Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09/10/2024, 18:45
General
-
Target
1459458a4278014c86d635f1f259dc9e37c08e8417c2a89a45e8527a956b7a4d.exe
-
Size
68KB
-
MD5
db485556bfa88b743ded11de0bb80807
-
SHA1
1e235382e05074c24134516999a4d06d4ee35eeb
-
SHA256
1459458a4278014c86d635f1f259dc9e37c08e8417c2a89a45e8527a956b7a4d
-
SHA512
2c88c455fb51d2582a82983db802fd6ad273a282aa8b9b9f6e1d51285bb4686c65a194b4b73be59ce60fdc50e427e62cc539028157b059944555c9a2ad2bd2ca
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIug6bL6Nl1B:ymb3NkkiQ3mdBjFIugptB
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1459458a4278014c86d635f1f259dc9e37c08e8417c2a89a45e8527a956b7a4d.exe"C:\Users\Admin\AppData\Local\Temp\1459458a4278014c86d635f1f259dc9e37c08e8417c2a89a45e8527a956b7a4d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bhtntb.exec:\bhtntb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdvd.exec:\dpdvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3llrxxx.exec:\3llrxxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nhhnn.exec:\9nhhnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vppv.exec:\3vppv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppp.exec:\pdppp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlllfl.exec:\xrlllfl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1flxfxx.exec:\1flxfxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvppv.exec:\jvppv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjjj.exec:\ddjjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrllxx.exec:\ffrllxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxxllx.exec:\rlxxllx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthhnn.exec:\hthhnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjdv.exec:\vpjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xlrxxf.exec:\3xlrxxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlrxxf.exec:\frlrxxf.exe17⤵
- Executes dropped EXE
-
\??\c:\hbnbnn.exec:\hbnbnn.exe18⤵
- Executes dropped EXE
-
\??\c:\jvdpv.exec:\jvdpv.exe19⤵
- Executes dropped EXE
-
\??\c:\jjvjv.exec:\jjvjv.exe20⤵
- Executes dropped EXE
-
\??\c:\5lxrxfr.exec:\5lxrxfr.exe21⤵
- Executes dropped EXE
-
\??\c:\lfllrxf.exec:\lfllrxf.exe22⤵
- Executes dropped EXE
-
\??\c:\tnnthn.exec:\tnnthn.exe23⤵
- Executes dropped EXE
-
\??\c:\7nnbtt.exec:\7nnbtt.exe24⤵
- Executes dropped EXE
-
\??\c:\vpddd.exec:\vpddd.exe25⤵
- Executes dropped EXE
-
\??\c:\lxlrxfr.exec:\lxlrxfr.exe26⤵
- Executes dropped EXE
-
\??\c:\5thhhb.exec:\5thhhb.exe27⤵
- Executes dropped EXE
-
\??\c:\bthnnb.exec:\bthnnb.exe28⤵
- Executes dropped EXE
-
\??\c:\1vvdj.exec:\1vvdj.exe29⤵
- Executes dropped EXE
-
\??\c:\jvpvd.exec:\jvpvd.exe30⤵
- Executes dropped EXE
-
\??\c:\frllxxl.exec:\frllxxl.exe31⤵
- Executes dropped EXE
-
\??\c:\hbbhtb.exec:\hbbhtb.exe32⤵
- Executes dropped EXE
-
\??\c:\5tnthh.exec:\5tnthh.exe33⤵
-
\??\c:\tthhtt.exec:\tthhtt.exe34⤵
- Executes dropped EXE
-
\??\c:\pjvvp.exec:\pjvvp.exe35⤵
- Executes dropped EXE
-
\??\c:\dpjdj.exec:\dpjdj.exe36⤵
- Executes dropped EXE
-
\??\c:\xxlfxff.exec:\xxlfxff.exe37⤵
- Executes dropped EXE
-
\??\c:\ffrxllr.exec:\ffrxllr.exe38⤵
- Executes dropped EXE
-
\??\c:\hthnbt.exec:\hthnbt.exe39⤵
- Executes dropped EXE
-
\??\c:\tnbhhb.exec:\tnbhhb.exe40⤵
- Executes dropped EXE
-
\??\c:\1vpvp.exec:\1vpvp.exe41⤵
- Executes dropped EXE
-
\??\c:\pjpjp.exec:\pjpjp.exe42⤵
- Executes dropped EXE
-
\??\c:\7rrrxff.exec:\7rrrxff.exe43⤵
- Executes dropped EXE
-
\??\c:\3rlfffl.exec:\3rlfffl.exe44⤵
