Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
10-10-2024 03:11
General
-
Target
f05aff09e6fff027539c99ddd676b97d14f35105da33846b94ebb15982d5cd5f.exe
-
Size
72KB
-
MD5
b29035d91da4f594db99b20c5d7ae300
-
SHA1
3189860d6452d208233e0e31e9f3c31f22c18c3a
-
SHA256
f05aff09e6fff027539c99ddd676b97d14f35105da33846b94ebb15982d5cd5f
-
SHA512
647edeaeb0e9d61238cb4dc28b503caab806d9d7348b25ad4c9b854a65bb7d7d5198a1f889ad8c194663c2a1a40449e2f80d81037ed242056ee30560413e4da1
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjW3:ymb3NkkiQ3mdBjFI4Vi
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f05aff09e6fff027539c99ddd676b97d14f35105da33846b94ebb15982d5cd5f.exe"C:\Users\Admin\AppData\Local\Temp\f05aff09e6fff027539c99ddd676b97d14f35105da33846b94ebb15982d5cd5f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\btthtt.exec:\btthtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvjp.exec:\jjvjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpjp.exec:\vvpjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhnbb.exec:\tnhnbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvv.exec:\pjvvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlflrxf.exec:\xlflrxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrrlrx.exec:\fxrrlrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nhnbb.exec:\7nhnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hbbht.exec:\9hbbht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpddj.exec:\jpddj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxxxfl.exec:\lrxxxfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9htbbh.exec:\9htbbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbbhn.exec:\bnbbhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vpdv.exec:\1vpdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllfllr.exec:\rllfllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hhntt.exec:\9hhntt.exe17⤵
- Executes dropped EXE
-
\??\c:\9bbnbb.exec:\9bbnbb.exe18⤵
- Executes dropped EXE
-
\??\c:\jjddp.exec:\jjddp.exe19⤵
- Executes dropped EXE
-
\??\c:\pjvvj.exec:\pjvvj.exe20⤵
- Executes dropped EXE
-
\??\c:\xxrlrxf.exec:\xxrlrxf.exe21⤵
- Executes dropped EXE
-
\??\c:\nhnnnt.exec:\nhnnnt.exe22⤵
- Executes dropped EXE
-
\??\c:\1thbbh.exec:\1thbbh.exe23⤵
- Executes dropped EXE
-
\??\c:\dvjpp.exec:\dvjpp.exe24⤵
- Executes dropped EXE
-
\??\c:\pdppd.exec:\pdppd.exe25⤵
- Executes dropped EXE
-
\??\c:\ffxxrrf.exec:\ffxxrrf.exe26⤵
- Executes dropped EXE
-
\??\c:\nhntnt.exec:\nhntnt.exe27⤵
- Executes dropped EXE
-
\??\c:\thtbnn.exec:\thtbnn.exe28⤵
- Executes dropped EXE
-
\??\c:\pdppp.exec:\pdppp.exe29⤵
- Executes dropped EXE
-
\??\c:\dvjpd.exec:\dvjpd.exe30⤵
- Executes dropped EXE
-
\??\c:\9fxlxxr.exec:\9fxlxxr.exe31⤵
- Executes dropped EXE
-
\??\c:\btnnnn.exec:\btnnnn.exe32⤵
- Executes dropped EXE
-
\??\c:\bthtbn.exec:\bthtbn.exe33⤵
- Executes dropped EXE
-
\??\c:\vvppj.exec:\vvppj.exe34⤵
- Executes dropped EXE
-
\??\c:\xrffflr.exec:\xrffflr.exe35⤵
- Executes dropped EXE
-
\??\c:\1llxllx.exec:\1llxllx.exe36⤵
- Executes dropped EXE
-
\??\c:\lxllrxx.exec:\lxllrxx.exe37⤵
- Executes dropped EXE
-
\??\c:\htbbbt.exec:\htbbbt.exe38⤵
- Executes dropped EXE
-
\??\c:\9bntbb.exec:\9bntbb.exe39⤵
- Executes dropped EXE
-
\??\c:\5vjjp.exec:\5vjjp.exe40⤵
- Executes dropped EXE
-
\??\c:\pjvdd.exec:\pjvdd.exe41⤵
- Executes dropped EXE
-
\??\c:\frxxffr.exec:\frxxffr.exe42⤵
- Executes dropped EXE
-
\??\c:\rfrrxxx.exec:\rfrrxxx.exe43⤵
