Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09-10-2024 01:56
General
-
Target
a7861517756489f45119cd9f4969ba3bb5b2e28dfbbc81e0d16d7dfed1e7ef81.exe
-
Size
69KB
-
MD5
b1feb290557e45a4d35598c75282706a
-
SHA1
1734e81a47e0c29d45b591421551625c0c46e3c4
-
SHA256
a7861517756489f45119cd9f4969ba3bb5b2e28dfbbc81e0d16d7dfed1e7ef81
-
SHA512
73b9b15319d762ac3a0237cb4b561d9a256da751e695c2e6bdbc694650a3878f03eabec164aeb5b2d04a7407e33fd7b3a49829ad67d52927ece25b7d6606cc26
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIoAcPD:ymb3NkkiQ3mdBjFIsIVcL
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7861517756489f45119cd9f4969ba3bb5b2e28dfbbc81e0d16d7dfed1e7ef81.exe"C:\Users\Admin\AppData\Local\Temp\a7861517756489f45119cd9f4969ba3bb5b2e28dfbbc81e0d16d7dfed1e7ef81.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\5dppj.exec:\5dppj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bnhnh.exec:\1bnhnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxfffr.exec:\rlxfffr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfflll.exec:\xrfflll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbtnh.exec:\tbbtnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppv.exec:\pdppv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvdj.exec:\vpvdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxxxfr.exec:\frxxxfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5hhbhb.exec:\5hhbhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvjp.exec:\pjvjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vpjp.exec:\5vpjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrxxxx.exec:\xlrxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrlllr.exec:\fxrlllr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hthtb.exec:\1hthtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vvpd.exec:\7vvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjjp.exec:\vvjjp.exe17⤵
- Executes dropped EXE
-
\??\c:\xrxrxrx.exec:\xrxrxrx.exe18⤵
- Executes dropped EXE
-
\??\c:\bbnnhh.exec:\bbnnhh.exe19⤵
- Executes dropped EXE
-
\??\c:\nhnttb.exec:\nhnttb.exe20⤵
- Executes dropped EXE
-
\??\c:\jdvpj.exec:\jdvpj.exe21⤵
- Executes dropped EXE
-
\??\c:\7xrfrrf.exec:\7xrfrrf.exe22⤵
- Executes dropped EXE
-
\??\c:\lxrrrxx.exec:\lxrrrxx.exe23⤵
- Executes dropped EXE
-
\??\c:\hbnbht.exec:\hbnbht.exe24⤵
- Executes dropped EXE
-
\??\c:\3nnhnh.exec:\3nnhnh.exe25⤵
- Executes dropped EXE
-
\??\c:\vjdjp.exec:\vjdjp.exe26⤵
- Executes dropped EXE
-
\??\c:\5pdvd.exec:\5pdvd.exe27⤵
- Executes dropped EXE
-
\??\c:\fxfxfxx.exec:\fxfxfxx.exe28⤵
- Executes dropped EXE
-
\??\c:\fffflrx.exec:\fffflrx.exe29⤵
- Executes dropped EXE
-
\??\c:\9nhnbb.exec:\9nhnbb.exe30⤵
- Executes dropped EXE
-
\??\c:\pppvv.exec:\pppvv.exe31⤵
- Executes dropped EXE
-
\??\c:\pjdvv.exec:\pjdvv.exe32⤵
- Executes dropped EXE
-
\??\c:\lxlffrr.exec:\lxlffrr.exe33⤵
- Executes dropped EXE
-
\??\c:\7xrxlfl.exec:\7xrxlfl.exe34⤵
- Executes dropped EXE
-
\??\c:\7nhhnt.exec:\7nhhnt.exe35⤵
- Executes dropped EXE
-
\??\c:\9nbhhh.exec:\9nbhhh.exe36⤵
- Executes dropped EXE
-
\??\c:\jdvdd.exec:\jdvdd.exe37⤵
- Executes dropped EXE
-
\??\c:\9fxrrlx.exec:\9fxrrlx.exe38⤵
- Executes dropped EXE
-
\??\c:\xrxfllx.exec:\xrxfllx.exe39⤵
- Executes dropped EXE
-
\??\c:\hbnttb.exec:\hbnttb.exe40⤵
- Executes dropped EXE
-
\??\c:\7dvvd.exec:\7dvvd.exe41⤵
- Executes dropped EXE
-
\??\c:\dvddj.exec:\dvddj.exe42⤵
- Executes dropped EXE
-
\??\c:\xrfllrr.exec:\xrfllrr.exe43⤵
