Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09/10/2024, 04:38
General
-
Target
ee94acfd24e0574600c8b73c088fd15b6ec9740eac3d5a3dd4de67cb1043569b.exe
-
Size
249KB
-
MD5
68ab2052237d995237fa27851619511b
-
SHA1
01e3f308d9cc1c47158730d39a445ec149f3a9dd
-
SHA256
ee94acfd24e0574600c8b73c088fd15b6ec9740eac3d5a3dd4de67cb1043569b
-
SHA512
45e0b28bf9ae053d8350ea891bd101d44e68008b2350112ac16558b8d0c10e27dc664c351cdb9a54c7d515b9d5addf097b2ac860527900171b399673df638479
-
SSDEEP
6144:n3C9BRo/AIX27NHWpU00VIxas1oa3YiFRlRg:n3C9uD6AUDCa4NYmRDg
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee94acfd24e0574600c8b73c088fd15b6ec9740eac3d5a3dd4de67cb1043569b.exe"C:\Users\Admin\AppData\Local\Temp\ee94acfd24e0574600c8b73c088fd15b6ec9740eac3d5a3dd4de67cb1043569b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\9lxrllr.exec:\9lxrllr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pjpd.exec:\9pjpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffxfxl.exec:\rffxfxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnnhn.exec:\nnnnhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvvj.exec:\dpvvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxxxfl.exec:\frxxxfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tnnbb.exec:\5tnnbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjpd.exec:\vjjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9httbb.exec:\9httbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7thhtt.exec:\7thhtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvvd.exec:\vpvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bnhhn.exec:\9bnhhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjjp.exec:\ddjjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7djvv.exec:\7djvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxllrl.exec:\rrxllrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5dpvj.exec:\5dpvj.exe17⤵
- Executes dropped EXE
-
\??\c:\fxllrxf.exec:\fxllrxf.exe18⤵
- Executes dropped EXE
-
\??\c:\rlrrrxf.exec:\rlrrrxf.exe19⤵
- Executes dropped EXE
-
\??\c:\bbtbhn.exec:\bbtbhn.exe20⤵
- Executes dropped EXE
-
\??\c:\jvvvj.exec:\jvvvj.exe21⤵
- Executes dropped EXE
-
\??\c:\fxlxffl.exec:\fxlxffl.exe22⤵
- Executes dropped EXE
-
\??\c:\htbtbt.exec:\htbtbt.exe23⤵
- Executes dropped EXE
-
\??\c:\1vpvd.exec:\1vpvd.exe24⤵
- Executes dropped EXE
-
\??\c:\xrxxfxf.exec:\xrxxfxf.exe25⤵
- Executes dropped EXE
-
\??\c:\ttbbnn.exec:\ttbbnn.exe26⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe27⤵
- Executes dropped EXE
-
\??\c:\rfrlxxx.exec:\rfrlxxx.exe28⤵
- Executes dropped EXE
-
\??\c:\xrfrxrx.exec:\xrfrxrx.exe29⤵
- Executes dropped EXE
-
\??\c:\jdppv.exec:\jdppv.exe30⤵
- Executes dropped EXE
-
\??\c:\rfrlxxl.exec:\rfrlxxl.exe31⤵
- Executes dropped EXE
-
\??\c:\xrrllrf.exec:\xrrllrf.exe32⤵
- Executes dropped EXE
-
\??\c:\7bnnnt.exec:\7bnnnt.exe33⤵
- Executes dropped EXE
-
\??\c:\ddjdd.exec:\ddjdd.exe34⤵
- Executes dropped EXE
-
\??\c:\5frlrll.exec:\5frlrll.exe35⤵
- Executes dropped EXE
-
\??\c:\xlrllfl.exec:\xlrllfl.exe36⤵
- Executes dropped EXE
-
\??\c:\1nnhnt.exec:\1nnhnt.exe37⤵
- Executes dropped EXE
-
\??\c:\thnhhb.exec:\thnhhb.exe38⤵
- Executes dropped EXE
-
\??\c:\ppjjd.exec:\ppjjd.exe39⤵
- Executes dropped EXE
-
\??\c:\pddvv.exec:\pddvv.exe40⤵
- Executes dropped EXE
-
\??\c:\7frfffl.exec:\7frfffl.exe41⤵
- Executes dropped EXE
-
\??\c:\llrrrrr.exec:\llrrrrr.exe42⤵
- Executes dropped EXE
-
\??\c:\tbnbbb.exec:\tbnbbb.exe43⤵
- Executes dropped EXE
-
\??\c:\3ntnhn.exec:\3ntnhn.exe44⤵
