Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-11-2024 11:22
General
-
Target
ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7.exe
-
Size
75KB
-
MD5
f0985b9122826e1f02a9b5c048e6eee4
-
SHA1
78296346200467974c34120e7d6ea37842c079c1
-
SHA256
ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7
-
SHA512
148b7583855d3c68365ecbd98499f2c6c4fe4959eace5111bb07a2894d81b8e57d2dfade487418bb0abc2fd96a6125556bd2a86273fef7eab01a82a4c76bd51c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzk358nLA89OGvrFVHmsL:ymb3NkkiQ3mdBjFIvl358nLA89OMFVH1
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7.exe"C:\Users\Admin\AppData\Local\Temp\ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdpv.exec:\jjdpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhtbt.exec:\nbhtbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdvpv.exec:\vdvpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rxlxrr.exec:\3rxlxrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hntttt.exec:\hntttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhnbht.exec:\bhnbht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjdp.exec:\jpjdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxrrrx.exec:\flxrrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnbhh.exec:\tnnbhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jpvd.exec:\1jpvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfrlxrx.exec:\xfrlxrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfrxxx.exec:\xxfrxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hntbhh.exec:\hntbhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvjd.exec:\ppvjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjdv.exec:\ppjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfrllfx.exec:\xfrllfx.exe17⤵
- Executes dropped EXE
-
\??\c:\ttthbb.exec:\ttthbb.exe18⤵
- Executes dropped EXE
-
\??\c:\nbntht.exec:\nbntht.exe19⤵
- Executes dropped EXE
-
\??\c:\7vdvv.exec:\7vdvv.exe20⤵
- Executes dropped EXE
-
\??\c:\3rrxrlr.exec:\3rrxrlr.exe21⤵
- Executes dropped EXE
-
\??\c:\xlflxlf.exec:\xlflxlf.exe22⤵
- Executes dropped EXE
-
\??\c:\htthth.exec:\htthth.exe23⤵
- Executes dropped EXE
-
\??\c:\tbbnbt.exec:\tbbnbt.exe24⤵
- Executes dropped EXE
-
\??\c:\jppvp.exec:\jppvp.exe25⤵
- Executes dropped EXE
-
\??\c:\rxlffxf.exec:\rxlffxf.exe26⤵
- Executes dropped EXE
-
\??\c:\tbtbnt.exec:\tbtbnt.exe27⤵
- Executes dropped EXE
-
\??\c:\djvjp.exec:\djvjp.exe28⤵
- Executes dropped EXE
-
\??\c:\pvjdj.exec:\pvjdj.exe29⤵
- Executes dropped EXE
-
\??\c:\flxxxrx.exec:\flxxxrx.exe30⤵
- Executes dropped EXE
-
\??\c:\1ntnhb.exec:\1ntnhb.exe31⤵
- Executes dropped EXE
-
\??\c:\ntbtbb.exec:\ntbtbb.exe32⤵
- Executes dropped EXE
-
\??\c:\9dpdd.exec:\9dpdd.exe33⤵
- Executes dropped EXE
-
\??\c:\rxxrffl.exec:\rxxrffl.exe34⤵
- Executes dropped EXE
-
\??\c:\rlfflrx.exec:\rlfflrx.exe35⤵
- Executes dropped EXE
-
\??\c:\hhttnb.exec:\hhttnb.exe36⤵
- Executes dropped EXE
-
\??\c:\ttnhhn.exec:\ttnhhn.exe37⤵
- Executes dropped EXE
-
\??\c:\jpvpp.exec:\jpvpp.exe38⤵
- Executes dropped EXE
-
\??\c:\vvvjp.exec:\vvvjp.exe39⤵
- Executes dropped EXE
-
\??\c:\llflxfr.exec:\llflxfr.exe40⤵
- Executes dropped EXE
-
\??\c:\bbtttn.exec:\bbtttn.exe41⤵
- Executes dropped EXE
-
\??\c:\tnbbhh.exec:\tnbbhh.exe42⤵
- Executes dropped EXE
-
\??\c:\lrfxlfl.exec:\lrfxlfl.exe43⤵
- Executes dropped EXE
-
\??\c:\lxllrlr.exec:\lxllrlr.exe44⤵
