Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
22-11-2024 14:37
General
-
Target
e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff.exe
-
Size
384KB
-
MD5
0ada576629d2a2c79ab1cafcf823718c
-
SHA1
6dde40cdbd6857ffc06569bdf9b9c8b5978c6046
-
SHA256
e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff
-
SHA512
9567227eb22f308cde4f42a5f6a271ea2ae314c4d6593fd436bd17a9039e9781041d68667eada4122431bff99364089c4efe0acfc4a662bc05d8476bdd763610
-
SSDEEP
3072:8hOm2sI93UufdC67cimD5t251UrRE9TTFw41/t49:8cm7ImGddXmNt251UriZFwkS
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 44 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 46 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff.exe"C:\Users\Admin\AppData\Local\Temp\e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbtbh.exec:\ntbtbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w86860.exec:\w86860.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\066060.exec:\066060.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\btthnh.exec:\btthnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\420628.exec:\420628.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6024662.exec:\6024662.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\w86682.exec:\w86682.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0480280.exec:\0480280.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a4286.exec:\a4286.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjjv.exec:\jvjjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\48622.exec:\48622.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08406.exec:\08406.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\k24404.exec:\k24404.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpvd.exec:\jdpvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k48466.exec:\k48466.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\060680.exec:\060680.exe17⤵
- Executes dropped EXE
-
\??\c:\1xllrxl.exec:\1xllrxl.exe18⤵
- Executes dropped EXE
-
\??\c:\8802064.exec:\8802064.exe19⤵
- Executes dropped EXE
-
\??\c:\g8684.exec:\g8684.exe20⤵
- Executes dropped EXE
-
\??\c:\jjdpv.exec:\jjdpv.exe21⤵
- Executes dropped EXE
-
\??\c:\5llrfrx.exec:\5llrfrx.exe22⤵
- Executes dropped EXE
-
\??\c:\c864846.exec:\c864846.exe23⤵
- Executes dropped EXE
-
\??\c:\000064.exec:\000064.exe24⤵
- Executes dropped EXE
-
\??\c:\7rllxrx.exec:\7rllxrx.exe25⤵
- Executes dropped EXE
-
\??\c:\jjpjj.exec:\jjpjj.exe26⤵
- Executes dropped EXE
-
\??\c:\02028.exec:\02028.exe27⤵
- Executes dropped EXE
-
\??\c:\0862828.exec:\0862828.exe28⤵
- Executes dropped EXE
-
\??\c:\6404006.exec:\6404006.exe29⤵
- Executes dropped EXE
-
\??\c:\208466.exec:\208466.exe30⤵
- Executes dropped EXE
-
\??\c:\jjjdp.exec:\jjjdp.exe31⤵
- Executes dropped EXE
-
\??\c:\e26684.exec:\e26684.exe32⤵
- Executes dropped EXE
-
\??\c:\3jddp.exec:\3jddp.exe33⤵
- Executes dropped EXE
-
\??\c:\5bnhtn.exec:\5bnhtn.exe34⤵
- Executes dropped EXE
-
\??\c:\82288.exec:\82288.exe35⤵
- Executes dropped EXE
-
\??\c:\8606888.exec:\8606888.exe36⤵
- Executes dropped EXE
-
\??\c:\824082.exec:\824082.exe37⤵
- Executes dropped EXE
-
\??\c:\fxrxflf.exec:\fxrxflf.exe38⤵
- Executes dropped EXE
-
\??\c:\0424286.exec:\0424286.exe39⤵
- Executes dropped EXE
-
\??\c:\3jppv.exec:\3jppv.exe40⤵
- Executes dropped EXE
-
\??\c:\6044068.exec:\6044068.exe41⤵
- Executes dropped EXE
-
\??\c:\llfflrx.exec:\llfflrx.exe42⤵
- Executes dropped EXE
-
