Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-11-2024 05:08
General
-
Target
e30b03c0caf290608292b13d88bf3aab69418785706912a376327ac14ff0b3eb.exe
-
Size
82KB
-
MD5
e3a9a82f7c138c77e2b1716a5a6164b3
-
SHA1
c78a2245fb1d97d0cbfd5fdd415fe467e623a900
-
SHA256
e30b03c0caf290608292b13d88bf3aab69418785706912a376327ac14ff0b3eb
-
SHA512
0456800a2a89493e2db62f3d3c6f1f2e13a00af64190f2d12cf17e6cad0d7ff9daf44a507e3aea221cef0dab6fbac6e9d6b70beba9ce8407e6fd1d7a830a6fae
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73tgygQwKjiawEmB5Gt9:ymb3NkkiQ3mdBjFo73thgQ/wEkc
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e30b03c0caf290608292b13d88bf3aab69418785706912a376327ac14ff0b3eb.exe"C:\Users\Admin\AppData\Local\Temp\e30b03c0caf290608292b13d88bf3aab69418785706912a376327ac14ff0b3eb.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjjd.exec:\jpjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxfxr.exec:\xrfxfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthntt.exec:\bthntt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjjd.exec:\jvjjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rfxfff.exec:\3rfxfff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbntb.exec:\hbbntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjpd.exec:\dvjpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjpv.exec:\dvjpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllrlxl.exec:\rllrlxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rxfrxx.exec:\9rxfrxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtnnh.exec:\hhtnnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvj.exec:\dvpvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddd.exec:\dvddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rlfxff.exec:\5rlfxff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxfrlx.exec:\xlxfrlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9thnbh.exec:\9thnbh.exe17⤵
- Executes dropped EXE
-
\??\c:\7nbtbt.exec:\7nbtbt.exe18⤵
- Executes dropped EXE
-
\??\c:\9vddd.exec:\9vddd.exe19⤵
- Executes dropped EXE
-
\??\c:\7pjvp.exec:\7pjvp.exe20⤵
- Executes dropped EXE
-
\??\c:\lfrrffx.exec:\lfrrffx.exe21⤵
- Executes dropped EXE
-
\??\c:\lfrrffr.exec:\lfrrffr.exe22⤵
- Executes dropped EXE
-
\??\c:\thttbh.exec:\thttbh.exe23⤵
- Executes dropped EXE
-
\??\c:\bthnbh.exec:\bthnbh.exe24⤵
- Executes dropped EXE
-
\??\c:\vpjpd.exec:\vpjpd.exe25⤵
- Executes dropped EXE
-
\??\c:\vpddp.exec:\vpddp.exe26⤵
- Executes dropped EXE
-
\??\c:\xrlrrrr.exec:\xrlrrrr.exe27⤵
- Executes dropped EXE
-
\??\c:\btntbb.exec:\btntbb.exe28⤵
- Executes dropped EXE
-
\??\c:\thttbb.exec:\thttbb.exe29⤵
- Executes dropped EXE
-
\??\c:\1jpdp.exec:\1jpdp.exe30⤵
- Executes dropped EXE
-
\??\c:\lfxxffl.exec:\lfxxffl.exe31⤵
- Executes dropped EXE
-
\??\c:\lxlllrr.exec:\lxlllrr.exe32⤵
- Executes dropped EXE
-
\??\c:\htbbhh.exec:\htbbhh.exe33⤵
- Executes dropped EXE
-
\??\c:\hbntbb.exec:\hbntbb.exe34⤵
- Executes dropped EXE
-
\??\c:\vvvvp.exec:\vvvvp.exe35⤵
- Executes dropped EXE
-
\??\c:\1jvvv.exec:\1jvvv.exe36⤵
- Executes dropped EXE
-
\??\c:\frxxxff.exec:\frxxxff.exe37⤵
- Executes dropped EXE
-
\??\c:\lxlfflx.exec:\lxlfflx.exe38⤵
- Executes dropped EXE
-
\??\c:\9nbhhh.exec:\9nbhhh.exe39⤵
- Executes dropped EXE
-
\??\c:\bbnhbh.exec:\bbnhbh.exe40⤵
- Executes dropped EXE
-
\??\c:\hhhhhn.exec:\hhhhhn.exe41⤵
- Executes dropped EXE
-
\??\c:\vpddj.exec:\vpddj.exe42⤵
- Executes dropped EXE
-
\??\c:\jvvpp.exec:\jvvpp.exe43⤵
