Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-11-2024 02:04
General
-
Target
926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5.exe
-
Size
453KB
-
MD5
f0669a0ecc6efac4e3159d57b9ce7ee9
-
SHA1
6e9abbd2a5e52fb8dd8023332cc7f593c2bf6798
-
SHA256
926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5
-
SHA512
3b46cfe494247febf41d5d9edd315ab01e0081eb21a7d678e44378a10434eae33d53b35295d481cf9ccae7cd32fa497f9869be5dbc974339d88eb48e01bcdaf0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 54 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 54 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5.exe"C:\Users\Admin\AppData\Local\Temp\926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\46444.exec:\46444.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\862288.exec:\862288.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a4220.exec:\a4220.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\202288.exec:\202288.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\42402.exec:\42402.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxxffx.exec:\xlxxffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\c626040.exec:\c626040.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2802642.exec:\2802642.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20228.exec:\20228.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7tnnbh.exec:\7tnnbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhnnn.exec:\nnhnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrxxf.exec:\frxrxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08628.exec:\08628.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjdj.exec:\jvjdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppv.exec:\vjppv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ntttt.exec:\3ntttt.exe17⤵
- Executes dropped EXE
-
\??\c:\xflrrrx.exec:\xflrrrx.exe18⤵
- Executes dropped EXE
-
\??\c:\htnnhb.exec:\htnnhb.exe19⤵
- Executes dropped EXE
-
\??\c:\0804048.exec:\0804048.exe20⤵
- Executes dropped EXE
-
\??\c:\0284006.exec:\0284006.exe21⤵
- Executes dropped EXE
-
\??\c:\tthhhn.exec:\tthhhn.exe22⤵
- Executes dropped EXE
-
\??\c:\xrrfxrr.exec:\xrrfxrr.exe23⤵
- Executes dropped EXE
-
\??\c:\vpdpd.exec:\vpdpd.exe24⤵
- Executes dropped EXE
-
\??\c:\nbnthh.exec:\nbnthh.exe25⤵
- Executes dropped EXE
-
\??\c:\llxflrx.exec:\llxflrx.exe26⤵
- Executes dropped EXE
-
\??\c:\dpdpv.exec:\dpdpv.exe27⤵
- Executes dropped EXE
-
\??\c:\648282.exec:\648282.exe28⤵
- Executes dropped EXE
-
\??\c:\2088484.exec:\2088484.exe29⤵
- Executes dropped EXE
-
\??\c:\m0222.exec:\m0222.exe30⤵
- Executes dropped EXE
-
\??\c:\btnnth.exec:\btnnth.exe31⤵
- Executes dropped EXE
-
\??\c:\nhttbt.exec:\nhttbt.exe32⤵
- Executes dropped EXE
-
\??\c:\2066228.exec:\2066228.exe33⤵
- Executes dropped EXE
-
\??\c:\9xlxfxf.exec:\9xlxfxf.exe34⤵
- Executes dropped EXE
-
\??\c:\0800440.exec:\0800440.exe35⤵
- Executes dropped EXE
-
\??\c:\vvjpv.exec:\vvjpv.exe36⤵
- Executes dropped EXE
-
\??\c:\lfrrfxf.exec:\lfrrfxf.exe37⤵
- Executes dropped EXE
-
\??\c:\k64444.exec:\k64444.exe38⤵
- Executes dropped EXE
-
\??\c:\208844.exec:\208844.exe39⤵
- Executes dropped EXE
-
\??\c:\vvvpp.exec:\vvvpp.exe40⤵
- Executes dropped EXE
-
\??\c:\i200662.exec:\i200662.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\484066.exec:\484066.exe42⤵
- Executes dropped EXE
-
\??\c:\a8044.exec:\a8044.exe43⤵
- Executes dropped EXE
-
