Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-11-2024 09:04
General
-
Target
c6c4c9e56c0e4c526e57e9229474e1a231b4037971cebb38440a0e286dd75379.exe
-
Size
91KB
-
MD5
f66665e8915c3d3682adc114cd97f658
-
SHA1
790d90a518b13d1abd9356b21b34d84257ff9b30
-
SHA256
c6c4c9e56c0e4c526e57e9229474e1a231b4037971cebb38440a0e286dd75379
-
SHA512
433dff41a794073667047e34048dd625f0f2cab5757f43d17e98b65a5b188ce83cd1e94e11deaa2210c08f0187e1c9b96bb23b8f28bfedadf3d57a7b4cbbf90b
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8yaVskCzYBbKd+XsWgADUOj2YUW+S436CS:9hOmTsF93UYfwC6GIoutyaVszyKd+XYM
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 60 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6c4c9e56c0e4c526e57e9229474e1a231b4037971cebb38440a0e286dd75379.exe"C:\Users\Admin\AppData\Local\Temp\c6c4c9e56c0e4c526e57e9229474e1a231b4037971cebb38440a0e286dd75379.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllxfl.exec:\fxllxfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdj.exec:\dvjdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjjd.exec:\jjjjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffllrrf.exec:\ffllrrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9btthh.exec:\9btthh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnttb.exec:\nnnttb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpjp.exec:\ddpjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjjv.exec:\ppjjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlflrxl.exec:\rlflrxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbhbn.exec:\nnbhbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvpv.exec:\vvvpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdjp.exec:\pjdjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrrxxf.exec:\xxrrxxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9fxrxrf.exec:\9fxrxrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrffllr.exec:\rrffllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhthnt.exec:\hhthnt.exe17⤵
- Executes dropped EXE
-
\??\c:\7nhnnt.exec:\7nhnnt.exe18⤵
- Executes dropped EXE
-
\??\c:\jjpvd.exec:\jjpvd.exe19⤵
- Executes dropped EXE
-
\??\c:\ffxfxfr.exec:\ffxfxfr.exe20⤵
- Executes dropped EXE
-
\??\c:\3bbthb.exec:\3bbthb.exe21⤵
- Executes dropped EXE
-
\??\c:\jpppd.exec:\jpppd.exe22⤵
- Executes dropped EXE
-
\??\c:\djdvv.exec:\djdvv.exe23⤵
- Executes dropped EXE
-
\??\c:\rlxlffl.exec:\rlxlffl.exe24⤵
- Executes dropped EXE
-
\??\c:\nhbhtb.exec:\nhbhtb.exe25⤵
- Executes dropped EXE
-
\??\c:\5jdvv.exec:\5jdvv.exe26⤵
- Executes dropped EXE
-
\??\c:\9rflrrx.exec:\9rflrrx.exe27⤵
- Executes dropped EXE
-
\??\c:\nbhbhb.exec:\nbhbhb.exe28⤵
- Executes dropped EXE
-
\??\c:\7djpp.exec:\7djpp.exe29⤵
- Executes dropped EXE
-
\??\c:\vjvvv.exec:\vjvvv.exe30⤵
- Executes dropped EXE
-
\??\c:\9rlflll.exec:\9rlflll.exe31⤵
- Executes dropped EXE
-
\??\c:\1btbbh.exec:\1btbbh.exe32⤵
- Executes dropped EXE
-
\??\c:\9nnbbb.exec:\9nnbbb.exe33⤵
- Executes dropped EXE
-
\??\c:\ppjvd.exec:\ppjvd.exe34⤵
- Executes dropped EXE
-
\??\c:\xrfxrrr.exec:\xrfxrrr.exe35⤵
- Executes dropped EXE
-
\??\c:\xlrlllr.exec:\xlrlllr.exe36⤵
- Executes dropped EXE
-
\??\c:\tnttbb.exec:\tnttbb.exe37⤵
- Executes dropped EXE
-
\??\c:\jvdjj.exec:\jvdjj.exe38⤵
- Executes dropped EXE
-
\??\c:\ddpjp.exec:\ddpjp.exe39⤵
- Executes dropped EXE
-
\??\c:\xrlrffr.exec:\xrlrffr.exe40⤵
- Executes dropped EXE
-
\??\c:\3lrxfll.exec:\3lrxfll.exe41⤵
- Executes dropped EXE
-
\??\c:\nhnbnn.exec:\nhnbnn.exe42⤵
- Executes dropped EXE
-
\??\c:\pvjpd.exec:\pvjpd.exe43⤵