- Executes dropped EXE
-
\??\c:\bnbhhn.exec:\bnbhhn.exe45⤵
- Executes dropped EXE
-
\??\c:\tnbtbh.exec:\tnbtbh.exe46⤵
- Executes dropped EXE
-
\??\c:\1dvdp.exec:\1dvdp.exe47⤵
- Executes dropped EXE
-
\??\c:\dvppv.exec:\dvppv.exe48⤵
- Executes dropped EXE
-
\??\c:\xlrxllr.exec:\xlrxllr.exe49⤵
- Executes dropped EXE
-
\??\c:\xrflxfr.exec:\xrflxfr.exe50⤵
- Executes dropped EXE
-
\??\c:\5tbtbt.exec:\5tbtbt.exe51⤵
- Executes dropped EXE
-
\??\c:\3hbbbh.exec:\3hbbbh.exe52⤵
- Executes dropped EXE
-
\??\c:\pjvvj.exec:\pjvvj.exe53⤵
- Executes dropped EXE
-
\??\c:\jvdvj.exec:\jvdvj.exe54⤵
- Executes dropped EXE
-
\??\c:\rfllrrx.exec:\rfllrrx.exe55⤵
- Executes dropped EXE
-
\??\c:\rlxfrrl.exec:\rlxfrrl.exe56⤵
- Executes dropped EXE
-
\??\c:\hbhhnh.exec:\hbhhnh.exe57⤵
- Executes dropped EXE
-
\??\c:\tbbhbh.exec:\tbbhbh.exe58⤵
- Executes dropped EXE
-
\??\c:\pjddp.exec:\pjddp.exe59⤵
- Executes dropped EXE
-
\??\c:\5dvpp.exec:\5dvpp.exe60⤵
- Executes dropped EXE
-
\??\c:\xrxxrrx.exec:\xrxxrrx.exe61⤵
- Executes dropped EXE
-
\??\c:\rlxlrfl.exec:\rlxlrfl.exe62⤵
- Executes dropped EXE
-
\??\c:\hbttbh.exec:\hbttbh.exe63⤵
- Executes dropped EXE
-
\??\c:\bnbbhh.exec:\bnbbhh.exe64⤵
- Executes dropped EXE
-
\??\c:\vpdjj.exec:\vpdjj.exe65⤵
- Executes dropped EXE
-
\??\c:\1jvpp.exec:\1jvpp.exe66⤵
- Executes dropped EXE
-
\??\c:\lxffllr.exec:\lxffllr.exe67⤵
-
\??\c:\9rlrxxf.exec:\9rlrxxf.exe68⤵
-
\??\c:\thtbhh.exec:\thtbhh.exe69⤵
-
\??\c:\nnbnbh.exec:\nnbnbh.exe70⤵
-
\??\c:\vvpjp.exec:\vvpjp.exe71⤵
-
\??\c:\vppvj.exec:\vppvj.exe72⤵
-
\??\c:\rlfxllr.exec:\rlfxllr.exe73⤵
-
\??\c:\fxxxfxx.exec:\fxxxfxx.exe74⤵
-
\??\c:\thbbhh.exec:\thbbhh.exe75⤵
-
\??\c:\9nnntb.exec:\9nnntb.exe76⤵
-
\??\c:\ddvdv.exec:\ddvdv.exe77⤵
-
\??\c:\jvddd.exec:\jvddd.exe78⤵
-
\??\c:\dvjjd.exec:\dvjjd.exe79⤵
-
\??\c:\fxrlxrx.exec:\fxrlxrx.exe80⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rlrxlxl.exec:\rlrxlxl.exe81⤵
-
\??\c:\bttbhh.exec:\bttbhh.exe82⤵
-
\??\c:\9nhnnn.exec:\9nhnnn.exe83⤵
-
\??\c:\vpvjj.exec:\vpvjj.exe84⤵
-
\??\c:\vjppp.exec:\vjppp.exe85⤵
-
\??\c:\9pjdd.exec:\9pjdd.exe86⤵
-
\??\c:\7vjjj.exec:\7vjjj.exe87⤵
- System Location Discovery: System Language Discovery
-
\??\c:\3lllllx.exec:\3lllllx.exe88⤵
-
\??\c:\1xxfflr.exec:\1xxfflr.exe89⤵
-
\??\c:\xllllll.exec:\xllllll.exe90⤵
-
\??\c:\nhbhhn.exec:\nhbhhn.exe91⤵
-
\??\c:\9jdvv.exec:\9jdvv.exe92⤵
-
\??\c:\7jdpv.exec:\7jdpv.exe93⤵
-
\??\c:\5xlflfr.exec:\5xlflfr.exe94⤵
-
\??\c:\3xfxlfr.exec:\3xfxlfr.exe95⤵
-
\??\c:\thhnnn.exec:\thhnnn.exe96⤵
-
\??\c:\ntbtbb.exec:\ntbtbb.exe97⤵
-
\??\c:\vpddd.exec:\vpddd.exe98⤵
-
\??\c:\jjjpd.exec:\jjjpd.exe99⤵
-
\??\c:\rfrlrlr.exec:\rfrlrlr.exe100⤵
-
\??\c:\lxllrlr.exec:\lxllrlr.exe101⤵
-
\??\c:\hbnntt.exec:\hbnntt.exe102⤵
-
\??\c:\nhtbnt.exec:\nhtbnt.exe103⤵
-
\??\c:\5dpvj.exec:\5dpvj.exe104⤵
-
\??\c:\jdjjp.exec:\jdjjp.exe105⤵
-
\??\c:\frfxxrx.exec:\frfxxrx.exe106⤵
-
\??\c:\lrlxxrr.exec:\lrlxxrr.exe107⤵
-
\??\c:\bnbbbt.exec:\bnbbbt.exe108⤵
-
\??\c:\7thnhh.exec:\7thnhh.exe109⤵
-
\??\c:\vvdvv.exec:\vvdvv.exe110⤵
-
\??\c:\jvddd.exec:\jvddd.exe111⤵
-
\??\c:\1xrxxfr.exec:\1xrxxfr.exe112⤵
-
\??\c:\5llrffl.exec:\5llrffl.exe113⤵
-
\??\c:\bthnnt.exec:\bthnnt.exe114⤵
-
\??\c:\nhhnnn.exec:\nhhnnn.exe115⤵
-
\??\c:\tnhthb.exec:\tnhthb.exe116⤵
-
\??\c:\1pppp.exec:\1pppp.exe117⤵
-
\??\c:\jdvdj.exec:\jdvdj.exe118⤵
-
\??\c:\frxrrrx.exec:\frxrrrx.exe119⤵
-
\??\c:\rlxrflx.exec:\rlxrflx.exe120⤵
-
\??\c:\httthh.exec:\httthh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-