Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
22-11-2024 13:06
General
-
Target
7e29ae72be0d6b0ecfa2f32417015932bca32ce2807fc95b2d151b24e2d27e54N.exe
-
Size
88KB
-
MD5
3ba83c9a96a914bb6030d2b7f50a6e00
-
SHA1
4f60f6cfaa9edaecaeb89c64d9e436fc51b07526
-
SHA256
7e29ae72be0d6b0ecfa2f32417015932bca32ce2807fc95b2d151b24e2d27e54
-
SHA512
294a924bedbac134017992666f3da414fe7dfcf1d09200df55bdcc9126691a6933d4481f8009ff4ba6c6acd5531b92dca2edca4fdaf5a232d42afe1aef51cd92
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoAXPfgr2hKmdbcPi2vhdWl:ymb3NkkiQ3mdBjFo6Pfgy3dbc/hdWl
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 18 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7e29ae72be0d6b0ecfa2f32417015932bca32ce2807fc95b2d151b24e2d27e54N.exe"C:\Users\Admin\AppData\Local\Temp\7e29ae72be0d6b0ecfa2f32417015932bca32ce2807fc95b2d151b24e2d27e54N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbn04.exec:\bnbn04.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o468680.exec:\o468680.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2289lfx.exec:\2289lfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdddp.exec:\pdddp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6428480.exec:\6428480.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\608024.exec:\608024.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\842640.exec:\842640.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\464240.exec:\464240.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrxxfx.exec:\xrrxxfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0006020.exec:\0006020.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8840886.exec:\8840886.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\864062.exec:\864062.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflxxlr.exec:\xflxxlr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tbthb.exec:\5tbthb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\864066.exec:\864066.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdjp.exec:\vpdjp.exe17⤵
- Executes dropped EXE
-
\??\c:\224060.exec:\224060.exe18⤵
- Executes dropped EXE
-
\??\c:\htbnbn.exec:\htbnbn.exe19⤵
- Executes dropped EXE
-
\??\c:\5pddp.exec:\5pddp.exe20⤵
- Executes dropped EXE
-
\??\c:\5lxrrxf.exec:\5lxrrxf.exe21⤵
- Executes dropped EXE
-
\??\c:\bnbbbt.exec:\bnbbbt.exe22⤵
- Executes dropped EXE
-
\??\c:\nhnttb.exec:\nhnttb.exe23⤵
- Executes dropped EXE
-
\??\c:\7xxlxfr.exec:\7xxlxfr.exe24⤵
- Executes dropped EXE
-
\??\c:\1vpjp.exec:\1vpjp.exe25⤵
- Executes dropped EXE
-
\??\c:\1rxlxfr.exec:\1rxlxfr.exe26⤵
- Executes dropped EXE
-
\??\c:\420008.exec:\420008.exe27⤵
- Executes dropped EXE
-
\??\c:\86662.exec:\86662.exe28⤵
- Executes dropped EXE
-
\??\c:\w84288.exec:\w84288.exe29⤵
- Executes dropped EXE
-
\??\c:\bnhtbh.exec:\bnhtbh.exe30⤵
- Executes dropped EXE
-
\??\c:\hhtthh.exec:\hhtthh.exe31⤵
- Executes dropped EXE
-
\??\c:\4286044.exec:\4286044.exe32⤵
- Executes dropped EXE
-
\??\c:\2404402.exec:\2404402.exe33⤵
- Executes dropped EXE
-
\??\c:\480628.exec:\480628.exe34⤵
- Executes dropped EXE
-
\??\c:\9xxfxll.exec:\9xxfxll.exe35⤵
- Executes dropped EXE
-
\??\c:\7pjpp.exec:\7pjpp.exe36⤵
- Executes dropped EXE
-
\??\c:\604204.exec:\604204.exe37⤵
- Executes dropped EXE
-
\??\c:\o480224.exec:\o480224.exe38⤵
- Executes dropped EXE
-
\??\c:\80282.exec:\80282.exe39⤵
- Executes dropped EXE
-
\??\c:\g2062.exec:\g2062.exe40⤵
- Executes dropped EXE
-
\??\c:\q86406.exec:\q86406.exe41⤵
- Executes dropped EXE
-
\??\c:\pjpjv.exec:\pjpjv.exe42⤵