- Executes dropped EXE
-
\??\c:\llffflr.exec:\llffflr.exe44⤵
- Executes dropped EXE
-
\??\c:\lfxxfll.exec:\lfxxfll.exe45⤵
- Executes dropped EXE
-
\??\c:\1tttbb.exec:\1tttbb.exe46⤵
- Executes dropped EXE
-
\??\c:\pddvv.exec:\pddvv.exe47⤵
- Executes dropped EXE
-
\??\c:\9frffxl.exec:\9frffxl.exe48⤵
- Executes dropped EXE
-
\??\c:\rffflfr.exec:\rffflfr.exe49⤵
- Executes dropped EXE
-
\??\c:\nbnnnn.exec:\nbnnnn.exe50⤵
- Executes dropped EXE
-
\??\c:\btbthn.exec:\btbthn.exe51⤵
- Executes dropped EXE
-
\??\c:\pdpvj.exec:\pdpvj.exe52⤵
- Executes dropped EXE
-
\??\c:\vdpjp.exec:\vdpjp.exe53⤵
- Executes dropped EXE
-
\??\c:\lxfflrl.exec:\lxfflrl.exe54⤵
- Executes dropped EXE
-
\??\c:\3hbhnn.exec:\3hbhnn.exe55⤵
- Executes dropped EXE
-
\??\c:\3thnnt.exec:\3thnnt.exe56⤵
- Executes dropped EXE
-
\??\c:\jvpjj.exec:\jvpjj.exe57⤵
- Executes dropped EXE
-
\??\c:\9rffrxf.exec:\9rffrxf.exe58⤵
- Executes dropped EXE
-
\??\c:\rffffll.exec:\rffffll.exe59⤵
- Executes dropped EXE
-
\??\c:\9xllxfl.exec:\9xllxfl.exe60⤵
- Executes dropped EXE
-
\??\c:\nbhnnn.exec:\nbhnnn.exe61⤵
- Executes dropped EXE
-
\??\c:\vpvjd.exec:\vpvjd.exe62⤵
- Executes dropped EXE
-
\??\c:\lxlllrx.exec:\lxlllrx.exe63⤵
- Executes dropped EXE
-
\??\c:\nhhnhb.exec:\nhhnhb.exe64⤵
- Executes dropped EXE
-
\??\c:\nbnnhn.exec:\nbnnhn.exe65⤵
- Executes dropped EXE
-
\??\c:\pjdjj.exec:\pjdjj.exe66⤵
-
\??\c:\llffxrl.exec:\llffxrl.exe67⤵
-
\??\c:\rfllxff.exec:\rfllxff.exe68⤵
-
\??\c:\hntbbb.exec:\hntbbb.exe69⤵
-
\??\c:\vpjpd.exec:\vpjpd.exe70⤵
-
\??\c:\3lrfflr.exec:\3lrfflr.exe71⤵
-
\??\c:\7rrfxfl.exec:\7rrfxfl.exe72⤵
-
\??\c:\7bhnbb.exec:\7bhnbb.exe73⤵
-
\??\c:\hhbhnn.exec:\hhbhnn.exe74⤵
-
\??\c:\pdpvv.exec:\pdpvv.exe75⤵
-
\??\c:\rllrlfx.exec:\rllrlfx.exe76⤵
-
\??\c:\7rrlfxx.exec:\7rrlfxx.exe77⤵
-
\??\c:\bbnhhb.exec:\bbnhhb.exe78⤵
-
\??\c:\9vpvp.exec:\9vpvp.exe79⤵
-
\??\c:\1ddjd.exec:\1ddjd.exe80⤵
-
\??\c:\ffflxrr.exec:\ffflxrr.exe81⤵
-
\??\c:\hbttbt.exec:\hbttbt.exe82⤵
-
\??\c:\httthb.exec:\httthb.exe83⤵
-
\??\c:\9vvjd.exec:\9vvjd.exe84⤵
-
\??\c:\pjdpj.exec:\pjdpj.exe85⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xrlrrlr.exec:\xrlrrlr.exe86⤵
-
\??\c:\fxlflll.exec:\fxlflll.exe87⤵
-
\??\c:\nbhbhh.exec:\nbhbhh.exe88⤵
-
\??\c:\nnhthb.exec:\nnhthb.exe89⤵
-
\??\c:\vpddj.exec:\vpddj.exe90⤵
-
\??\c:\1pvvv.exec:\1pvvv.exe91⤵
-
\??\c:\llxxffl.exec:\llxxffl.exe92⤵
-
\??\c:\xlrrffl.exec:\xlrrffl.exe93⤵
-
\??\c:\nbnthb.exec:\nbnthb.exe94⤵
-
\??\c:\7nttbb.exec:\7nttbb.exe95⤵
-
\??\c:\hhbhtb.exec:\hhbhtb.exe96⤵
-
\??\c:\jpdjd.exec:\jpdjd.exe97⤵
-
\??\c:\djvvd.exec:\djvvd.exe98⤵
-
\??\c:\frflxfl.exec:\frflxfl.exe99⤵
-
\??\c:\rlxlxxl.exec:\rlxlxxl.exe100⤵
-
\??\c:\3bhnnt.exec:\3bhnnt.exe101⤵
-
\??\c:\1vdvv.exec:\1vdvv.exe102⤵
-
\??\c:\pdjdj.exec:\pdjdj.exe103⤵
-
\??\c:\frfllrx.exec:\frfllrx.exe104⤵
- System Location Discovery: System Language Discovery
-
\??\c:\lfrxrlr.exec:\lfrxrlr.exe105⤵
-
\??\c:\tnbhnt.exec:\tnbhnt.exe106⤵
-
\??\c:\vpjpv.exec:\vpjpv.exe107⤵
-
\??\c:\jvpdd.exec:\jvpdd.exe108⤵
-
\??\c:\lxllrlr.exec:\lxllrlr.exe109⤵
-
\??\c:\bhthbb.exec:\bhthbb.exe110⤵
-
\??\c:\5ntntb.exec:\5ntntb.exe111⤵
-
\??\c:\ddvpp.exec:\ddvpp.exe112⤵
-
\??\c:\pdpdj.exec:\pdpdj.exe113⤵
-
\??\c:\ffffllx.exec:\ffffllx.exe114⤵
-
\??\c:\5xfxxxf.exec:\5xfxxxf.exe115⤵
-
\??\c:\3tbhtb.exec:\3tbhtb.exe116⤵
-
\??\c:\tnbbnn.exec:\tnbbnn.exe117⤵
-
\??\c:\pvjpv.exec:\pvjpv.exe118⤵
-
\??\c:\vpdvd.exec:\vpdvd.exe119⤵
-
\??\c:\lfrrxfx.exec:\lfrrxfx.exe120⤵
-
\??\c:\5xrxxxx.exec:\5xrxxxx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-