\??\c:\4246626.exec:\4246626.exe43⤵
- Executes dropped EXE
-
\??\c:\4284444.exec:\4284444.exe44⤵
- Executes dropped EXE
-
\??\c:\5tnttb.exec:\5tnttb.exe45⤵
- Executes dropped EXE
-
\??\c:\q82028.exec:\q82028.exe46⤵
- Executes dropped EXE
-
\??\c:\208062.exec:\208062.exe47⤵
- Executes dropped EXE
-
\??\c:\q68466.exec:\q68466.exe48⤵
- Executes dropped EXE
-
\??\c:\646248.exec:\646248.exe49⤵
- Executes dropped EXE
-
\??\c:\7xrrlxr.exec:\7xrrlxr.exe50⤵
- Executes dropped EXE
-
\??\c:\1pvvv.exec:\1pvvv.exe51⤵
- Executes dropped EXE
-
\??\c:\k64400.exec:\k64400.exe52⤵
- Executes dropped EXE
-
\??\c:\7thhhn.exec:\7thhhn.exe53⤵
- Executes dropped EXE
-
\??\c:\rlxrfll.exec:\rlxrfll.exe54⤵
- Executes dropped EXE
-
\??\c:\884428.exec:\884428.exe55⤵
- Executes dropped EXE
-
\??\c:\86266.exec:\86266.exe56⤵
- Executes dropped EXE
-
\??\c:\3hhbhb.exec:\3hhbhb.exe57⤵
- Executes dropped EXE
-
\??\c:\208406.exec:\208406.exe58⤵
- Executes dropped EXE
-
\??\c:\vpdpv.exec:\vpdpv.exe59⤵
- Executes dropped EXE
-
\??\c:\vpdjj.exec:\vpdjj.exe60⤵
- Executes dropped EXE
-
\??\c:\vjppv.exec:\vjppv.exe61⤵
- Executes dropped EXE
-
\??\c:\pdddj.exec:\pdddj.exe62⤵
- Executes dropped EXE
-
\??\c:\e24022.exec:\e24022.exe63⤵
- Executes dropped EXE
-
\??\c:\048468.exec:\048468.exe64⤵
- Executes dropped EXE
-
\??\c:\9flflfl.exec:\9flflfl.exe65⤵
- Executes dropped EXE
-
\??\c:\64224.exec:\64224.exe66⤵
-
\??\c:\086840.exec:\086840.exe67⤵
-
\??\c:\vpjpp.exec:\vpjpp.exe68⤵
-
\??\c:\rrffxxl.exec:\rrffxxl.exe69⤵
-
\??\c:\608088.exec:\608088.exe70⤵
-
\??\c:\7bhhnt.exec:\7bhhnt.exe71⤵
-
\??\c:\nnnttb.exec:\nnnttb.exe72⤵
-
\??\c:\hbtnhn.exec:\hbtnhn.exe73⤵
-
\??\c:\486240.exec:\486240.exe74⤵
-
\??\c:\8282224.exec:\8282224.exe75⤵
-
\??\c:\080684.exec:\080684.exe76⤵
-
\??\c:\dvjpd.exec:\dvjpd.exe77⤵
-
\??\c:\jdvvj.exec:\jdvvj.exe78⤵
-
\??\c:\5btbhb.exec:\5btbhb.exe79⤵
-
\??\c:\vvpjj.exec:\vvpjj.exe80⤵
-
\??\c:\60240.exec:\60240.exe81⤵
-
\??\c:\4800228.exec:\4800228.exe82⤵
-
\??\c:\20262.exec:\20262.exe83⤵
-
\??\c:\1frxxxf.exec:\1frxxxf.exe84⤵
-
\??\c:\480062.exec:\480062.exe85⤵
-
\??\c:\thhbnn.exec:\thhbnn.exe86⤵
-
\??\c:\fllrffl.exec:\fllrffl.exe87⤵
-
\??\c:\9lffllr.exec:\9lffllr.exe88⤵
-
\??\c:\rlfffrx.exec:\rlfffrx.exe89⤵
-
\??\c:\ppdjj.exec:\ppdjj.exe90⤵
-
\??\c:\ttbhhn.exec:\ttbhhn.exe91⤵
-
\??\c:\ffrxrfr.exec:\ffrxrfr.exe92⤵
-
\??\c:\88628.exec:\88628.exe93⤵
-
\??\c:\a6024.exec:\a6024.exe94⤵
-
\??\c:\9vvdp.exec:\9vvdp.exe95⤵
-
\??\c:\bbtbtb.exec:\bbtbtb.exe96⤵
-
\??\c:\60824.exec:\60824.exe97⤵
-
\??\c:\e26200.exec:\e26200.exe98⤵
-
\??\c:\rxxxrxr.exec:\rxxxrxr.exe99⤵
-
\??\c:\rfrxllf.exec:\rfrxllf.exe100⤵
-
\??\c:\442868.exec:\442868.exe101⤵
-
\??\c:\tththn.exec:\tththn.exe102⤵
-
\??\c:\m8624.exec:\m8624.exe103⤵
-
\??\c:\9vpdp.exec:\9vpdp.exe104⤵
-
\??\c:\3frxflr.exec:\3frxflr.exe105⤵
-
\??\c:\608040.exec:\608040.exe106⤵
-
\??\c:\xxxlxxl.exec:\xxxlxxl.exe107⤵
-
\??\c:\ddvdj.exec:\ddvdj.exe108⤵
-
\??\c:\jvjpp.exec:\jvjpp.exe109⤵
-
\??\c:\ttnhth.exec:\ttnhth.exe110⤵
-
\??\c:\w60684.exec:\w60684.exe111⤵
-
\??\c:\g6402.exec:\g6402.exe112⤵
-
\??\c:\860622.exec:\860622.exe113⤵
-
\??\c:\m6064.exec:\m6064.exe114⤵
-
\??\c:\008806.exec:\008806.exe115⤵
-
\??\c:\4426882.exec:\4426882.exe116⤵
-
\??\c:\04686.exec:\04686.exe117⤵
-
\??\c:\882406.exec:\882406.exe118⤵
-
\??\c:\480206.exec:\480206.exe119⤵
-
\??\c:\224644.exec:\224644.exe120⤵
-
\??\c:\28488.exec:\28488.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-