930f3afb0f23860d64d5791ed1f478369d2df7447823bba32995f58e19b
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUuYp+5C8+LuvdLW:ymb3NkkiQ3mdBjF0yMlia
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8c8f990cd27c40557f1ce64d25953e71b2852fe989d05388eca5d90d758d75aN.exe"C:\Users\Admin\AppData\Local\Temp\d8c8f990cd27c40557f1ce64d25953e71b2852fe989d05388eca5d90d758d75aN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\djjvv.exec:\djjvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vjdd.exec:\5vjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbtnb.exec:\bbbtnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jjdd.exec:\9jjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7pjjp.exec:\7pjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxflrl.exec:\xxxflrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbtbtb.exec:\nbtbtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjjd.exec:\dpjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vpjp.exec:\5vpjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrfrfr.exec:\rfrfrfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthhnn.exec:\bthhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdjd.exec:\jvdjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvpp.exec:\jdvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfrflx.exec:\xrfrflx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnbhh.exec:\nhnbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhhn.exec:\nhbhhn.exe17⤵
- Executes dropped EXE
-
\??\c:\1vdpp.exec:\1vdpp.exe18⤵
- Executes dropped EXE
-
\??\c:\lfrxllx.exec:\lfrxllx.exe19⤵
- Executes dropped EXE
-
\??\c:\rlxlrxl.exec:\rlxlrxl.exe20⤵
- Executes dropped EXE
-
\??\c:\nhttbh.exec:\nhttbh.exe21⤵
- Executes dropped EXE
-
\??\c:\3bnnhb.exec:\3bnnhb.exe22⤵
- Executes dropped EXE
-
\??\c:\ddvpd.exec:\ddvpd.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\lxrrrrx.exec:\lxrrrrx.exe24⤵
- Executes dropped EXE
-
\??\c:\5bnnbb.exec:\5bnnbb.exe25⤵
- Executes dropped EXE
-
\??\c:\hhntbt.exec:\hhntbt.exe26⤵
- Executes dropped EXE
-
\??\c:\vvddj.exec:\vvddj.exe27⤵
- Executes dropped EXE
-
\??\c:\vppjj.exec:\vppjj.exe28⤵
- Executes dropped EXE
-
\??\c:\9xxlxfr.exec:\9xxlxfr.exe29⤵
- Executes dropped EXE
-
\??\c:\nhbhbb.exec:\nhbhbb.exe30⤵
- Executes dropped EXE
-
\??\c:\vvjvj.exec:\vvjvj.exe31⤵
- Executes dropped EXE
-
\??\c:\9vjpd.exec:\9vjpd.exe32⤵
-
\??\c:\pjjjd.exec:\pjjjd.exe33⤵
- Executes dropped EXE
-
\??\c:\tnnttn.exec:\tnnttn.exe34⤵
- Executes dropped EXE
-
\??\c:\9hntbt.exec:\9hntbt.exe35⤵
- Executes dropped EXE
-
\??\c:\vjppp.exec:\vjppp.exe36⤵
- Executes dropped EXE
-
\??\c:\dvjjj.exec:\dvjjj.exe37⤵
- Executes dropped EXE
-
\??\c:\rflffxl.exec:\rflffxl.exe38⤵
- Executes dropped EXE
-
\??\c:\9nthhb.exec:\9nthhb.exe39⤵
- Executes dropped EXE
-
\??\c:\nttbhh.exec:\nttbhh.exe40⤵
- Executes dropped EXE
-
\??\c:\3vjpv.exec:\3vjpv.exe41⤵
- Executes dropped EXE
-
\??\c:\5dvdp.exec:\5dvdp.exe42⤵
- Executes dropped EXE
-
\??\c:\xlfflrx.exec:\xlfflrx.exe43⤵
- Executes dropped EXE
-
\??\c:\xrfflfr.exec:\xrfflfr.exe44⤵
- Executes dropped EXE
-
\??\c:\nhtthn.exec:\nhtthn.exe45⤵
- Executes dropped EXE
-
\??\c:\3tnhnn.exec:\3tnhnn.exe46⤵
- Executes dropped EXE
-
\??\c:\jddjj.exec:\jddjj.exe47⤵
- Executes dropped EXE
