Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-11-2024 11:18
General
-
Target
ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7.exe
-
Size
75KB
-
MD5
f0985b9122826e1f02a9b5c048e6eee4
-
SHA1
78296346200467974c34120e7d6ea37842c079c1
-
SHA256
ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7
-
SHA512
148b7583855d3c68365ecbd98499f2c6c4fe4959eace5111bb07a2894d81b8e57d2dfade487418bb0abc2fd96a6125556bd2a86273fef7eab01a82a4c76bd51c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzk358nLA89OGvrFVHmsL:ymb3NkkiQ3mdBjFIvl358nLA89OMFVH1
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 18 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7.exe"C:\Users\Admin\AppData\Local\Temp\ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfrlxf.exec:\rlfrlxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhtbht.exec:\bhtbht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdjd.exec:\ppdjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxfrxl.exec:\lfxfrxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnhtt.exec:\nnnhtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhntbh.exec:\nhntbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppv.exec:\vjppv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrxlxf.exec:\frrxlxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhhtt.exec:\bbhhtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jddp.exec:\9jddp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrxllx.exec:\fxrxllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xxrxxf.exec:\1xxrxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhttbt.exec:\nhttbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbhbn.exec:\ttbhbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pppv.exec:\1pppv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjdp.exec:\vdjdp.exe17⤵
- Executes dropped EXE
-
\??\c:\rrxfrxf.exec:\rrxfrxf.exe18⤵
- Executes dropped EXE
-
\??\c:\tnbhnn.exec:\tnbhnn.exe19⤵
- Executes dropped EXE
-
\??\c:\3htbhn.exec:\3htbhn.exe20⤵
- Executes dropped EXE
-
\??\c:\jvjpd.exec:\jvjpd.exe21⤵
- Executes dropped EXE
-
\??\c:\dpjjd.exec:\dpjjd.exe22⤵
- Executes dropped EXE
-
\??\c:\lfffllr.exec:\lfffllr.exe23⤵
- Executes dropped EXE
-
\??\c:\hhhthb.exec:\hhhthb.exe24⤵
- Executes dropped EXE
-
\??\c:\3bhttn.exec:\3bhttn.exe25⤵
- Executes dropped EXE
-
\??\c:\htbhtn.exec:\htbhtn.exe26⤵
- Executes dropped EXE
-
\??\c:\vjvvp.exec:\vjvvp.exe27⤵
- Executes dropped EXE
-
\??\c:\vpjjj.exec:\vpjjj.exe28⤵
- Executes dropped EXE
-
\??\c:\lfllrrf.exec:\lfllrrf.exe29⤵
- Executes dropped EXE
-
\??\c:\ttnbhh.exec:\ttnbhh.exe30⤵
- Executes dropped EXE
-
\??\c:\pjvvj.exec:\pjvvj.exe31⤵
- Executes dropped EXE
-
\??\c:\jdpvj.exec:\jdpvj.exe32⤵
- Executes dropped EXE
-
\??\c:\1lffrxf.exec:\1lffrxf.exe33⤵
- Executes dropped EXE
-
\??\c:\xffrfxr.exec:\xffrfxr.exe34⤵
- Executes dropped EXE
-
\??\c:\bthtbn.exec:\bthtbn.exe35⤵
- Executes dropped EXE
-
\??\c:\bthhnt.exec:\bthhnt.exe36⤵
- Executes dropped EXE
-
\??\c:\1pvdp.exec:\1pvdp.exe37⤵
- Executes dropped EXE
-
\??\c:\pvjjp.exec:\pvjjp.exe38⤵
- Executes dropped EXE
-
\??\c:\rlxlffl.exec:\rlxlffl.exe39⤵
- Executes dropped EXE
-
\??\c:\btbbbh.exec:\btbbbh.exe40⤵
- Executes dropped EXE
-
\??\c:\9btttb.exec:\9btttb.exe41⤵
- Executes dropped EXE
-
\??\c:\tnhnnh.exec:\tnhnnh.exe42⤵
- Executes dropped EXE
-
\??\c:\pddvd.exec:\pddvd.exe43⤵
- Executes dropped EXE
-
