Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-11-2024 05:33
General
-
Target
efd50b3a0fd41475d23ff86d24be6efeeb422ce0100cfa6190804df49197d66e.exe
-
Size
453KB
-
MD5
c5d9399bdf4980b8ad641ab5d17d8a98
-
SHA1
50035fa797db18a83cabb3911c7394f0ca052c36
-
SHA256
efd50b3a0fd41475d23ff86d24be6efeeb422ce0100cfa6190804df49197d66e
-
SHA512
30347dd145554dd1aed8a09b584542ea8b06e94ca8c7ef36fadd4793531f1fcbb95318e7a9974445e951b068e9b8e0eaf7393a6dad00c78da7b40edb9c77383a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetX:q7Tc2NYHUrAwfMp3CDtX
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 44 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 42 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\efd50b3a0fd41475d23ff86d24be6efeeb422ce0100cfa6190804df49197d66e.exe"C:\Users\Admin\AppData\Local\Temp\efd50b3a0fd41475d23ff86d24be6efeeb422ce0100cfa6190804df49197d66e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\84688.exec:\84688.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\602466.exec:\602466.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnhnh.exec:\nbnhnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e26206.exec:\e26206.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnthh.exec:\btnthh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbtb.exec:\btnbtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\082244.exec:\082244.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\646688.exec:\646688.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvv.exec:\dvpvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6026228.exec:\6026228.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhthnb.exec:\hhthnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jpdj.exec:\3jpdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdjj.exec:\jjdjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8262402.exec:\8262402.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxfxfr.exec:\llxfxfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnntt.exec:\ttnntt.exe17⤵
- Executes dropped EXE
-
\??\c:\rfflffl.exec:\rfflffl.exe18⤵
- Executes dropped EXE
-
\??\c:\7bthbh.exec:\7bthbh.exe19⤵
- Executes dropped EXE
-
\??\c:\pvvpd.exec:\pvvpd.exe20⤵
- Executes dropped EXE
-
\??\c:\4862402.exec:\4862402.exe21⤵
- Executes dropped EXE
-
\??\c:\dvpvj.exec:\dvpvj.exe22⤵
- Executes dropped EXE
-
\??\c:\q60284.exec:\q60284.exe23⤵
- Executes dropped EXE
-
\??\c:\vpjpv.exec:\vpjpv.exe24⤵
- Executes dropped EXE
-
\??\c:\xxlrxxl.exec:\xxlrxxl.exe25⤵
- Executes dropped EXE
-
\??\c:\fxrxflx.exec:\fxrxflx.exe26⤵
- Executes dropped EXE
-
\??\c:\fffrflx.exec:\fffrflx.exe27⤵
- Executes dropped EXE
-
\??\c:\ppjjp.exec:\ppjjp.exe28⤵
- Executes dropped EXE
-
\??\c:\nnbbnt.exec:\nnbbnt.exe29⤵
- Executes dropped EXE
-
\??\c:\u840246.exec:\u840246.exe30⤵
- Executes dropped EXE
-
\??\c:\8202068.exec:\8202068.exe31⤵
- Executes dropped EXE
-
\??\c:\rrrrffr.exec:\rrrrffr.exe32⤵
- Executes dropped EXE
-
\??\c:\rrrlflr.exec:\rrrlflr.exe33⤵
- Executes dropped EXE
-
\??\c:\pdddj.exec:\pdddj.exe34⤵
- Executes dropped EXE
-
\??\c:\hnhnbn.exec:\hnhnbn.exe35⤵
- Executes dropped EXE
-
\??\c:\9pjvv.exec:\9pjvv.exe36⤵
- Executes dropped EXE
-
\??\c:\thttbn.exec:\thttbn.exe37⤵
- Executes dropped EXE
-
\??\c:\0624024.exec:\0624024.exe38⤵
- Executes dropped EXE
-
\??\c:\jjppd.exec:\jjppd.exe39⤵
- Executes dropped EXE
-
\??\c:\vjjjv.exec:\vjjjv.exe40⤵
- Executes dropped EXE
-
\??\c:\64260.exec:\64260.exe41⤵
- Executes dropped EXE
-
\??\c:\4266440.exec:\4266440.exe42⤵