- Executes dropped EXE
-
\??\c:\bththh.exec:\bththh.exe44⤵
- Executes dropped EXE
-
\??\c:\nnhthn.exec:\nnhthn.exe45⤵
- Executes dropped EXE
-
\??\c:\7djpj.exec:\7djpj.exe46⤵
- Executes dropped EXE
-
\??\c:\rlxfflr.exec:\rlxfflr.exe47⤵
- Executes dropped EXE
-
\??\c:\nhtbnb.exec:\nhtbnb.exe48⤵
- Executes dropped EXE
-
\??\c:\5jvvd.exec:\5jvvd.exe49⤵
- Executes dropped EXE
-
\??\c:\9ppdp.exec:\9ppdp.exe50⤵
- Executes dropped EXE
-
\??\c:\dvjpd.exec:\dvjpd.exe51⤵
- Executes dropped EXE
-
\??\c:\9rxllrl.exec:\9rxllrl.exe52⤵
- Executes dropped EXE
-
\??\c:\7lfrlfl.exec:\7lfrlfl.exe53⤵
- Executes dropped EXE
-
\??\c:\bththh.exec:\bththh.exe54⤵
- Executes dropped EXE
-
\??\c:\tntbnh.exec:\tntbnh.exe55⤵
- Executes dropped EXE
-
\??\c:\jdjjd.exec:\jdjjd.exe56⤵
- Executes dropped EXE
-
\??\c:\5jddd.exec:\5jddd.exe57⤵
- Executes dropped EXE
-
\??\c:\rlfrxfr.exec:\rlfrxfr.exe58⤵
- Executes dropped EXE
-
\??\c:\rrrxflx.exec:\rrrxflx.exe59⤵
- Executes dropped EXE
-
\??\c:\lxlfllr.exec:\lxlfllr.exe60⤵
- Executes dropped EXE
-
\??\c:\nnnbtb.exec:\nnnbtb.exe61⤵
- Executes dropped EXE
-
\??\c:\bnbbtb.exec:\bnbbtb.exe62⤵
- Executes dropped EXE
-
\??\c:\jvdpj.exec:\jvdpj.exe63⤵
- Executes dropped EXE
-
\??\c:\vpddj.exec:\vpddj.exe64⤵
- Executes dropped EXE
-
\??\c:\xrfrffx.exec:\xrfrffx.exe65⤵
- Executes dropped EXE
-
\??\c:\xfrxfff.exec:\xfrxfff.exe66⤵
-
\??\c:\hbbhnb.exec:\hbbhnb.exe67⤵
-
\??\c:\5pdjj.exec:\5pdjj.exe68⤵
-
\??\c:\jvjdd.exec:\jvjdd.exe69⤵
-
\??\c:\pjdjp.exec:\pjdjp.exe70⤵
-
\??\c:\rllrllx.exec:\rllrllx.exe71⤵
-
\??\c:\xrxxxxf.exec:\xrxxxxf.exe72⤵
-
\??\c:\ttnhtb.exec:\ttnhtb.exe73⤵
-
\??\c:\bbnntt.exec:\bbnntt.exe74⤵
-
\??\c:\dvjpd.exec:\dvjpd.exe75⤵
-
\??\c:\vpdjv.exec:\vpdjv.exe76⤵
-
\??\c:\xrrxxfr.exec:\xrrxxfr.exe77⤵
-
\??\c:\rlrrfxl.exec:\rlrrfxl.exe78⤵
-
\??\c:\ttnbtb.exec:\ttnbtb.exe79⤵
-
\??\c:\nhttnh.exec:\nhttnh.exe80⤵
-
\??\c:\dpvdj.exec:\dpvdj.exe81⤵
-
\??\c:\jdjjp.exec:\jdjjp.exe82⤵
-
\??\c:\fxllxxr.exec:\fxllxxr.exe83⤵
-
\??\c:\3rrfrrf.exec:\3rrfrrf.exe84⤵
-
\??\c:\5tntbh.exec:\5tntbh.exe85⤵
-
\??\c:\tntbnn.exec:\tntbnn.exe86⤵
-
\??\c:\vpjpv.exec:\vpjpv.exe87⤵
-
\??\c:\vpjdj.exec:\vpjdj.exe88⤵
-
\??\c:\xrflflr.exec:\xrflflr.exe89⤵
-
\??\c:\rlxflrx.exec:\rlxflrx.exe90⤵
-
\??\c:\nnhntt.exec:\nnhntt.exe91⤵
-
\??\c:\5nnntt.exec:\5nnntt.exe92⤵
-
\??\c:\pjppp.exec:\pjppp.exe93⤵
-
\??\c:\5dpjv.exec:\5dpjv.exe94⤵
-
\??\c:\3jddv.exec:\3jddv.exe95⤵
-
\??\c:\fxrfllr.exec:\fxrfllr.exe96⤵
-
\??\c:\hbhnth.exec:\hbhnth.exe97⤵
-
\??\c:\9nnnnh.exec:\9nnnnh.exe98⤵
-
\??\c:\9btnnt.exec:\9btnnt.exe99⤵
-
\??\c:\jdvpv.exec:\jdvpv.exe100⤵
-
\??\c:\ppjpd.exec:\ppjpd.exe101⤵
-
\??\c:\5frrffx.exec:\5frrffx.exe102⤵
-
\??\c:\fxfrfxx.exec:\fxfrfxx.exe103⤵
-
\??\c:\tnhbnb.exec:\tnhbnb.exe104⤵
-
\??\c:\tnttbt.exec:\tnttbt.exe105⤵
-
\??\c:\nnhhtb.exec:\nnhhtb.exe106⤵
-
\??\c:\pjdpv.exec:\pjdpv.exe107⤵
-
\??\c:\ddppj.exec:\ddppj.exe108⤵
-
\??\c:\rllxxfr.exec:\rllxxfr.exe109⤵
-
\??\c:\rlflxrf.exec:\rlflxrf.exe110⤵
-
\??\c:\btnbnb.exec:\btnbnb.exe111⤵
-
\??\c:\thtntb.exec:\thtntb.exe112⤵
-
\??\c:\vpdpv.exec:\vpdpv.exe113⤵
-
\??\c:\dvppj.exec:\dvppj.exe114⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe115⤵
-
\??\c:\9llfffr.exec:\9llfffr.exe116⤵
-
\??\c:\rlffflr.exec:\rlffflr.exe117⤵
-
\??\c:\7nnttb.exec:\7nnttb.exe118⤵
-
\??\c:\bthtbh.exec:\bthtbh.exe119⤵
-
\??\c:\vpddd.exec:\vpddd.exe120⤵
-
\??\c:\vpddj.exec:\vpddj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-