Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13/10/2024, 12:19
General
-
Target
138ca5d0d004bb9fe69a9e1421b9bf9808ccffcda6cfb35c5ac28a413bc907caN.exe
-
Size
71KB
-
MD5
a9a021d58ca4d986043a6f294e5c6540
-
SHA1
4c90fbd0e006777e408762a02da2adf0601a8f6d
-
SHA256
138ca5d0d004bb9fe69a9e1421b9bf9808ccffcda6cfb35c5ac28a413bc907ca
-
SHA512
ba73e7a01230c229039ae9c8bc9ce8ebf618cc2c84f59800c88e5238ab5f59024cc651b6f69eb3097906f684816e3a581a3c96fa4f03e672ed216b421a01e205
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjD:ymb3NkkiQ3mdBjFI4VT
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 18 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\138ca5d0d004bb9fe69a9e1421b9bf9808ccffcda6cfb35c5ac28a413bc907caN.exe"C:\Users\Admin\AppData\Local\Temp\138ca5d0d004bb9fe69a9e1421b9bf9808ccffcda6cfb35c5ac28a413bc907caN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1fflxlf.exec:\1fflxlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhnhn.exec:\nnhnhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrrxxx.exec:\ffrrxxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbntb.exec:\nnbntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pjdp.exec:\1pjdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxrlxf.exec:\lxxrlxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhnbn.exec:\tnhnbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjddd.exec:\jjddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrfrrf.exec:\lfrfrrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxlfff.exec:\llxlfff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhthbt.exec:\nhthbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppvd.exec:\vppvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppv.exec:\pdppv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrrrrf.exec:\xlrrrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbnt.exec:\btnbnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvvp.exec:\ddvvp.exe17⤵
- Executes dropped EXE
-
\??\c:\lfxllrf.exec:\lfxllrf.exe18⤵
- Executes dropped EXE
-
\??\c:\1xlrrxf.exec:\1xlrrxf.exe19⤵
- Executes dropped EXE
-
\??\c:\thtthb.exec:\thtthb.exe20⤵
- Executes dropped EXE
-
\??\c:\dvpvd.exec:\dvpvd.exe21⤵
- Executes dropped EXE
-
\??\c:\1flxrrl.exec:\1flxrrl.exe22⤵
- Executes dropped EXE
-
\??\c:\1bnbtb.exec:\1bnbtb.exe23⤵
- Executes dropped EXE
-
\??\c:\dpdjp.exec:\dpdjp.exe24⤵
- Executes dropped EXE
-
\??\c:\dddjv.exec:\dddjv.exe25⤵
- Executes dropped EXE
-
\??\c:\xrxxxff.exec:\xrxxxff.exe26⤵
- Executes dropped EXE
-
\??\c:\tnhhnt.exec:\tnhhnt.exe27⤵
- Executes dropped EXE
-
\??\c:\rlfxxrf.exec:\rlfxxrf.exe28⤵
- Executes dropped EXE
-
\??\c:\rlfrrlr.exec:\rlfrrlr.exe29⤵
- Executes dropped EXE
-
\??\c:\hbttbb.exec:\hbttbb.exe30⤵
- Executes dropped EXE
-
\??\c:\dvppp.exec:\dvppp.exe31⤵
- Executes dropped EXE
-
\??\c:\vvvjv.exec:\vvvjv.exe32⤵
- Executes dropped EXE
-
\??\c:\lxrxflr.exec:\lxrxflr.exe33⤵
- Executes dropped EXE
-
\??\c:\5hnbth.exec:\5hnbth.exe34⤵
- Executes dropped EXE
-
\??\c:\pvjpj.exec:\pvjpj.exe35⤵
- Executes dropped EXE
-
\??\c:\jvvvj.exec:\jvvvj.exe36⤵
- Executes dropped EXE
-
\??\c:\lxlffxx.exec:\lxlffxx.exe37⤵
- Executes dropped EXE
-
\??\c:\7hbtbb.exec:\7hbtbb.exe38⤵
- Executes dropped EXE
-
\??\c:\7nhbhh.exec:\7nhbhh.exe39⤵
- Executes dropped EXE
-
\??\c:\pjddd.exec:\pjddd.exe40⤵
- Executes dropped EXE
-
\??\c:\dvjjj.exec:\dvjjj.exe41⤵
- Executes dropped EXE
-
\??\c:\frxxrrl.exec:\frxxrrl.exe42⤵
- Executes dropped EXE
