Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
18/10/2024, 03:28
General
-
Target
d904a9b6b206b9b8949053788c189ba13b1b615706de859fd5c2f70092ce7348N.exe
-
Size
60KB
-
MD5
31df9368bcaad524c0d9467a56a78450
-
SHA1
2cdbeb9c0ccfb102f1b1e81b53ffb0fe0c9cbd9f
-
SHA256
d904a9b6b206b9b8949053788c189ba13b1b615706de859fd5c2f70092ce7348
-
SHA512
29f12a8a24551e1ba51fad1fdb1ea59f13442d8c1c657050e771dce3462ad383688003828739cabb22e7dd5888a462c693b0832ec259fca27c3e0adf28975ea8
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuSwFaEul:ymb3NkkiQ3mdBjFIvIFaEu
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d904a9b6b206b9b8949053788c189ba13b1b615706de859fd5c2f70092ce7348N.exe"C:\Users\Admin\AppData\Local\Temp\d904a9b6b206b9b8949053788c189ba13b1b615706de859fd5c2f70092ce7348N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\0244488.exec:\0244488.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m4664.exec:\m4664.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlxllf.exec:\rxlxllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08884.exec:\08884.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\s8028.exec:\s8028.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\02826.exec:\02826.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjjd.exec:\vvjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ntttn.exec:\5ntttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrflff.exec:\frrflff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\68600.exec:\68600.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\208802.exec:\208802.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i806224.exec:\i806224.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8688822.exec:\8688822.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdjv.exec:\jjdjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdpdv.exec:\pdpdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppd.exec:\pdppd.exe17⤵
- Executes dropped EXE
-
\??\c:\7pdpv.exec:\7pdpv.exe18⤵
- Executes dropped EXE
-
\??\c:\pdjpv.exec:\pdjpv.exe19⤵
- Executes dropped EXE
-
\??\c:\6462822.exec:\6462822.exe20⤵
- Executes dropped EXE
-
\??\c:\pjvjp.exec:\pjvjp.exe21⤵
- Executes dropped EXE
-
\??\c:\9rflfrr.exec:\9rflfrr.exe22⤵
- Executes dropped EXE
-
\??\c:\202888.exec:\202888.exe23⤵
- Executes dropped EXE
-
\??\c:\rffxrxr.exec:\rffxrxr.exe24⤵
- Executes dropped EXE
-
\??\c:\80222.exec:\80222.exe25⤵
- Executes dropped EXE
-
\??\c:\thhhnh.exec:\thhhnh.exe26⤵
- Executes dropped EXE
-
\??\c:\nbtbbb.exec:\nbtbbb.exe27⤵
- Executes dropped EXE
-
\??\c:\lxfllrr.exec:\lxfllrr.exe28⤵
- Executes dropped EXE
-
\??\c:\6008880.exec:\6008880.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\666220.exec:\666220.exe30⤵
- Executes dropped EXE
-
\??\c:\rllrrxf.exec:\rllrrxf.exe31⤵
- Executes dropped EXE
-
\??\c:\pjpjv.exec:\pjpjv.exe32⤵
- Executes dropped EXE
-
\??\c:\5lffrrf.exec:\5lffrrf.exe33⤵
- Executes dropped EXE
-
\??\c:\02444.exec:\02444.exe34⤵
- Executes dropped EXE
-
\??\c:\4206262.exec:\4206262.exe35⤵
- Executes dropped EXE
-
\??\c:\868448.exec:\868448.exe36⤵
- Executes dropped EXE
-
\??\c:\lfxfflf.exec:\lfxfflf.exe37⤵
- Executes dropped EXE
-
\??\c:\04068.exec:\04068.exe38⤵
- Executes dropped EXE
-
\??\c:\7lfffxx.exec:\7lfffxx.exe39⤵
- Executes dropped EXE
-
\??\c:\6080222.exec:\6080222.exe40⤵
- Executes dropped EXE
-
\??\c:\080420.exec:\080420.exe41⤵
- Executes dropped EXE
-
\??\c:\6444006.exec:\6444006.exe42⤵
- Executes dropped EXE
-
