Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
22-11-2024 19:39
General
-
Target
0caee27f352a68f9eaaea874441415300bf888984803f0a65117db25cac4c181.exe
-
Size
331KB
-
MD5
0338c99c86b68b6963301fb49170f14c
-
SHA1
a18f6c295f1aeb0c77bb5439d6c4a954fd73957e
-
SHA256
0caee27f352a68f9eaaea874441415300bf888984803f0a65117db25cac4c181
-
SHA512
13a1732b6fe58436abff3366cb369686f37150ffd3c0749a788376c2c6a29860c9217c4bda2cde90ccd4a8c85e6d2c966f808a219b84e9ea300ff6abfb3b0641
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tI:94wFHoStJdSjylh2b77BoTMA9gX59sTg
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 35 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0caee27f352a68f9eaaea874441415300bf888984803f0a65117db25cac4c181.exe"C:\Users\Admin\AppData\Local\Temp\0caee27f352a68f9eaaea874441415300bf888984803f0a65117db25cac4c181.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfflfl.exec:\xrfflfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\484284.exec:\484284.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpdj.exec:\vvpdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\826802.exec:\826802.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\024806.exec:\024806.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxrlfl.exec:\rrxrlfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjjj.exec:\dvjjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhtnh.exec:\hhhtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbhnb.exec:\btbhnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\622446.exec:\622446.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2088846.exec:\2088846.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xlfrxf.exec:\5xlfrxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vpdj.exec:\7vpdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvppj.exec:\pvppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0482600.exec:\0482600.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthtbn.exec:\tthtbn.exe17⤵
- Executes dropped EXE
-
\??\c:\666044.exec:\666044.exe18⤵
- Executes dropped EXE
-
\??\c:\lrlllxf.exec:\lrlllxf.exe19⤵
- Executes dropped EXE
-
\??\c:\046862.exec:\046862.exe20⤵
- Executes dropped EXE
-
\??\c:\tbbhhn.exec:\tbbhhn.exe21⤵
- Executes dropped EXE
-
\??\c:\820684.exec:\820684.exe22⤵
- Executes dropped EXE
-
\??\c:\888086.exec:\888086.exe23⤵
- Executes dropped EXE
-
\??\c:\bhhbbb.exec:\bhhbbb.exe24⤵
- Executes dropped EXE
-
\??\c:\tbnhnb.exec:\tbnhnb.exe25⤵
- Executes dropped EXE
-
\??\c:\448646.exec:\448646.exe26⤵
- Executes dropped EXE
-
\??\c:\hbntbb.exec:\hbntbb.exe27⤵
- Executes dropped EXE
-
\??\c:\thtnnn.exec:\thtnnn.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\vjpvv.exec:\vjpvv.exe29⤵
- Executes dropped EXE
-
\??\c:\vppjj.exec:\vppjj.exe30⤵
- Executes dropped EXE
-
\??\c:\9frrfrx.exec:\9frrfrx.exe31⤵
- Executes dropped EXE
-
\??\c:\42600.exec:\42600.exe32⤵
- Executes dropped EXE