-
\??\c:\bhthht.exec:\bhthht.exe43⤵
- Executes dropped EXE
-
\??\c:\hbnbhb.exec:\hbnbhb.exe44⤵
- Executes dropped EXE
-
\??\c:\pjpvv.exec:\pjpvv.exe45⤵
- Executes dropped EXE
-
\??\c:\ppjjp.exec:\ppjjp.exe46⤵
- Executes dropped EXE
-
\??\c:\9lflrxf.exec:\9lflrxf.exe47⤵
- Executes dropped EXE
-
\??\c:\3frrfxf.exec:\3frrfxf.exe48⤵
- Executes dropped EXE
-
\??\c:\nhntbt.exec:\nhntbt.exe49⤵
- Executes dropped EXE
-
\??\c:\tnbttn.exec:\tnbttn.exe50⤵
- Executes dropped EXE
-
\??\c:\dpddj.exec:\dpddj.exe51⤵
- Executes dropped EXE
-
\??\c:\dvpvj.exec:\dvpvj.exe52⤵
- Executes dropped EXE
-
\??\c:\xlxxxrr.exec:\xlxxxrr.exe53⤵
- Executes dropped EXE
-
\??\c:\bthtbb.exec:\bthtbb.exe54⤵
- Executes dropped EXE
-
\??\c:\hnnbnt.exec:\hnnbnt.exe55⤵
- Executes dropped EXE
-
\??\c:\1jjdp.exec:\1jjdp.exe56⤵
- Executes dropped EXE
-
\??\c:\jppjd.exec:\jppjd.exe57⤵
- Executes dropped EXE
-
\??\c:\7rflllf.exec:\7rflllf.exe58⤵
- Executes dropped EXE
-
\??\c:\hhbthn.exec:\hhbthn.exe59⤵
- Executes dropped EXE
-
\??\c:\thbbbh.exec:\thbbbh.exe60⤵
- Executes dropped EXE
-
\??\c:\httbhh.exec:\httbhh.exe61⤵
- Executes dropped EXE
-
\??\c:\pjvpv.exec:\pjvpv.exe62⤵
- Executes dropped EXE
-
\??\c:\dddjd.exec:\dddjd.exe63⤵
- Executes dropped EXE
-
\??\c:\rfxfllx.exec:\rfxfllx.exe64⤵
- Executes dropped EXE
-
\??\c:\xflrflx.exec:\xflrflx.exe65⤵
- Executes dropped EXE
-
\??\c:\thhbbt.exec:\thhbbt.exe66⤵
-
\??\c:\jdvdj.exec:\jdvdj.exe67⤵
-
\??\c:\vvvdp.exec:\vvvdp.exe68⤵
-
\??\c:\rfrrffl.exec:\rfrrffl.exe69⤵
-
\??\c:\hthhtb.exec:\hthhtb.exe70⤵
-
\??\c:\hbnntt.exec:\hbnntt.exe71⤵
-
\??\c:\1nntbt.exec:\1nntbt.exe72⤵
-
\??\c:\7dddj.exec:\7dddj.exe73⤵
-
\??\c:\xlxxffr.exec:\xlxxffr.exe74⤵
-
\??\c:\thtbbb.exec:\thtbbb.exe75⤵
-
\??\c:\tbtttb.exec:\tbtttb.exe76⤵
-
\??\c:\ddppp.exec:\ddppp.exe77⤵
-
\??\c:\5pjvp.exec:\5pjvp.exe78⤵
-
\??\c:\xxxlrxf.exec:\xxxlrxf.exe79⤵
-
\??\c:\9hnhhh.exec:\9hnhhh.exe80⤵
-
\??\c:\hbthtt.exec:\hbthtt.exe81⤵
-
\??\c:\vvpvd.exec:\vvpvd.exe82⤵
-
\??\c:\7vjdp.exec:\7vjdp.exe83⤵
-
\??\c:\lffffxf.exec:\lffffxf.exe84⤵
-
\??\c:\nnhttt.exec:\nnhttt.exe85⤵
-
\??\c:\tntbhh.exec:\tntbhh.exe86⤵
-
\??\c:\jjvvp.exec:\jjvvp.exe87⤵
-
\??\c:\jdpvv.exec:\jdpvv.exe88⤵
-
\??\c:\fxllrlr.exec:\fxllrlr.exe89⤵
-
\??\c:\nhbtbt.exec:\nhbtbt.exe90⤵
-
\??\c:\bthhbb.exec:\bthhbb.exe91⤵
-
\??\c:\5vjpp.exec:\5vjpp.exe92⤵
-
\??\c:\pdvpv.exec:\pdvpv.exe93⤵
-
\??\c:\ffxxllx.exec:\ffxxllx.exe94⤵
-
\??\c:\3xxflxf.exec:\3xxflxf.exe95⤵
-
\??\c:\hnbtnb.exec:\hnbtnb.exe96⤵
-
\??\c:\3djvd.exec:\3djvd.exe97⤵
-
\??\c:\djpjv.exec:\djpjv.exe98⤵
-
\??\c:\rflrxrx.exec:\rflrxrx.exe99⤵
-
\??\c:\hhtthn.exec:\hhtthn.exe100⤵
-
\??\c:\btbntt.exec:\btbntt.exe101⤵
-
\??\c:\7pvjp.exec:\7pvjp.exe102⤵
-
\??\c:\1vppv.exec:\1vppv.exe103⤵
-
\??\c:\fxllrxf.exec:\fxllrxf.exe104⤵
-
\??\c:\lrrffxl.exec:\lrrffxl.exe105⤵
-
\??\c:\nhbnth.exec:\nhbnth.exe106⤵
-
\??\c:\3jpvd.exec:\3jpvd.exe107⤵
-
\??\c:\jdvpd.exec:\jdvpd.exe108⤵
-
\??\c:\lfrlxrf.exec:\lfrlxrf.exe109⤵
-
\??\c:\fffflll.exec:\fffflll.exe110⤵
-
\??\c:\ttnntt.exec:\ttnntt.exe111⤵
-
\??\c:\ntnhbb.exec:\ntnhbb.exe112⤵
-
\??\c:\dvjpp.exec:\dvjpp.exe113⤵
-
\??\c:\7vpdj.exec:\7vpdj.exe114⤵
-
\??\c:\fxrxlrx.exec:\fxrxlrx.exe115⤵
-
\??\c:\bntbbh.exec:\bntbbh.exe116⤵
-
\??\c:\ttnhtb.exec:\ttnhtb.exe117⤵
-
\??\c:\vppjj.exec:\vppjj.exe118⤵
-
\??\c:\vjjvv.exec:\vjjvv.exe119⤵
-
\??\c:\1rfrrrr.exec:\1rfrrrr.exe120⤵
-
\??\c:\hnhbtn.exec:\hnhbtn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-