- Executes dropped EXE
-
\??\c:\xrxfrxf.exec:\xrxfrxf.exe43⤵
- Executes dropped EXE
-
\??\c:\nhbnhh.exec:\nhbnhh.exe44⤵
- Executes dropped EXE
-
\??\c:\666840.exec:\666840.exe45⤵
- Executes dropped EXE
-
\??\c:\bbnnht.exec:\bbnnht.exe46⤵
- Executes dropped EXE
-
\??\c:\4064444.exec:\4064444.exe47⤵
- Executes dropped EXE
-
\??\c:\ppdjp.exec:\ppdjp.exe48⤵
- Executes dropped EXE
-
\??\c:\1lflrrl.exec:\1lflrrl.exe49⤵
- Executes dropped EXE
-
\??\c:\0828008.exec:\0828008.exe50⤵
- Executes dropped EXE
-
\??\c:\1vpdj.exec:\1vpdj.exe51⤵
- Executes dropped EXE
-
\??\c:\hhhnbb.exec:\hhhnbb.exe52⤵
- Executes dropped EXE
-
\??\c:\i428686.exec:\i428686.exe53⤵
- Executes dropped EXE
-
\??\c:\48246.exec:\48246.exe54⤵
- Executes dropped EXE
-
\??\c:\2606842.exec:\2606842.exe55⤵
- Executes dropped EXE
-
\??\c:\3jvvd.exec:\3jvvd.exe56⤵
- Executes dropped EXE
-
\??\c:\tnhbhn.exec:\tnhbhn.exe57⤵
- Executes dropped EXE
-
\??\c:\m8262.exec:\m8262.exe58⤵
- Executes dropped EXE
-
\??\c:\1hbnbh.exec:\1hbnbh.exe59⤵
- Executes dropped EXE
-
\??\c:\440862.exec:\440862.exe60⤵
- Executes dropped EXE
-
\??\c:\8822062.exec:\8822062.exe61⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe62⤵
- Executes dropped EXE
-
\??\c:\660684.exec:\660684.exe63⤵
- Executes dropped EXE
-
\??\c:\486262.exec:\486262.exe64⤵
- Executes dropped EXE
-
\??\c:\620688.exec:\620688.exe65⤵
- Executes dropped EXE
-
\??\c:\6640820.exec:\6640820.exe66⤵
-
\??\c:\426206.exec:\426206.exe67⤵
-
\??\c:\826202.exec:\826202.exe68⤵
-
\??\c:\dpjpp.exec:\dpjpp.exe69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\ttbtbt.exec:\ttbtbt.exe70⤵
-
\??\c:\vvvpv.exec:\vvvpv.exe71⤵
-
\??\c:\8628624.exec:\8628624.exe72⤵
-
\??\c:\600862.exec:\600862.exe73⤵
-
\??\c:\9rfrlxl.exec:\9rfrlxl.exe74⤵
-
\??\c:\660428.exec:\660428.exe75⤵
-
\??\c:\42046.exec:\42046.exe76⤵
-
\??\c:\xxxlxfx.exec:\xxxlxfx.exe77⤵
-
\??\c:\c602680.exec:\c602680.exe78⤵
-
\??\c:\flxrxrf.exec:\flxrxrf.exe79⤵
-
\??\c:\9rxfrxr.exec:\9rxfrxr.exe80⤵
-
\??\c:\rxxfxfr.exec:\rxxfxfr.exe81⤵
-
\??\c:\2866402.exec:\2866402.exe82⤵
-
\??\c:\824684.exec:\824684.exe83⤵
-
\??\c:\hhhnbh.exec:\hhhnbh.exe84⤵
-
\??\c:\04626.exec:\04626.exe85⤵
-
\??\c:\rrxxfrf.exec:\rrxxfrf.exe86⤵
-
\??\c:\c606408.exec:\c606408.exe87⤵
-
\??\c:\0828068.exec:\0828068.exe88⤵
-
\??\c:\42664.exec:\42664.exe89⤵
-
\??\c:\xrlflxl.exec:\xrlflxl.exe90⤵
-
\??\c:\44284.exec:\44284.exe91⤵
-
\??\c:\jddjv.exec:\jddjv.exe92⤵
-
\??\c:\lrrrfrl.exec:\lrrrfrl.exe93⤵
-
\??\c:\0040408.exec:\0040408.exe94⤵
-
\??\c:\o828064.exec:\o828064.exe95⤵
-
\??\c:\2602680.exec:\2602680.exe96⤵
-
\??\c:\1ddpd.exec:\1ddpd.exe97⤵
-
\??\c:\pjvjv.exec:\pjvjv.exe98⤵
-
\??\c:\60884.exec:\60884.exe99⤵
-
\??\c:\e42806.exec:\e42806.exe100⤵
-
\??\c:\208400.exec:\208400.exe101⤵
-
\??\c:\64620.exec:\64620.exe102⤵
-
\??\c:\bthtbh.exec:\bthtbh.exe103⤵
-
\??\c:\a2068.exec:\a2068.exe104⤵
-
\??\c:\04804.exec:\04804.exe105⤵
-
\??\c:\pjdpd.exec:\pjdpd.exe106⤵
-
\??\c:\6088668.exec:\6088668.exe107⤵
-
\??\c:\848602.exec:\848602.exe108⤵
-
\??\c:\48286.exec:\48286.exe109⤵
-
\??\c:\9rrfxfr.exec:\9rrfxfr.exe110⤵
-
\??\c:\02266.exec:\02266.exe111⤵
-
\??\c:\lxrfllx.exec:\lxrfllx.exe112⤵
-
\??\c:\04442.exec:\04442.exe113⤵
-
\??\c:\rrrxlxx.exec:\rrrxlxx.exe114⤵
-
\??\c:\608424.exec:\608424.exe115⤵
-
\??\c:\vvjjp.exec:\vvjjp.exe116⤵
-
\??\c:\662080.exec:\662080.exe117⤵
-
\??\c:\06600.exec:\06600.exe118⤵
-
\??\c:\7fxfllx.exec:\7fxfllx.exe119⤵
-
\??\c:\264462.exec:\264462.exe120⤵
-
\??\c:\0428446.exec:\0428446.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-