\??\c:\64624.exec:\64624.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\0242266.exec:\0242266.exe44⤵
- Executes dropped EXE
-
\??\c:\604028.exec:\604028.exe45⤵
- Executes dropped EXE
-
\??\c:\rffxfxx.exec:\rffxfxx.exe46⤵
- Executes dropped EXE
-
\??\c:\5pjjp.exec:\5pjjp.exe47⤵
- Executes dropped EXE
-
\??\c:\20660.exec:\20660.exe48⤵
- Executes dropped EXE
-
\??\c:\vjvpv.exec:\vjvpv.exe49⤵
- Executes dropped EXE
-
\??\c:\k84882.exec:\k84882.exe50⤵
- Executes dropped EXE
-
\??\c:\nbbtth.exec:\nbbtth.exe51⤵
- Executes dropped EXE
-
\??\c:\rffflfl.exec:\rffflfl.exe52⤵
- Executes dropped EXE
-
\??\c:\xlxrxxf.exec:\xlxrxxf.exe53⤵
- Executes dropped EXE
-
\??\c:\xlrxffr.exec:\xlrxffr.exe54⤵
- Executes dropped EXE
-
\??\c:\m4204.exec:\m4204.exe55⤵
- Executes dropped EXE
-
\??\c:\u060066.exec:\u060066.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\42462.exec:\42462.exe57⤵
- Executes dropped EXE
-
\??\c:\80222.exec:\80222.exe58⤵
- Executes dropped EXE
-
\??\c:\6428440.exec:\6428440.exe59⤵
- Executes dropped EXE
-
\??\c:\640444.exec:\640444.exe60⤵
- Executes dropped EXE
-
\??\c:\080448.exec:\080448.exe61⤵
- Executes dropped EXE
-
\??\c:\o806440.exec:\o806440.exe62⤵
- Executes dropped EXE
-
\??\c:\7hnbbh.exec:\7hnbbh.exe63⤵
- Executes dropped EXE
-
\??\c:\lxllxxx.exec:\lxllxxx.exe64⤵
- Executes dropped EXE
-
\??\c:\frxfxrr.exec:\frxfxrr.exe65⤵
- Executes dropped EXE
-
\??\c:\nbhhnh.exec:\nbhhnh.exe66⤵
-
\??\c:\022882.exec:\022882.exe67⤵
-
\??\c:\462220.exec:\462220.exe68⤵
-
\??\c:\1bbbtt.exec:\1bbbtt.exe69⤵
-
\??\c:\dvddv.exec:\dvddv.exe70⤵
-
\??\c:\8688882.exec:\8688882.exe71⤵
-
\??\c:\48206.exec:\48206.exe72⤵
-
\??\c:\86440.exec:\86440.exe73⤵
-
\??\c:\20262.exec:\20262.exe74⤵
-
\??\c:\xrfxxxl.exec:\xrfxxxl.exe75⤵
-
\??\c:\frlflff.exec:\frlflff.exe76⤵
-
\??\c:\vjvvd.exec:\vjvvd.exe77⤵
-
\??\c:\46644.exec:\46644.exe78⤵
-
\??\c:\62224.exec:\62224.exe79⤵
-
\??\c:\g6824.exec:\g6824.exe80⤵
-
\??\c:\lrfrlfl.exec:\lrfrlfl.exe81⤵
-
\??\c:\vjjjp.exec:\vjjjp.exe82⤵
-
\??\c:\nbbnnh.exec:\nbbnnh.exe83⤵
-
\??\c:\24228.exec:\24228.exe84⤵
-
\??\c:\m8400.exec:\m8400.exe85⤵
-
\??\c:\e24882.exec:\e24882.exe86⤵
-
\??\c:\i868888.exec:\i868888.exe87⤵
-
\??\c:\tnnnnh.exec:\tnnnnh.exe88⤵
-
\??\c:\24800.exec:\24800.exe89⤵
-
\??\c:\vjpjp.exec:\vjpjp.exe90⤵
-
\??\c:\w08882.exec:\w08882.exe91⤵
-
\??\c:\86884.exec:\86884.exe92⤵
-
\??\c:\9lrlllr.exec:\9lrlllr.exe93⤵
-
\??\c:\86264.exec:\86264.exe94⤵
-
\??\c:\0804624.exec:\0804624.exe95⤵
-
\??\c:\20622.exec:\20622.exe96⤵
-
\??\c:\6800228.exec:\6800228.exe97⤵
-
\??\c:\lrxxflr.exec:\lrxxflr.exe98⤵
-
\??\c:\rffxxxf.exec:\rffxxxf.exe99⤵
-
\??\c:\w08400.exec:\w08400.exe100⤵
-
\??\c:\dpdjj.exec:\dpdjj.exe101⤵
-
\??\c:\rllfrxx.exec:\rllfrxx.exe102⤵
-
\??\c:\o402440.exec:\o402440.exe103⤵
-
\??\c:\5llrxxr.exec:\5llrxxr.exe104⤵
-
\??\c:\82400.exec:\82400.exe105⤵
-
\??\c:\08428.exec:\08428.exe106⤵
-
\??\c:\26082.exec:\26082.exe107⤵
-
\??\c:\7xlxrlr.exec:\7xlxrlr.exe108⤵
-
\??\c:\nhhhnn.exec:\nhhhnn.exe109⤵
-
\??\c:\k88886.exec:\k88886.exe110⤵
-
\??\c:\rrfxrxx.exec:\rrfxrxx.exe111⤵
-
\??\c:\jdpjv.exec:\jdpjv.exe112⤵
-
\??\c:\042440.exec:\042440.exe113⤵
-
\??\c:\9jdvv.exec:\9jdvv.exe114⤵
- System Location Discovery: System Language Discovery
-
\??\c:\s6224.exec:\s6224.exe115⤵
-
\??\c:\k64444.exec:\k64444.exe116⤵
-
\??\c:\xllfxxx.exec:\xllfxxx.exe117⤵
-
\??\c:\22468.exec:\22468.exe118⤵
-
\??\c:\g4006.exec:\g4006.exe119⤵
-
\??\c:\64284.exec:\64284.exe120⤵
-
\??\c:\7tbthn.exec:\7tbthn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-