-
\??\c:\5lrflxl.exec:\5lrflxl.exe48⤵
- Executes dropped EXE
-
\??\c:\7rrxxfl.exec:\7rrxxfl.exe49⤵
- Executes dropped EXE
-
\??\c:\nbnnnh.exec:\nbnnnh.exe50⤵
- Executes dropped EXE
-
\??\c:\nbhhhb.exec:\nbhhhb.exe51⤵
- Executes dropped EXE
-
\??\c:\pjdpp.exec:\pjdpp.exe52⤵
- Executes dropped EXE
-
\??\c:\frffrll.exec:\frffrll.exe53⤵
- Executes dropped EXE
-
\??\c:\7xflrrr.exec:\7xflrrr.exe54⤵
- Executes dropped EXE
-
\??\c:\9rfxxrr.exec:\9rfxxrr.exe55⤵
- Executes dropped EXE
-
\??\c:\bthbhh.exec:\bthbhh.exe56⤵
- Executes dropped EXE
-
\??\c:\btnnhb.exec:\btnnhb.exe57⤵
- Executes dropped EXE
-
\??\c:\3jpjd.exec:\3jpjd.exe58⤵
- Executes dropped EXE
-
\??\c:\dvjdd.exec:\dvjdd.exe59⤵
- Executes dropped EXE
-
\??\c:\3xlrxxf.exec:\3xlrxxf.exe60⤵
- Executes dropped EXE
-
\??\c:\1hhbtt.exec:\1hhbtt.exe61⤵
- Executes dropped EXE
-
\??\c:\bnbbbt.exec:\bnbbbt.exe62⤵
- Executes dropped EXE
-
\??\c:\pjvdd.exec:\pjvdd.exe63⤵
- Executes dropped EXE
-
\??\c:\vjjdj.exec:\vjjdj.exe64⤵
- Executes dropped EXE
-
\??\c:\vjjjp.exec:\vjjjp.exe65⤵
- Executes dropped EXE
-
\??\c:\frfxxlr.exec:\frfxxlr.exe66⤵
- Executes dropped EXE
-
\??\c:\fxxxlll.exec:\fxxxlll.exe67⤵
-
\??\c:\nhtttt.exec:\nhtttt.exe68⤵
-
\??\c:\7nhhnh.exec:\7nhhnh.exe69⤵
-
\??\c:\7dvvv.exec:\7dvvv.exe70⤵
-
\??\c:\jdpdv.exec:\jdpdv.exe71⤵
-
\??\c:\lllrlrf.exec:\lllrlrf.exe72⤵
-
\??\c:\3frxxrx.exec:\3frxxrx.exe73⤵
-
\??\c:\fxxxllr.exec:\fxxxllr.exe74⤵
-
\??\c:\tnbthn.exec:\tnbthn.exe75⤵
-
\??\c:\bbnthn.exec:\bbnthn.exe76⤵
-
\??\c:\9jjvv.exec:\9jjvv.exe77⤵
-
\??\c:\pddpp.exec:\pddpp.exe78⤵
-
\??\c:\7xfxxrl.exec:\7xfxxrl.exe79⤵
-
\??\c:\7lrxxrx.exec:\7lrxxrx.exe80⤵
-
\??\c:\thnntn.exec:\thnntn.exe81⤵
-
\??\c:\tnbttb.exec:\tnbttb.exe82⤵
-
\??\c:\jvdjj.exec:\jvdjj.exe83⤵
-
\??\c:\jdjvj.exec:\jdjvj.exe84⤵
-
\??\c:\rflffxf.exec:\rflffxf.exe85⤵
-
\??\c:\rrrxrxl.exec:\rrrxrxl.exe86⤵
-
\??\c:\bnbttt.exec:\bnbttt.exe87⤵
-
\??\c:\hhtbhh.exec:\hhtbhh.exe88⤵
-
\??\c:\vjvdj.exec:\vjvdj.exe89⤵
-
\??\c:\vpdjd.exec:\vpdjd.exe90⤵
-
\??\c:\rlrrxxf.exec:\rlrrxxf.exe91⤵
-
\??\c:\frflfll.exec:\frflfll.exe92⤵
-
\??\c:\bttbtt.exec:\bttbtt.exe93⤵
-
\??\c:\tnnhnt.exec:\tnnhnt.exe94⤵
-
\??\c:\dvpdj.exec:\dvpdj.exe95⤵
-
\??\c:\vjdjp.exec:\vjdjp.exe96⤵
-
\??\c:\lfrxflr.exec:\lfrxflr.exe97⤵
-
\??\c:\lrxrlxr.exec:\lrxrlxr.exe98⤵
-
\??\c:\3tntth.exec:\3tntth.exe99⤵
-
\??\c:\nhnnnn.exec:\nhnnnn.exe100⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vpdpd.exec:\vpdpd.exe101⤵
-
\??\c:\jvddp.exec:\jvddp.exe102⤵
-
\??\c:\rlrxffl.exec:\rlrxffl.exe103⤵
-
\??\c:\rllffxl.exec:\rllffxl.exe104⤵
-
\??\c:\hbtntt.exec:\hbtntt.exe105⤵
-
\??\c:\9nnbhb.exec:\9nnbhb.exe106⤵
-
\??\c:\jvjjv.exec:\jvjjv.exe107⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe108⤵
-
\??\c:\xlrxrfl.exec:\xlrxrfl.exe109⤵
-
\??\c:\lffflrx.exec:\lffflrx.exe110⤵
-
\??\c:\1tbbbh.exec:\1tbbbh.exe111⤵
-
\??\c:\tnbbbb.exec:\tnbbbb.exe112⤵
-
\??\c:\9jppj.exec:\9jppj.exe113⤵
-
\??\c:\7fxlllr.exec:\7fxlllr.exe114⤵
-
\??\c:\lxfffff.exec:\lxfffff.exe115⤵
-
\??\c:\1fxflfl.exec:\1fxflfl.exe116⤵
-
\??\c:\5bnbhh.exec:\5bnbhh.exe117⤵
-
\??\c:\1bnttn.exec:\1bnttn.exe118⤵
-
\??\c:\vppvd.exec:\vppvd.exe119⤵
-
\??\c:\xlrxfxf.exec:\xlrxfxf.exe120⤵
-
\??\c:\rlrlxfl.exec:\rlrlxfl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-