Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
08/10/2024, 23:08
General
-
Target
702ec49cd9a4e3cbcee4c60d531470670530e416333088443512380895f1b7f9.exe
-
Size
70KB
-
MD5
7156245e761778f632cb48a97f7079cf
-
SHA1
80ca133818d903ecaec718b42ba6cc8c92163384
-
SHA256
702ec49cd9a4e3cbcee4c60d531470670530e416333088443512380895f1b7f9
-
SHA512
0602d47234d4323e28992506fb074ac1dc64eefa6fb9e11bc70334afab370862a89b3c479fbe9a205b24353a01d5b04bd43d63dfe96b11bfb32b11d23700e86c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUPqrDZ5RxfB:ymb3NkkiQ3mdBjF0yUmrfB
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\702ec49cd9a4e3cbcee4c60d531470670530e416333088443512380895f1b7f9.exe"C:\Users\Admin\AppData\Local\Temp\702ec49cd9a4e3cbcee4c60d531470670530e416333088443512380895f1b7f9.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\008080.exec:\008080.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbhhh.exec:\hbbhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\c268062.exec:\c268062.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2606440.exec:\2606440.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\420026.exec:\420026.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\084462.exec:\084462.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxllffl.exec:\rxllffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04286.exec:\04286.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjddp.exec:\jjddp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82440.exec:\82440.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxxxlf.exec:\rrxxxlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpjd.exec:\vvpjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbbht.exec:\tnbbht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbnbbb.exec:\tbnbbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxflrrf.exec:\fxflrrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\042060.exec:\042060.exe17⤵
- Executes dropped EXE
-
\??\c:\08028.exec:\08028.exe18⤵
- Executes dropped EXE
-
\??\c:\pdpvv.exec:\pdpvv.exe19⤵
- Executes dropped EXE
-
\??\c:\dvjjv.exec:\dvjjv.exe20⤵
- Executes dropped EXE
-
\??\c:\604026.exec:\604026.exe21⤵
- Executes dropped EXE
-
\??\c:\jvpvj.exec:\jvpvj.exe22⤵
- Executes dropped EXE
-
\??\c:\202288.exec:\202288.exe23⤵
- Executes dropped EXE
-
\??\c:\pjdjv.exec:\pjdjv.exe24⤵
- Executes dropped EXE
-
\??\c:\xrrxffl.exec:\xrrxffl.exe25⤵
- Executes dropped EXE
-
\??\c:\pdjvd.exec:\pdjvd.exe26⤵
- Executes dropped EXE
-
\??\c:\w08406.exec:\w08406.exe27⤵
- Executes dropped EXE
-
\??\c:\pvpvp.exec:\pvpvp.exe28⤵
- Executes dropped EXE
-
\??\c:\vpjpp.exec:\vpjpp.exe29⤵
- Executes dropped EXE
-
\??\c:\1flxlxf.exec:\1flxlxf.exe30⤵
- Executes dropped EXE
-
\??\c:\22868.exec:\22868.exe31⤵
- Executes dropped EXE
-
\??\c:\s8286.exec:\s8286.exe32⤵
- Executes dropped EXE
-
\??\c:\nbnnnn.exec:\nbnnnn.exe33⤵
- Executes dropped EXE
-
\??\c:\9pjjd.exec:\9pjjd.exe34⤵
- Executes dropped EXE
-
\??\c:\hthhtb.exec:\hthhtb.exe35⤵
- Executes dropped EXE
-
\??\c:\0486484.exec:\0486484.exe36⤵
- Executes dropped EXE
-
\??\c:\0468402.exec:\0468402.exe37⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe38⤵
- Executes dropped EXE
-
\??\c:\pjppd.exec:\pjppd.exe39⤵
- Executes dropped EXE
-
\??\c:\rlllflx.exec:\rlllflx.exe40⤵
- Executes dropped EXE
-
\??\c:\m4624.exec:\m4624.exe41⤵
- Executes dropped EXE
-
\??\c:\64668.exec:\64668.exe42⤵
- Executes dropped EXE
-
\??\c:\hbtthb.exec:\hbtthb.exe43⤵
- Executes dropped EXE