- Executes dropped EXE
-
\??\c:\486884.exec:\486884.exe43⤵
- Executes dropped EXE
-
\??\c:\7pjjp.exec:\7pjjp.exe44⤵
- Executes dropped EXE
-
\??\c:\860284.exec:\860284.exe45⤵
- Executes dropped EXE
-
\??\c:\m8664.exec:\m8664.exe46⤵
- Executes dropped EXE
-
\??\c:\2224460.exec:\2224460.exe47⤵
- Executes dropped EXE
-
\??\c:\3frxrlx.exec:\3frxrlx.exe48⤵
- Executes dropped EXE
-
\??\c:\6624246.exec:\6624246.exe49⤵
- Executes dropped EXE
-
\??\c:\042084.exec:\042084.exe50⤵
- Executes dropped EXE
-
\??\c:\60846.exec:\60846.exe51⤵
- Executes dropped EXE
-
\??\c:\2640884.exec:\2640884.exe52⤵
- Executes dropped EXE
-
\??\c:\7jjdj.exec:\7jjdj.exe53⤵
- Executes dropped EXE
-
\??\c:\7dpdp.exec:\7dpdp.exe54⤵
- Executes dropped EXE
-
\??\c:\20840.exec:\20840.exe55⤵
- Executes dropped EXE
-
\??\c:\vjdpp.exec:\vjdpp.exe56⤵
- Executes dropped EXE
-
\??\c:\frrllxf.exec:\frrllxf.exe57⤵
- Executes dropped EXE
-
\??\c:\00222.exec:\00222.exe58⤵
- Executes dropped EXE
-
\??\c:\bnthtn.exec:\bnthtn.exe59⤵
- Executes dropped EXE
-
\??\c:\pdppv.exec:\pdppv.exe60⤵
- Executes dropped EXE
-
\??\c:\dvjjj.exec:\dvjjj.exe61⤵
- Executes dropped EXE
-
\??\c:\1bbthb.exec:\1bbthb.exe62⤵
- Executes dropped EXE
-
\??\c:\dvvjj.exec:\dvvjj.exe63⤵
- Executes dropped EXE
-
\??\c:\lrffllr.exec:\lrffllr.exe64⤵
- Executes dropped EXE
-
\??\c:\28080.exec:\28080.exe65⤵
- Executes dropped EXE
-
\??\c:\06424.exec:\06424.exe66⤵
-
\??\c:\664022.exec:\664022.exe67⤵
-
\??\c:\u060280.exec:\u060280.exe68⤵
-
\??\c:\xrfrlrf.exec:\xrfrlrf.exe69⤵
-
\??\c:\5vvdj.exec:\5vvdj.exe70⤵
-
\??\c:\fxrrlrf.exec:\fxrrlrf.exe71⤵
-
\??\c:\dvdpv.exec:\dvdpv.exe72⤵
-
\??\c:\6048884.exec:\6048884.exe73⤵
-
\??\c:\8248800.exec:\8248800.exe74⤵
-
\??\c:\fxxlxrx.exec:\fxxlxrx.exe75⤵
-
\??\c:\864640.exec:\864640.exe76⤵
-
\??\c:\6860862.exec:\6860862.exe77⤵
-
\??\c:\0004866.exec:\0004866.exe78⤵
-
\??\c:\djpvd.exec:\djpvd.exe79⤵
-
\??\c:\rfrflfl.exec:\rfrflfl.exe80⤵
-
\??\c:\6022846.exec:\6022846.exe81⤵
-
\??\c:\ffxrlrx.exec:\ffxrlrx.exe82⤵
-
\??\c:\hbnnbh.exec:\hbnnbh.exe83⤵
-
\??\c:\82686.exec:\82686.exe84⤵
-
\??\c:\48662.exec:\48662.exe85⤵
-
\??\c:\420200.exec:\420200.exe86⤵
-
\??\c:\bhbhht.exec:\bhbhht.exe87⤵
-
\??\c:\26464.exec:\26464.exe88⤵
-
\??\c:\pdjjj.exec:\pdjjj.exe89⤵
-
\??\c:\82400.exec:\82400.exe90⤵
-
\??\c:\266848.exec:\266848.exe91⤵
-
\??\c:\jvjjp.exec:\jvjjp.exe92⤵
-
\??\c:\ddppd.exec:\ddppd.exe93⤵
-
\??\c:\frfrxrf.exec:\frfrxrf.exe94⤵
-
\??\c:\4822802.exec:\4822802.exe95⤵
-
\??\c:\jjdjd.exec:\jjdjd.exe96⤵
-
\??\c:\9vpvd.exec:\9vpvd.exe97⤵
-
\??\c:\ppppp.exec:\ppppp.exe98⤵
-
\??\c:\pddjp.exec:\pddjp.exe99⤵
-
\??\c:\26668.exec:\26668.exe100⤵
-
\??\c:\ffrflll.exec:\ffrflll.exe101⤵
-
\??\c:\dpvdp.exec:\dpvdp.exe102⤵
-
\??\c:\5nhhbb.exec:\5nhhbb.exe103⤵
-
\??\c:\86480.exec:\86480.exe104⤵
-
\??\c:\208606.exec:\208606.exe105⤵
-
\??\c:\1pdvd.exec:\1pdvd.exe106⤵
-
\??\c:\5llxfff.exec:\5llxfff.exe107⤵
-
\??\c:\vjpvd.exec:\vjpvd.exe108⤵
-
\??\c:\8022222.exec:\8022222.exe109⤵
-
\??\c:\vppjj.exec:\vppjj.exe110⤵
-
\??\c:\lxllxfl.exec:\lxllxfl.exe111⤵
-
\??\c:\6086428.exec:\6086428.exe112⤵
-
\??\c:\042406.exec:\042406.exe113⤵
-
\??\c:\648866.exec:\648866.exe114⤵
-
\??\c:\5lrrxxx.exec:\5lrrxxx.exe115⤵
- System Location Discovery: System Language Discovery
-
\??\c:\jdvjv.exec:\jdvjv.exe116⤵
-
\??\c:\o800062.exec:\o800062.exe117⤵
-
\??\c:\xrlrlxr.exec:\xrlrlxr.exe118⤵
-
\??\c:\82068.exec:\82068.exe119⤵
-
\??\c:\bhhnhb.exec:\bhhnhb.exe120⤵
-
\??\c:\vpvjv.exec:\vpvjv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-