\??\c:\3jvvv.exec:\3jvvv.exe44⤵
- Executes dropped EXE
-
\??\c:\i646824.exec:\i646824.exe45⤵
- Executes dropped EXE
-
\??\c:\428848.exec:\428848.exe46⤵
- Executes dropped EXE
-
\??\c:\202284.exec:\202284.exe47⤵
- Executes dropped EXE
-
\??\c:\0604220.exec:\0604220.exe48⤵
- Executes dropped EXE
-
\??\c:\s6446.exec:\s6446.exe49⤵
- Executes dropped EXE
-
\??\c:\ffxfxrr.exec:\ffxfxrr.exe50⤵
- Executes dropped EXE
-
\??\c:\084882.exec:\084882.exe51⤵
- Executes dropped EXE
-
\??\c:\2688406.exec:\2688406.exe52⤵
- Executes dropped EXE
-
\??\c:\fxxllrr.exec:\fxxllrr.exe53⤵
- Executes dropped EXE
-
\??\c:\bnbhhh.exec:\bnbhhh.exe54⤵
- Executes dropped EXE
-
\??\c:\frfxffl.exec:\frfxffl.exe55⤵
- Executes dropped EXE
-
\??\c:\028222.exec:\028222.exe56⤵
- Executes dropped EXE
-
\??\c:\26880.exec:\26880.exe57⤵
- Executes dropped EXE
-
\??\c:\1lrlllr.exec:\1lrlllr.exe58⤵
- Executes dropped EXE
-
\??\c:\c088446.exec:\c088446.exe59⤵
- Executes dropped EXE
-
\??\c:\4248484.exec:\4248484.exe60⤵
- Executes dropped EXE
-
\??\c:\hntthb.exec:\hntthb.exe61⤵
- Executes dropped EXE
-
\??\c:\04680.exec:\04680.exe62⤵
- Executes dropped EXE
-
\??\c:\08662.exec:\08662.exe63⤵
- Executes dropped EXE
-
\??\c:\08482.exec:\08482.exe64⤵
- Executes dropped EXE
-
\??\c:\646626.exec:\646626.exe65⤵
- Executes dropped EXE
-
\??\c:\vvvjj.exec:\vvvjj.exe66⤵
-
\??\c:\rlxrlrx.exec:\rlxrlrx.exe67⤵
-
\??\c:\rlxfrrf.exec:\rlxfrrf.exe68⤵
-
\??\c:\426066.exec:\426066.exe69⤵
-
\??\c:\8262624.exec:\8262624.exe70⤵
-
\??\c:\dvjvd.exec:\dvjvd.exe71⤵
-
\??\c:\rrxflxf.exec:\rrxflxf.exe72⤵
-
\??\c:\864442.exec:\864442.exe73⤵
-
\??\c:\i484402.exec:\i484402.exe74⤵
-
\??\c:\s2486.exec:\s2486.exe75⤵
-
\??\c:\086800.exec:\086800.exe76⤵
-
\??\c:\5pdpp.exec:\5pdpp.exe77⤵
-
\??\c:\2268608.exec:\2268608.exe78⤵
-
\??\c:\k26284.exec:\k26284.exe79⤵
-
\??\c:\q26840.exec:\q26840.exe80⤵
-
\??\c:\nnhtnn.exec:\nnhtnn.exe81⤵
-
\??\c:\824022.exec:\824022.exe82⤵
-
\??\c:\64002.exec:\64002.exe83⤵
-
\??\c:\66028.exec:\66028.exe84⤵
-
\??\c:\2026846.exec:\2026846.exe85⤵
-
\??\c:\48284.exec:\48284.exe86⤵
-
\??\c:\3ddpj.exec:\3ddpj.exe87⤵
-
\??\c:\e60088.exec:\e60088.exe88⤵
-
\??\c:\m6062.exec:\m6062.exe89⤵
-
\??\c:\jppdd.exec:\jppdd.exe90⤵
-
\??\c:\42026.exec:\42026.exe91⤵
-
\??\c:\7hbnth.exec:\7hbnth.exe92⤵
-
\??\c:\82002.exec:\82002.exe93⤵
-
\??\c:\4868008.exec:\4868008.exe94⤵
-
\??\c:\04246.exec:\04246.exe95⤵
-
\??\c:\6006024.exec:\6006024.exe96⤵
-
\??\c:\hthbnt.exec:\hthbnt.exe97⤵
-
\??\c:\5rlxlrl.exec:\5rlxlrl.exe98⤵
-
\??\c:\m6062.exec:\m6062.exe99⤵
-
\??\c:\260666.exec:\260666.exe100⤵
-
\??\c:\64828.exec:\64828.exe101⤵
-
\??\c:\3rffrrl.exec:\3rffrrl.exe102⤵
-
\??\c:\8206886.exec:\8206886.exe103⤵
-
\??\c:\i268684.exec:\i268684.exe104⤵
-
\??\c:\64280.exec:\64280.exe105⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe106⤵
-
\??\c:\nththh.exec:\nththh.exe107⤵
-
\??\c:\08246.exec:\08246.exe108⤵
-
\??\c:\1lffffl.exec:\1lffffl.exe109⤵
-
\??\c:\q84066.exec:\q84066.exe110⤵
-
\??\c:\04280.exec:\04280.exe111⤵
-
\??\c:\2080884.exec:\2080884.exe112⤵
-
\??\c:\3jvjd.exec:\3jvjd.exe113⤵
-
\??\c:\s4240.exec:\s4240.exe114⤵
-
\??\c:\3xrfllx.exec:\3xrfllx.exe115⤵
-
\??\c:\xrlxllf.exec:\xrlxllf.exe116⤵
-
\??\c:\xxllrxf.exec:\xxllrxf.exe117⤵
-
\??\c:\nnhhtb.exec:\nnhhtb.exe118⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe119⤵
-
\??\c:\vpdjv.exec:\vpdjv.exe120⤵
-
\??\c:\thnntt.exec:\thnntt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-