- Executes dropped EXE
-
\??\c:\xlfffrx.exec:\xlfffrx.exe44⤵
- Executes dropped EXE
-
\??\c:\5bttbn.exec:\5bttbn.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hhbbht.exec:\hhbbht.exe46⤵
- Executes dropped EXE
-
\??\c:\9jdpv.exec:\9jdpv.exe47⤵
- Executes dropped EXE
-
\??\c:\vdvdd.exec:\vdvdd.exe48⤵
- Executes dropped EXE
-
\??\c:\rlxfxlr.exec:\rlxfxlr.exe49⤵
- Executes dropped EXE
-
\??\c:\3lflrrr.exec:\3lflrrr.exe50⤵
- Executes dropped EXE
-
\??\c:\nnbbbh.exec:\nnbbbh.exe51⤵
- Executes dropped EXE
-
\??\c:\tnbnhn.exec:\tnbnhn.exe52⤵
- Executes dropped EXE
-
\??\c:\dddpv.exec:\dddpv.exe53⤵
- Executes dropped EXE
-
\??\c:\rlxxxxf.exec:\rlxxxxf.exe54⤵
- Executes dropped EXE
-
\??\c:\7rfrxfl.exec:\7rfrxfl.exe55⤵
- Executes dropped EXE
-
\??\c:\llxxllr.exec:\llxxllr.exe56⤵
- Executes dropped EXE
-
\??\c:\5hbbbh.exec:\5hbbbh.exe57⤵
- Executes dropped EXE
-
\??\c:\nbhhnh.exec:\nbhhnh.exe58⤵
- Executes dropped EXE
-
\??\c:\ppjjj.exec:\ppjjj.exe59⤵
- Executes dropped EXE
-
\??\c:\vpvjp.exec:\vpvjp.exe60⤵
- Executes dropped EXE
-
\??\c:\1xrlxxf.exec:\1xrlxxf.exe61⤵
- Executes dropped EXE
-
\??\c:\3xllllr.exec:\3xllllr.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hhbnhn.exec:\hhbnhn.exe63⤵
- Executes dropped EXE
-
\??\c:\3nbttb.exec:\3nbttb.exe64⤵
- Executes dropped EXE
-
\??\c:\djpvj.exec:\djpvj.exe65⤵
- Executes dropped EXE
-
\??\c:\ddjjp.exec:\ddjjp.exe66⤵
-
\??\c:\lrfxxxr.exec:\lrfxxxr.exe67⤵
-
\??\c:\7xrfflx.exec:\7xrfflx.exe68⤵
-
\??\c:\7rllrrf.exec:\7rllrrf.exe69⤵
-
\??\c:\1bnthh.exec:\1bnthh.exe70⤵
-
\??\c:\pdpvv.exec:\pdpvv.exe71⤵
-
\??\c:\lfrrxfr.exec:\lfrrxfr.exe72⤵
-
\??\c:\bttntn.exec:\bttntn.exe73⤵
-
\??\c:\bntttt.exec:\bntttt.exe74⤵
-
\??\c:\vpddv.exec:\vpddv.exe75⤵
-
\??\c:\3vjdj.exec:\3vjdj.exe76⤵
-
\??\c:\xrrrfxr.exec:\xrrrfxr.exe77⤵
-
\??\c:\rfxxffr.exec:\rfxxffr.exe78⤵
-
\??\c:\hbhnnh.exec:\hbhnnh.exe79⤵
-
\??\c:\htttnt.exec:\htttnt.exe80⤵
-
\??\c:\3pdpv.exec:\3pdpv.exe81⤵
-
\??\c:\rxxlxff.exec:\rxxlxff.exe82⤵
-
\??\c:\1fxlxxf.exec:\1fxlxxf.exe83⤵
-
\??\c:\ttbnnt.exec:\ttbnnt.exe84⤵
-
\??\c:\3thbbb.exec:\3thbbb.exe85⤵
-
\??\c:\ppdvp.exec:\ppdvp.exe86⤵
-
\??\c:\jvvdd.exec:\jvvdd.exe87⤵
-
\??\c:\7xlllrx.exec:\7xlllrx.exe88⤵
-
\??\c:\7nntbt.exec:\7nntbt.exe89⤵
-
\??\c:\1nbttt.exec:\1nbttt.exe90⤵
-
\??\c:\7thhnn.exec:\7thhnn.exe91⤵
-
\??\c:\1jvjd.exec:\1jvjd.exe92⤵
-
\??\c:\dpjjv.exec:\dpjjv.exe93⤵
-
\??\c:\7rflrxf.exec:\7rflrxf.exe94⤵
-
\??\c:\rllrxxf.exec:\rllrxxf.exe95⤵
-
\??\c:\1nbnbb.exec:\1nbnbb.exe96⤵
-
\??\c:\3jpvd.exec:\3jpvd.exe97⤵
-
\??\c:\dpdjj.exec:\dpdjj.exe98⤵
-
\??\c:\3rrfrrx.exec:\3rrfrrx.exe99⤵
-
\??\c:\rlrxlrx.exec:\rlrxlrx.exe100⤵
-
\??\c:\tthnbb.exec:\tthnbb.exe101⤵
-
\??\c:\btbhtb.exec:\btbhtb.exe102⤵
-
\??\c:\dvddj.exec:\dvddj.exe103⤵
-
\??\c:\lfxrrrx.exec:\lfxrrrx.exe104⤵
-
\??\c:\lxffllr.exec:\lxffllr.exe105⤵
-
\??\c:\9lxrflr.exec:\9lxrflr.exe106⤵
-
\??\c:\hthnnh.exec:\hthnnh.exe107⤵
-
\??\c:\bnhnnn.exec:\bnhnnn.exe108⤵
-
\??\c:\dvpvp.exec:\dvpvp.exe109⤵
-
\??\c:\dvppd.exec:\dvppd.exe110⤵
-
\??\c:\5frxllr.exec:\5frxllr.exe111⤵
-
\??\c:\frxlrll.exec:\frxlrll.exe112⤵
-
\??\c:\5nbntt.exec:\5nbntt.exe113⤵
-
\??\c:\nhtnbt.exec:\nhtnbt.exe114⤵
-
\??\c:\pjppp.exec:\pjppp.exe115⤵
-
\??\c:\3flxlrx.exec:\3flxlrx.exe116⤵
-
\??\c:\rfrxlll.exec:\rfrxlll.exe117⤵
-
\??\c:\9tthnt.exec:\9tthnt.exe118⤵
-
\??\c:\7hnhbt.exec:\7hnhbt.exe119⤵
-
\??\c:\pdjjj.exec:\pdjjj.exe120⤵
-
\??\c:\1vjdj.exec:\1vjdj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-