Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
22-11-2024 21:28
General
-
Target
34086b7ad3ef2425bfad0eca29a8b05a71d615115aaaa31498ea4ce9e47ca0e7.exe
-
Size
105KB
-
MD5
d8b1eb5847774742429d5578ed0e8b57
-
SHA1
8dd1723c339a881b22899a3c9a6f0e7ea743e2f4
-
SHA256
34086b7ad3ef2425bfad0eca29a8b05a71d615115aaaa31498ea4ce9e47ca0e7
-
SHA512
2b0eab56c7677175e38e424baa4c23356e52b170dd47ee18d225aa44d078a930b83c6e0df4146d4118a4e8a85e56cc9f8212b762265074e566d98baba506179c
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73tvn+Yp99zm+/KZBHq82PCK:n3C9BRo7tvnJ99T/KZE89K
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\34086b7ad3ef2425bfad0eca29a8b05a71d615115aaaa31498ea4ce9e47ca0e7.exe"C:\Users\Admin\AppData\Local\Temp\34086b7ad3ef2425bfad0eca29a8b05a71d615115aaaa31498ea4ce9e47ca0e7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdpv.exec:\jjdpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\00426.exec:\00426.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\066828.exec:\066828.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6208804.exec:\6208804.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tttbnb.exec:\tttbnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rlrllx.exec:\1rlrllx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5fxxlxf.exec:\5fxxlxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k86842.exec:\k86842.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w26246.exec:\w26246.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrxxr.exec:\fxlrxxr.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\00842.exec:\00842.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxflff.exec:\xlxflff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\600280.exec:\600280.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdjd.exec:\jjdjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffflxfr.exec:\ffflxfr.exe17⤵
- Executes dropped EXE
-
\??\c:\822240.exec:\822240.exe18⤵
- Executes dropped EXE
-
\??\c:\jpvpv.exec:\jpvpv.exe19⤵
- Executes dropped EXE
-
\??\c:\9hbhbb.exec:\9hbhbb.exe20⤵
- Executes dropped EXE
-
\??\c:\bnbhhn.exec:\bnbhhn.exe21⤵
- Executes dropped EXE
-
\??\c:\e04466.exec:\e04466.exe22⤵
- Executes dropped EXE
-
\??\c:\1fxflrf.exec:\1fxflrf.exe23⤵
- Executes dropped EXE
-
\??\c:\jpdvd.exec:\jpdvd.exe24⤵
- Executes dropped EXE
-
\??\c:\9rrxxlf.exec:\9rrxxlf.exe25⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe26⤵
- Executes dropped EXE
-
\??\c:\480442.exec:\480442.exe27⤵
- Executes dropped EXE
-
\??\c:\btnnbh.exec:\btnnbh.exe28⤵
- Executes dropped EXE
-
\??\c:\5nntbh.exec:\5nntbh.exe29⤵
- Executes dropped EXE
-
\??\c:\4288866.exec:\4288866.exe30⤵
- Executes dropped EXE
-
\??\c:\0806240.exec:\0806240.exe31⤵
- Executes dropped EXE
-
\??\c:\6088668.exec:\6088668.exe32⤵
- Executes dropped EXE
-
\??\c:\nnbhth.exec:\nnbhth.exe33⤵
- Executes dropped EXE
-
\??\c:\fxxlxxl.exec:\fxxlxxl.exe34⤵
- Executes dropped EXE
-
\??\c:\o644280.exec:\o644280.exe35⤵
- Executes dropped EXE
-
\??\c:\5vpdj.exec:\5vpdj.exe36⤵
- Executes dropped EXE
-
\??\c:\tnntbt.exec:\tnntbt.exe37⤵
- Executes dropped EXE
-
\??\c:\9btthh.exec:\9btthh.exe38⤵
- Executes dropped EXE
-
\??\c:\k08644.exec:\k08644.exe39⤵
- Executes dropped EXE
-
\??\c:\jdjjj.exec:\jdjjj.exe40⤵
- Executes dropped EXE
-
\??\c:\ddpvj.exec:\ddpvj.exe41⤵
- Executes dropped EXE
-
\??\c:\2684668.exec:\2684668.exe42⤵
- Executes dropped EXE
-
\??\c:\tbtntn.exec:\tbtntn.exe43⤵