- Executes dropped EXE
-
\??\c:\3jvjj.exec:\3jvjj.exe45⤵
- Executes dropped EXE
-
\??\c:\9pvpv.exec:\9pvpv.exe46⤵
- Executes dropped EXE
-
\??\c:\7rffxxx.exec:\7rffxxx.exe47⤵
- Executes dropped EXE
-
\??\c:\9rrrrlx.exec:\9rrrrlx.exe48⤵
- Executes dropped EXE
-
\??\c:\bhnnhh.exec:\bhnnhh.exe49⤵
- Executes dropped EXE
-
\??\c:\jvvdd.exec:\jvvdd.exe50⤵
- Executes dropped EXE
-
\??\c:\ddjdj.exec:\ddjdj.exe51⤵
- Executes dropped EXE
-
\??\c:\7rxrxrx.exec:\7rxrxrx.exe52⤵
- Executes dropped EXE
-
\??\c:\1fllllx.exec:\1fllllx.exe53⤵
- Executes dropped EXE
-
\??\c:\nbnhnh.exec:\nbnhnh.exe54⤵
- Executes dropped EXE
-
\??\c:\bthhnh.exec:\bthhnh.exe55⤵
- Executes dropped EXE
-
\??\c:\pjvdj.exec:\pjvdj.exe56⤵
- Executes dropped EXE
-
\??\c:\dpvpp.exec:\dpvpp.exe57⤵
- Executes dropped EXE
-
\??\c:\frxlfxx.exec:\frxlfxx.exe58⤵
- Executes dropped EXE
-
\??\c:\xlfrrrf.exec:\xlfrrrf.exe59⤵
- Executes dropped EXE
-
\??\c:\thnttt.exec:\thnttt.exe60⤵
- Executes dropped EXE
-
\??\c:\dpvvv.exec:\dpvvv.exe61⤵
- Executes dropped EXE
-
\??\c:\9vdpp.exec:\9vdpp.exe62⤵
- Executes dropped EXE
-
\??\c:\9dpjj.exec:\9dpjj.exe63⤵
- Executes dropped EXE
-
\??\c:\xllllfr.exec:\xllllfr.exe64⤵
- Executes dropped EXE
-
\??\c:\xflxxrl.exec:\xflxxrl.exe65⤵
- Executes dropped EXE
-
\??\c:\hthhnt.exec:\hthhnt.exe66⤵
-
\??\c:\bnthnh.exec:\bnthnh.exe67⤵
-
\??\c:\1jddj.exec:\1jddj.exe68⤵
-
\??\c:\1xlfxrr.exec:\1xlfxrr.exe69⤵
-
\??\c:\rlrxxfl.exec:\rlrxxfl.exe70⤵
-
\??\c:\3bhbbb.exec:\3bhbbb.exe71⤵
-
\??\c:\5nbthh.exec:\5nbthh.exe72⤵
-
\??\c:\dvdvj.exec:\dvdvj.exe73⤵
-
\??\c:\pjpdv.exec:\pjpdv.exe74⤵
-
\??\c:\1fxfrxf.exec:\1fxfrxf.exe75⤵
-
\??\c:\xfxlfxr.exec:\xfxlfxr.exe76⤵
-
\??\c:\nbhhnn.exec:\nbhhnn.exe77⤵
-
\??\c:\nbnthh.exec:\nbnthh.exe78⤵
-
\??\c:\1djjj.exec:\1djjj.exe79⤵
-
\??\c:\vjddv.exec:\vjddv.exe80⤵
-
\??\c:\lfllfxx.exec:\lfllfxx.exe81⤵
-
\??\c:\nbhnnn.exec:\nbhnnn.exe82⤵
-
\??\c:\7nbbtt.exec:\7nbbtt.exe83⤵
-
\??\c:\9bnhtn.exec:\9bnhtn.exe84⤵
-
\??\c:\vjjjd.exec:\vjjjd.exe85⤵
-
\??\c:\3rrrrlr.exec:\3rrrrlr.exe86⤵
- System Location Discovery: System Language Discovery
-
\??\c:\5rllxxf.exec:\5rllxxf.exe87⤵
-
\??\c:\3nbhnn.exec:\3nbhnn.exe88⤵
-
\??\c:\bbhntb.exec:\bbhntb.exe89⤵
-
\??\c:\ppdjp.exec:\ppdjp.exe90⤵
-
\??\c:\pjvvd.exec:\pjvvd.exe91⤵
-
\??\c:\jppdd.exec:\jppdd.exe92⤵
-
\??\c:\lffrxrr.exec:\lffrxrr.exe93⤵
-
\??\c:\lflxfxx.exec:\lflxfxx.exe94⤵
-
\??\c:\bnnhbb.exec:\bnnhbb.exe95⤵
-
\??\c:\thnnhb.exec:\thnnhb.exe96⤵
-
\??\c:\jjpdv.exec:\jjpdv.exe97⤵
-
\??\c:\1dpjd.exec:\1dpjd.exe98⤵
-
\??\c:\lxlfrrr.exec:\lxlfrrr.exe99⤵
-
\??\c:\rfrxfxx.exec:\rfrxfxx.exe100⤵
-
\??\c:\htnnnn.exec:\htnnnn.exe101⤵
-
\??\c:\hbnbnh.exec:\hbnbnh.exe102⤵
- System Location Discovery: System Language Discovery
-
\??\c:\jjdjd.exec:\jjdjd.exe103⤵
-
\??\c:\jpvpp.exec:\jpvpp.exe104⤵
-
\??\c:\3ffrlff.exec:\3ffrlff.exe105⤵
-
\??\c:\1frrrfl.exec:\1frrrfl.exe106⤵
-
\??\c:\9btbnn.exec:\9btbnn.exe107⤵
-
\??\c:\jpdvv.exec:\jpdvv.exe108⤵
-
\??\c:\jdpjv.exec:\jdpjv.exe109⤵
-
\??\c:\1dpdd.exec:\1dpdd.exe110⤵
-
\??\c:\xxfxfxx.exec:\xxfxfxx.exe111⤵
-
\??\c:\lfllllf.exec:\lfllllf.exe112⤵
-
\??\c:\ntbnhb.exec:\ntbnhb.exe113⤵
-
\??\c:\1vdpp.exec:\1vdpp.exe114⤵
-
\??\c:\1vjjj.exec:\1vjjj.exe115⤵
-
\??\c:\rflllff.exec:\rflllff.exe116⤵
-
\??\c:\xrxflrr.exec:\xrxflrr.exe117⤵
-
\??\c:\xlfxlll.exec:\xlfxlll.exe118⤵
-
\??\c:\bbbtnh.exec:\bbbtnh.exe119⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe120⤵
-
\??\c:\7jpjd.exec:\7jpjd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-