\??\c:\5frrrxf.exec:\5frrrxf.exe44⤵
- Executes dropped EXE
-
\??\c:\llxfrrf.exec:\llxfrrf.exe45⤵
- Executes dropped EXE
-
\??\c:\9tnttt.exec:\9tnttt.exe46⤵
- Executes dropped EXE
-
\??\c:\nhnthh.exec:\nhnthh.exe47⤵
- Executes dropped EXE
-
\??\c:\hbhhnt.exec:\hbhhnt.exe48⤵
- Executes dropped EXE
-
\??\c:\1djjj.exec:\1djjj.exe49⤵
- Executes dropped EXE
-
\??\c:\9pddd.exec:\9pddd.exe50⤵
- Executes dropped EXE
-
\??\c:\9xllllr.exec:\9xllllr.exe51⤵
- Executes dropped EXE
-
\??\c:\3ffllrf.exec:\3ffllrf.exe52⤵
- Executes dropped EXE
-
\??\c:\nhnthn.exec:\nhnthn.exe53⤵
- Executes dropped EXE
-
\??\c:\hhhbbh.exec:\hhhbbh.exe54⤵
- Executes dropped EXE
-
\??\c:\jdvdj.exec:\jdvdj.exe55⤵
- Executes dropped EXE
-
\??\c:\7dvdj.exec:\7dvdj.exe56⤵
- Executes dropped EXE
-
\??\c:\pjdjv.exec:\pjdjv.exe57⤵
- Executes dropped EXE
-
\??\c:\fxrrflr.exec:\fxrrflr.exe58⤵
- Executes dropped EXE
-
\??\c:\lfrxrxf.exec:\lfrxrxf.exe59⤵
- Executes dropped EXE
-
\??\c:\hbntbh.exec:\hbntbh.exe60⤵
- Executes dropped EXE
-
\??\c:\1nhnnn.exec:\1nhnnn.exe61⤵
- Executes dropped EXE
-
\??\c:\ppvdp.exec:\ppvdp.exe62⤵
- Executes dropped EXE
-
\??\c:\7jppp.exec:\7jppp.exe63⤵
- Executes dropped EXE
-
\??\c:\fxflllr.exec:\fxflllr.exe64⤵
- Executes dropped EXE
-
\??\c:\rrlxlrr.exec:\rrlxlrr.exe65⤵
- Executes dropped EXE
-
\??\c:\nnnbht.exec:\nnnbht.exe66⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe67⤵
-
\??\c:\lfxlrfr.exec:\lfxlrfr.exe68⤵
-
\??\c:\ffxxrxl.exec:\ffxxrxl.exe69⤵
-
\??\c:\btnbhn.exec:\btnbhn.exe70⤵
-
\??\c:\3bbhnn.exec:\3bbhnn.exe71⤵
-
\??\c:\5vpdj.exec:\5vpdj.exe72⤵
-
\??\c:\ppddj.exec:\ppddj.exe73⤵
-
\??\c:\rfxlfxl.exec:\rfxlfxl.exe74⤵
-
\??\c:\1xrflrl.exec:\1xrflrl.exe75⤵
-
\??\c:\nnhnth.exec:\nnhnth.exe76⤵
-
\??\c:\nbhtbb.exec:\nbhtbb.exe77⤵
-
\??\c:\7ppvj.exec:\7ppvj.exe78⤵
-
\??\c:\7pjpv.exec:\7pjpv.exe79⤵
-
\??\c:\1xxlxlx.exec:\1xxlxlx.exe80⤵
-
\??\c:\tnttbb.exec:\tnttbb.exe81⤵
-
\??\c:\tnnntb.exec:\tnnntb.exe82⤵
-
\??\c:\dvdjp.exec:\dvdjp.exe83⤵
-
\??\c:\djvdp.exec:\djvdp.exe84⤵
-
\??\c:\3lxflrx.exec:\3lxflrx.exe85⤵
-
\??\c:\llxlflr.exec:\llxlflr.exe86⤵
-
\??\c:\5nhbht.exec:\5nhbht.exe87⤵
-
\??\c:\nhbnbb.exec:\nhbnbb.exe88⤵
-
\??\c:\3jpvd.exec:\3jpvd.exe89⤵
-
\??\c:\pdpvv.exec:\pdpvv.exe90⤵
-
\??\c:\lllrrxf.exec:\lllrrxf.exe91⤵
-
\??\c:\rrflxll.exec:\rrflxll.exe92⤵
-
\??\c:\hbnntt.exec:\hbnntt.exe93⤵
-
\??\c:\bhtnbn.exec:\bhtnbn.exe94⤵
-
\??\c:\dpddd.exec:\dpddd.exe95⤵
-
\??\c:\jdjjv.exec:\jdjjv.exe96⤵
-
\??\c:\lfrrflx.exec:\lfrrflx.exe97⤵
-
\??\c:\9rlrxfx.exec:\9rlrxfx.exe98⤵
-
\??\c:\hthnbh.exec:\hthnbh.exe99⤵
-
\??\c:\bthntb.exec:\bthntb.exe100⤵
-
\??\c:\ddvpp.exec:\ddvpp.exe101⤵
-
\??\c:\pjdjp.exec:\pjdjp.exe102⤵
-
\??\c:\pjppv.exec:\pjppv.exe103⤵
-
\??\c:\lflrrlr.exec:\lflrrlr.exe104⤵
-
\??\c:\xrlxrxr.exec:\xrlxrxr.exe105⤵
-
\??\c:\httbhb.exec:\httbhb.exe106⤵
-
\??\c:\vjvpp.exec:\vjvpp.exe107⤵
-
\??\c:\ppjpd.exec:\ppjpd.exe108⤵
-
\??\c:\3dpjj.exec:\3dpjj.exe109⤵
-
\??\c:\rrffrrf.exec:\rrffrrf.exe110⤵
-
\??\c:\rrxllxf.exec:\rrxllxf.exe111⤵
-
\??\c:\hhbnhb.exec:\hhbnhb.exe112⤵
-
\??\c:\tntnnh.exec:\tntnnh.exe113⤵
-
\??\c:\5jjjv.exec:\5jjjv.exe114⤵
-
\??\c:\pjppv.exec:\pjppv.exe115⤵
-
\??\c:\frffffl.exec:\frffffl.exe116⤵
-
\??\c:\xfrxlxl.exec:\xfrxlxl.exe117⤵
-
\??\c:\ttthhb.exec:\ttthhb.exe118⤵
-
\??\c:\ppdjp.exec:\ppdjp.exe119⤵
-
\??\c:\jdjjv.exec:\jdjjv.exe120⤵
-
\??\c:\1frrfff.exec:\1frrfff.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-