-
\??\c:\4244666.exec:\4244666.exe44⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe45⤵
- Executes dropped EXE
-
\??\c:\64228.exec:\64228.exe46⤵
- Executes dropped EXE
-
\??\c:\048806.exec:\048806.exe47⤵
- Executes dropped EXE
-
\??\c:\480068.exec:\480068.exe48⤵
- Executes dropped EXE
-
\??\c:\hhbbbh.exec:\hhbbbh.exe49⤵
- Executes dropped EXE
-
\??\c:\4800284.exec:\4800284.exe50⤵
- Executes dropped EXE
-
\??\c:\bhbnbn.exec:\bhbnbn.exe51⤵
- Executes dropped EXE
-
\??\c:\608462.exec:\608462.exe52⤵
- Executes dropped EXE
-
\??\c:\bbtbbn.exec:\bbtbbn.exe53⤵
- Executes dropped EXE
-
\??\c:\o044262.exec:\o044262.exe54⤵
- Executes dropped EXE
-
\??\c:\048084.exec:\048084.exe55⤵
- Executes dropped EXE
-
\??\c:\6486628.exec:\6486628.exe56⤵
- Executes dropped EXE
-
\??\c:\9xllxxf.exec:\9xllxxf.exe57⤵
- Executes dropped EXE
-
\??\c:\c422664.exec:\c422664.exe58⤵
- Executes dropped EXE
-
\??\c:\g8024.exec:\g8024.exe59⤵
- Executes dropped EXE
-
\??\c:\fxlrflr.exec:\fxlrflr.exe60⤵
- Executes dropped EXE
-
\??\c:\08202.exec:\08202.exe61⤵
- Executes dropped EXE
-
\??\c:\ppdjd.exec:\ppdjd.exe62⤵
- Executes dropped EXE
-
\??\c:\xrxxllr.exec:\xrxxllr.exe63⤵
- Executes dropped EXE
-
\??\c:\82064.exec:\82064.exe64⤵
- Executes dropped EXE
-
\??\c:\pdpjv.exec:\pdpjv.exe65⤵
- Executes dropped EXE
-
\??\c:\jvppd.exec:\jvppd.exe66⤵
-
\??\c:\dvjpp.exec:\dvjpp.exe67⤵
-
\??\c:\206024.exec:\206024.exe68⤵
-
\??\c:\thtbtb.exec:\thtbtb.exe69⤵
-
\??\c:\202282.exec:\202282.exe70⤵
-
\??\c:\3frflrf.exec:\3frflrf.exe71⤵
-
\??\c:\2628666.exec:\2628666.exe72⤵
-
\??\c:\g2062.exec:\g2062.exe73⤵
- System Location Discovery: System Language Discovery
-
\??\c:\46488.exec:\46488.exe74⤵
-
\??\c:\640028.exec:\640028.exe75⤵
-
\??\c:\64688.exec:\64688.exe76⤵
-
\??\c:\68648.exec:\68648.exe77⤵
-
\??\c:\a4288.exec:\a4288.exe78⤵
-
\??\c:\nbbbhb.exec:\nbbbhb.exe79⤵
-
\??\c:\frfxrlr.exec:\frfxrlr.exe80⤵
-
\??\c:\jvdpd.exec:\jvdpd.exe81⤵
-
\??\c:\4622828.exec:\4622828.exe82⤵
-
\??\c:\5vvpp.exec:\5vvpp.exe83⤵
-
\??\c:\g2446.exec:\g2446.exe84⤵
-
\??\c:\5nnnnh.exec:\5nnnnh.exe85⤵
-
\??\c:\bhhttn.exec:\bhhttn.exe86⤵
-
\??\c:\s6628.exec:\s6628.exe87⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe88⤵
-
\??\c:\5ppvd.exec:\5ppvd.exe89⤵
-
\??\c:\xrrlxxf.exec:\xrrlxxf.exe90⤵
-
\??\c:\w44000.exec:\w44000.exe91⤵
-
\??\c:\680404.exec:\680404.exe92⤵
-
\??\c:\hntbtn.exec:\hntbtn.exe93⤵
-
\??\c:\nbhnth.exec:\nbhnth.exe94⤵
-
\??\c:\2466604.exec:\2466604.exe95⤵
-
\??\c:\lxrrxrr.exec:\lxrrxrr.exe96⤵
-
\??\c:\c688422.exec:\c688422.exe97⤵
-
\??\c:\nhttnb.exec:\nhttnb.exe98⤵
-
\??\c:\lrrlxlr.exec:\lrrlxlr.exe99⤵
-
\??\c:\vjpvv.exec:\vjpvv.exe100⤵
-
\??\c:\8022666.exec:\8022666.exe101⤵
-
\??\c:\3jppv.exec:\3jppv.exe102⤵
-
\??\c:\084466.exec:\084466.exe103⤵
-
\??\c:\9bnntn.exec:\9bnntn.exe104⤵
-
\??\c:\c206644.exec:\c206644.exe105⤵
-
\??\c:\dpdjp.exec:\dpdjp.exe106⤵
-
\??\c:\1vddj.exec:\1vddj.exe107⤵
-
\??\c:\s8488.exec:\s8488.exe108⤵
-
\??\c:\htbhhh.exec:\htbhhh.exe109⤵
-
\??\c:\0866002.exec:\0866002.exe110⤵
-
\??\c:\httnbb.exec:\httnbb.exe111⤵
-
\??\c:\086282.exec:\086282.exe112⤵
-
\??\c:\htbnhh.exec:\htbnhh.exe113⤵
-
\??\c:\rlflxxl.exec:\rlflxxl.exe114⤵
-
\??\c:\c022000.exec:\c022000.exe115⤵
-
\??\c:\ffxfrxx.exec:\ffxfrxx.exe116⤵
-
\??\c:\086026.exec:\086026.exe117⤵
-
\??\c:\u406606.exec:\u406606.exe118⤵
-
\??\c:\hhhhtn.exec:\hhhhtn.exe119⤵
-
\??\c:\vpdpv.exec:\vpdpv.exe120⤵
-
\??\c:\w48004.exec:\w48004.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-