- Executes dropped EXE
-
\??\c:\nbhhnh.exec:\nbhhnh.exe45⤵
- Executes dropped EXE
-
\??\c:\hbnbtn.exec:\hbnbtn.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ddvpv.exec:\ddvpv.exe47⤵
- Executes dropped EXE
-
\??\c:\pjpjp.exec:\pjpjp.exe48⤵
- Executes dropped EXE
-
\??\c:\flrflll.exec:\flrflll.exe49⤵
- Executes dropped EXE
-
\??\c:\tbnhhb.exec:\tbnhhb.exe50⤵
- Executes dropped EXE
-
\??\c:\ttthbt.exec:\ttthbt.exe51⤵
- Executes dropped EXE
-
\??\c:\1tbntn.exec:\1tbntn.exe52⤵
- Executes dropped EXE
-
\??\c:\5jpjv.exec:\5jpjv.exe53⤵
- Executes dropped EXE
-
\??\c:\pjdvd.exec:\pjdvd.exe54⤵
- Executes dropped EXE
-
\??\c:\xfrfllr.exec:\xfrfllr.exe55⤵
- Executes dropped EXE
-
\??\c:\rrrfffx.exec:\rrrfffx.exe56⤵
- Executes dropped EXE
-
\??\c:\3hbhtb.exec:\3hbhtb.exe57⤵
- Executes dropped EXE
-
\??\c:\nntbnt.exec:\nntbnt.exe58⤵
- Executes dropped EXE
-
\??\c:\hhhhbh.exec:\hhhhbh.exe59⤵
- Executes dropped EXE
-
\??\c:\vjvvd.exec:\vjvvd.exe60⤵
- Executes dropped EXE
-
\??\c:\djvpd.exec:\djvpd.exe61⤵
- Executes dropped EXE
-
\??\c:\xrrfxxf.exec:\xrrfxxf.exe62⤵
- Executes dropped EXE
-
\??\c:\lfflrxr.exec:\lfflrxr.exe63⤵
- Executes dropped EXE
-
\??\c:\9tbbtb.exec:\9tbbtb.exe64⤵
- Executes dropped EXE
-
\??\c:\9jvjv.exec:\9jvjv.exe65⤵
- Executes dropped EXE
-
\??\c:\pjddd.exec:\pjddd.exe66⤵
-
\??\c:\9flxfxr.exec:\9flxfxr.exe67⤵
-
\??\c:\lfxfxlf.exec:\lfxfxlf.exe68⤵
-
\??\c:\nnhthb.exec:\nnhthb.exe69⤵
-
\??\c:\tttbth.exec:\tttbth.exe70⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe71⤵
-
\??\c:\vvjvd.exec:\vvjvd.exe72⤵
-
\??\c:\xrffrrf.exec:\xrffrrf.exe73⤵
-
\??\c:\fllxrxl.exec:\fllxrxl.exe74⤵
-
\??\c:\nttnnn.exec:\nttnnn.exe75⤵
-
\??\c:\djpjp.exec:\djpjp.exe76⤵
-
\??\c:\ddvdj.exec:\ddvdj.exe77⤵
-
\??\c:\rlxlflx.exec:\rlxlflx.exe78⤵
-
\??\c:\ffrflrf.exec:\ffrflrf.exe79⤵
-
\??\c:\1nnntb.exec:\1nnntb.exe80⤵
-
\??\c:\nntbhn.exec:\nntbhn.exe81⤵
-
\??\c:\3jpjp.exec:\3jpjp.exe82⤵
-
\??\c:\9pppp.exec:\9pppp.exe83⤵
-
\??\c:\xrrxlxr.exec:\xrrxlxr.exe84⤵
-
\??\c:\flrlrll.exec:\flrlrll.exe85⤵
-
\??\c:\hntntn.exec:\hntntn.exe86⤵
-
\??\c:\tbttnn.exec:\tbttnn.exe87⤵
-
\??\c:\djpdp.exec:\djpdp.exe88⤵
-
\??\c:\jdjpj.exec:\jdjpj.exe89⤵
-
\??\c:\xlxlflf.exec:\xlxlflf.exe90⤵
-
\??\c:\rflffxf.exec:\rflffxf.exe91⤵
-
\??\c:\nnbtbt.exec:\nnbtbt.exe92⤵
-
\??\c:\tttbbh.exec:\tttbbh.exe93⤵
-
\??\c:\dppjv.exec:\dppjv.exe94⤵
-
\??\c:\vjpdd.exec:\vjpdd.exe95⤵
-
\??\c:\3lrrrxr.exec:\3lrrrxr.exe96⤵
-
\??\c:\1lrfrxl.exec:\1lrfrxl.exe97⤵
-
\??\c:\bnhhbt.exec:\bnhhbt.exe98⤵
-
\??\c:\hbttbn.exec:\hbttbn.exe99⤵
-
\??\c:\ppjvd.exec:\ppjvd.exe100⤵
-
\??\c:\jjvpp.exec:\jjvpp.exe101⤵
-
\??\c:\rffxfxf.exec:\rffxfxf.exe102⤵
-
\??\c:\lxxlfxl.exec:\lxxlfxl.exe103⤵
-
\??\c:\bnbbhb.exec:\bnbbhb.exe104⤵
-
\??\c:\pvjpd.exec:\pvjpd.exe105⤵
-
\??\c:\djvpv.exec:\djvpv.exe106⤵
-
\??\c:\xrlrlll.exec:\xrlrlll.exe107⤵
-
\??\c:\xfrrrrx.exec:\xfrrrrx.exe108⤵
-
\??\c:\tbhhhn.exec:\tbhhhn.exe109⤵
-
\??\c:\vdvjv.exec:\vdvjv.exe110⤵
-
\??\c:\ppvpp.exec:\ppvpp.exe111⤵
-
\??\c:\1rfrrll.exec:\1rfrrll.exe112⤵
-
\??\c:\hntnnn.exec:\hntnnn.exe113⤵
-
\??\c:\7ntnbh.exec:\7ntnbh.exe114⤵
-
\??\c:\ppvdd.exec:\ppvdd.exe115⤵
-
\??\c:\5jddp.exec:\5jddp.exe116⤵
-
\??\c:\llrffrr.exec:\llrffrr.exe117⤵
-
\??\c:\xlfffrx.exec:\xlfffrx.exe118⤵
-
\??\c:\7bbntn.exec:\7bbntn.exe119⤵
-
\??\c:\djvjd.exec:\djvjd.exe120⤵
-
\??\c:\jjjjj.exec:\jjjjj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-