- Executes dropped EXE
-
\??\c:\1rflffl.exec:\1rflffl.exe44⤵
- Executes dropped EXE
-
\??\c:\7frfflr.exec:\7frfflr.exe45⤵
- Executes dropped EXE
-
\??\c:\7hthnn.exec:\7hthnn.exe46⤵
- Executes dropped EXE
-
\??\c:\tttnbt.exec:\tttnbt.exe47⤵
- Executes dropped EXE
-
\??\c:\7hbhhh.exec:\7hbhhh.exe48⤵
- Executes dropped EXE
-
\??\c:\9djdd.exec:\9djdd.exe49⤵
- Executes dropped EXE
-
\??\c:\pdjdd.exec:\pdjdd.exe50⤵
- Executes dropped EXE
-
\??\c:\3flrflr.exec:\3flrflr.exe51⤵
- Executes dropped EXE
-
\??\c:\btthnn.exec:\btthnn.exe52⤵
- Executes dropped EXE
-
\??\c:\thnnbb.exec:\thnnbb.exe53⤵
- Executes dropped EXE
-
\??\c:\5pvdv.exec:\5pvdv.exe54⤵
- Executes dropped EXE
-
\??\c:\djpjj.exec:\djpjj.exe55⤵
- Executes dropped EXE
-
\??\c:\lxlxrxl.exec:\lxlxrxl.exe56⤵
- Executes dropped EXE
-
\??\c:\tnbbhh.exec:\tnbbhh.exe57⤵
- Executes dropped EXE
-
\??\c:\hhnnth.exec:\hhnnth.exe58⤵
- Executes dropped EXE
-
\??\c:\djvjd.exec:\djvjd.exe59⤵
- Executes dropped EXE
-
\??\c:\pdppp.exec:\pdppp.exe60⤵
- Executes dropped EXE
-
\??\c:\rfxfxfl.exec:\rfxfxfl.exe61⤵
- Executes dropped EXE
-
\??\c:\hbhbhh.exec:\hbhbhh.exe62⤵
- Executes dropped EXE
-
\??\c:\nthhhn.exec:\nthhhn.exe63⤵
- Executes dropped EXE
-
\??\c:\dppjp.exec:\dppjp.exe64⤵
- Executes dropped EXE
-
\??\c:\7jvdd.exec:\7jvdd.exe65⤵
- Executes dropped EXE
-
\??\c:\xlxxflr.exec:\xlxxflr.exe66⤵
-
\??\c:\1frxflf.exec:\1frxflf.exe67⤵
-
\??\c:\nbhhnn.exec:\nbhhnn.exe68⤵
-
\??\c:\thttbh.exec:\thttbh.exe69⤵
-
\??\c:\9pjpp.exec:\9pjpp.exe70⤵
-
\??\c:\vjpjj.exec:\vjpjj.exe71⤵
-
\??\c:\rflfxrx.exec:\rflfxrx.exe72⤵
-
\??\c:\xrxxfff.exec:\xrxxfff.exe73⤵
-
\??\c:\9nhhnn.exec:\9nhhnn.exe74⤵
-
\??\c:\9vjdp.exec:\9vjdp.exe75⤵
-
\??\c:\7jpjp.exec:\7jpjp.exe76⤵
-
\??\c:\vvdvv.exec:\vvdvv.exe77⤵
-
\??\c:\3fllfxf.exec:\3fllfxf.exe78⤵
-
\??\c:\rlfrrfr.exec:\rlfrrfr.exe79⤵
-
\??\c:\3thnnb.exec:\3thnnb.exe80⤵
-
\??\c:\bnnnhb.exec:\bnnnhb.exe81⤵
-
\??\c:\vjvdd.exec:\vjvdd.exe82⤵
-
\??\c:\pjjjj.exec:\pjjjj.exe83⤵
-
\??\c:\fxrfrlx.exec:\fxrfrlx.exe84⤵
-
\??\c:\ffxxxrl.exec:\ffxxxrl.exe85⤵
-
\??\c:\htbhhn.exec:\htbhhn.exe86⤵
-
\??\c:\7tntnn.exec:\7tntnn.exe87⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe88⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe89⤵
-
\??\c:\rfxrrrl.exec:\rfxrrrl.exe90⤵
-
\??\c:\lffxllr.exec:\lffxllr.exe91⤵
-
\??\c:\bthbnn.exec:\bthbnn.exe92⤵
-
\??\c:\tnbnnn.exec:\tnbnnn.exe93⤵
-
\??\c:\jvdjj.exec:\jvdjj.exe94⤵
-
\??\c:\ffxxffl.exec:\ffxxffl.exe95⤵
-
\??\c:\lfflffl.exec:\lfflffl.exe96⤵
-
\??\c:\bttttb.exec:\bttttb.exe97⤵
-
\??\c:\bthtbh.exec:\bthtbh.exe98⤵
-
\??\c:\pjjjv.exec:\pjjjv.exe99⤵
-
\??\c:\dvpjp.exec:\dvpjp.exe100⤵
-
\??\c:\xlxxxxf.exec:\xlxxxxf.exe101⤵
-
\??\c:\9fxflxl.exec:\9fxflxl.exe102⤵
-
\??\c:\btthhn.exec:\btthhn.exe103⤵
-
\??\c:\7ttbnh.exec:\7ttbnh.exe104⤵
-
\??\c:\ppdpd.exec:\ppdpd.exe105⤵
-
\??\c:\djjjj.exec:\djjjj.exe106⤵
-
\??\c:\5flllll.exec:\5flllll.exe107⤵
-
\??\c:\httttn.exec:\httttn.exe108⤵
-
\??\c:\btbhhh.exec:\btbhhh.exe109⤵
-
\??\c:\jdpjp.exec:\jdpjp.exe110⤵
-
\??\c:\9dvdj.exec:\9dvdj.exe111⤵
-
\??\c:\xrrlxxx.exec:\xrrlxxx.exe112⤵
-
\??\c:\tnttbt.exec:\tnttbt.exe113⤵
-
\??\c:\tthttt.exec:\tthttt.exe114⤵
-
\??\c:\vjppv.exec:\vjppv.exe115⤵
-
\??\c:\djpvp.exec:\djpvp.exe116⤵
-
\??\c:\lxxrxfl.exec:\lxxrxfl.exe117⤵
-
\??\c:\rllfxxf.exec:\rllfxxf.exe118⤵
-
\??\c:\thbhhn.exec:\thbhhn.exe119⤵
-
\??\c:\tnhnhh.exec:\tnhnhh.exe120⤵
-
\??\c:\btttbh.exec:\btttbh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-