- Executes dropped EXE
-
\??\c:\9htbtt.exec:\9htbtt.exe44⤵
- Executes dropped EXE
-
\??\c:\42462.exec:\42462.exe45⤵
- Executes dropped EXE
-
\??\c:\rlxfrrl.exec:\rlxfrrl.exe46⤵
- Executes dropped EXE
-
\??\c:\60806.exec:\60806.exe47⤵
- Executes dropped EXE
-
\??\c:\1lllxxf.exec:\1lllxxf.exe48⤵
- Executes dropped EXE
-
\??\c:\480680.exec:\480680.exe49⤵
- Executes dropped EXE
-
\??\c:\420206.exec:\420206.exe50⤵
- Executes dropped EXE
-
\??\c:\5vpjd.exec:\5vpjd.exe51⤵
- Executes dropped EXE
-
\??\c:\fxrxlrl.exec:\fxrxlrl.exe52⤵
- Executes dropped EXE
-
\??\c:\xxrlrlx.exec:\xxrlrlx.exe53⤵
- Executes dropped EXE
-
\??\c:\60868.exec:\60868.exe54⤵
- Executes dropped EXE
-
\??\c:\3dpdd.exec:\3dpdd.exe55⤵
- Executes dropped EXE
-
\??\c:\48680.exec:\48680.exe56⤵
- Executes dropped EXE
-
\??\c:\22646.exec:\22646.exe57⤵
- Executes dropped EXE
-
\??\c:\llxxxfr.exec:\llxxxfr.exe58⤵
- Executes dropped EXE
-
\??\c:\fxllflx.exec:\fxllflx.exe59⤵
- Executes dropped EXE
-
\??\c:\nbnnnh.exec:\nbnnnh.exe60⤵
- Executes dropped EXE
-
\??\c:\3rlfrxf.exec:\3rlfrxf.exe61⤵
- Executes dropped EXE
-
\??\c:\7xxfrxx.exec:\7xxfrxx.exe62⤵
- Executes dropped EXE
-
\??\c:\ffxrllr.exec:\ffxrllr.exe63⤵
- Executes dropped EXE
-
\??\c:\1bthtt.exec:\1bthtt.exe64⤵
- Executes dropped EXE
-
\??\c:\bhttnb.exec:\bhttnb.exe65⤵
- Executes dropped EXE
-
\??\c:\q68640.exec:\q68640.exe66⤵
-
\??\c:\2262440.exec:\2262440.exe67⤵
-
\??\c:\1tthtb.exec:\1tthtb.exe68⤵
-
\??\c:\lfllfxx.exec:\lfllfxx.exe69⤵
-
\??\c:\rlllxrf.exec:\rlllxrf.exe70⤵
-
\??\c:\ppvjv.exec:\ppvjv.exe71⤵
-
\??\c:\6080842.exec:\6080842.exe72⤵
-
\??\c:\fxrxlll.exec:\fxrxlll.exe73⤵
-
\??\c:\bbhnhb.exec:\bbhnhb.exe74⤵
-
\??\c:\pjpvj.exec:\pjpvj.exe75⤵
-
\??\c:\868428.exec:\868428.exe76⤵
-
\??\c:\9pvpj.exec:\9pvpj.exe77⤵
-
\??\c:\822406.exec:\822406.exe78⤵
-
\??\c:\482862.exec:\482862.exe79⤵
-
\??\c:\0648862.exec:\0648862.exe80⤵
-
\??\c:\60280.exec:\60280.exe81⤵
-
\??\c:\s0864.exec:\s0864.exe82⤵
-
\??\c:\q48800.exec:\q48800.exe83⤵
-
\??\c:\lrrflxf.exec:\lrrflxf.exe84⤵
-
\??\c:\k40266.exec:\k40266.exe85⤵
-
\??\c:\868428.exec:\868428.exe86⤵
-
\??\c:\60608.exec:\60608.exe87⤵
-
\??\c:\64040.exec:\64040.exe88⤵
-
\??\c:\ddppj.exec:\ddppj.exe89⤵
-
\??\c:\7btnnh.exec:\7btnnh.exe90⤵
-
\??\c:\fxlxlxl.exec:\fxlxlxl.exe91⤵
-
\??\c:\pjddv.exec:\pjddv.exe92⤵
-
\??\c:\u422486.exec:\u422486.exe93⤵
-
\??\c:\7rlxfll.exec:\7rlxfll.exe94⤵
-
\??\c:\206288.exec:\206288.exe95⤵
-
\??\c:\1lfrflx.exec:\1lfrflx.exe96⤵
-
\??\c:\lflxffl.exec:\lflxffl.exe97⤵
-
\??\c:\86026.exec:\86026.exe98⤵
-
\??\c:\dppvj.exec:\dppvj.exe99⤵
-
\??\c:\pjddj.exec:\pjddj.exe100⤵
-
\??\c:\jvvpp.exec:\jvvpp.exe101⤵
-
\??\c:\k86682.exec:\k86682.exe102⤵
-
\??\c:\480846.exec:\480846.exe103⤵
-
\??\c:\7jjdj.exec:\7jjdj.exe104⤵
-
\??\c:\028888.exec:\028888.exe105⤵
-
\??\c:\jvvpd.exec:\jvvpd.exe106⤵
-
\??\c:\8622880.exec:\8622880.exe107⤵
-
\??\c:\vpvvd.exec:\vpvvd.exe108⤵
-
\??\c:\rfxrlfl.exec:\rfxrlfl.exe109⤵
-
\??\c:\xlfflfl.exec:\xlfflfl.exe110⤵
-
\??\c:\i024662.exec:\i024662.exe111⤵
-
\??\c:\q40246.exec:\q40246.exe112⤵
-
\??\c:\5tnhhh.exec:\5tnhhh.exe113⤵
-
\??\c:\1jjvj.exec:\1jjvj.exe114⤵
-
\??\c:\o422266.exec:\o422266.exe115⤵
-
\??\c:\hbhtnn.exec:\hbhtnn.exe116⤵
-
\??\c:\jdpvd.exec:\jdpvd.exe117⤵
-
\??\c:\7xrrffl.exec:\7xrrffl.exe118⤵
-
\??\c:\646206.exec:\646206.exe119⤵
-
\??\c:\ppjpv.exec:\ppjpv.exe120⤵
-
\??\c:\llfrrxr.exec:\llfrrxr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-