-
\??\c:\vdvvv.exec:\vdvvv.exe33⤵
- Executes dropped EXE
-
\??\c:\bnhthn.exec:\bnhthn.exe34⤵
- Executes dropped EXE
-
\??\c:\608468.exec:\608468.exe35⤵
- Executes dropped EXE
-
\??\c:\2206824.exec:\2206824.exe36⤵
- Executes dropped EXE
-
\??\c:\dpjvj.exec:\dpjvj.exe37⤵
- Executes dropped EXE
-
\??\c:\fxrfrxl.exec:\fxrfrxl.exe38⤵
- Executes dropped EXE
-
\??\c:\42066.exec:\42066.exe39⤵
- Executes dropped EXE
-
\??\c:\1jppd.exec:\1jppd.exe40⤵
- Executes dropped EXE
-
\??\c:\260628.exec:\260628.exe41⤵
- Executes dropped EXE
-
\??\c:\a0622.exec:\a0622.exe42⤵
- Executes dropped EXE
-
\??\c:\1vpvd.exec:\1vpvd.exe43⤵
- Executes dropped EXE
-
\??\c:\602800.exec:\602800.exe44⤵
- Executes dropped EXE
-
\??\c:\1lrflxl.exec:\1lrflxl.exe45⤵
- Executes dropped EXE
-
\??\c:\486228.exec:\486228.exe46⤵
- Executes dropped EXE
-
\??\c:\e64424.exec:\e64424.exe47⤵
- Executes dropped EXE
-
\??\c:\jvvpj.exec:\jvvpj.exe48⤵
- Executes dropped EXE
-
\??\c:\ppjdj.exec:\ppjdj.exe49⤵
- Executes dropped EXE
-
\??\c:\flrrrxl.exec:\flrrrxl.exe50⤵
- Executes dropped EXE
-
\??\c:\tnhnhh.exec:\tnhnhh.exe51⤵
- Executes dropped EXE
-
\??\c:\62820.exec:\62820.exe52⤵
- Executes dropped EXE
-
\??\c:\0408246.exec:\0408246.exe53⤵
- Executes dropped EXE
-
\??\c:\86648.exec:\86648.exe54⤵
- Executes dropped EXE
-
\??\c:\pdvjp.exec:\pdvjp.exe55⤵
- Executes dropped EXE
-
\??\c:\w60240.exec:\w60240.exe56⤵
- Executes dropped EXE
-
\??\c:\62680.exec:\62680.exe57⤵
- Executes dropped EXE
-
\??\c:\1xrfffr.exec:\1xrfffr.exe58⤵
- Executes dropped EXE
-
\??\c:\djpvj.exec:\djpvj.exe59⤵
- Executes dropped EXE
-
\??\c:\0486480.exec:\0486480.exe60⤵
- Executes dropped EXE
-
\??\c:\9ddvj.exec:\9ddvj.exe61⤵
- Executes dropped EXE
-
\??\c:\xrfrxrf.exec:\xrfrxrf.exe62⤵
- Executes dropped EXE
-
\??\c:\bbhtnb.exec:\bbhtnb.exe63⤵
- Executes dropped EXE
-
\??\c:\7thhtt.exec:\7thhtt.exe64⤵
- Executes dropped EXE
-
\??\c:\fxfffrx.exec:\fxfffrx.exe65⤵
- Executes dropped EXE
-
\??\c:\00840.exec:\00840.exe66⤵
-
\??\c:\1tthnn.exec:\1tthnn.exe67⤵
-
\??\c:\hnhthh.exec:\hnhthh.exe68⤵
-
\??\c:\22624.exec:\22624.exe69⤵
-
\??\c:\3dvjj.exec:\3dvjj.exe70⤵
-
\??\c:\7dpjp.exec:\7dpjp.exe71⤵
-
\??\c:\622046.exec:\622046.exe72⤵
-
\??\c:\vjjvd.exec:\vjjvd.exe73⤵
-
\??\c:\vpdpd.exec:\vpdpd.exe74⤵
-
\??\c:\vddpp.exec:\vddpp.exe75⤵
-
\??\c:\822862.exec:\822862.exe76⤵
-
\??\c:\g4224.exec:\g4224.exe77⤵
-
\??\c:\i048448.exec:\i048448.exe78⤵
-
\??\c:\48068.exec:\48068.exe79⤵
-
\??\c:\6006468.exec:\6006468.exe80⤵
-
\??\c:\828028.exec:\828028.exe81⤵
-
\??\c:\648406.exec:\648406.exe82⤵
-
\??\c:\8206808.exec:\8206808.exe83⤵
-
\??\c:\428806.exec:\428806.exe84⤵
-
\??\c:\848466.exec:\848466.exe85⤵
-
\??\c:\24486.exec:\24486.exe86⤵
-
\??\c:\0442026.exec:\0442026.exe87⤵
-
\??\c:\a6020.exec:\a6020.exe88⤵
-
\??\c:\jjdvj.exec:\jjdvj.exe89⤵
-
\??\c:\ttnbbt.exec:\ttnbbt.exe90⤵
-
\??\c:\6840842.exec:\6840842.exe91⤵
-
\??\c:\pdppp.exec:\pdppp.exe92⤵
-
\??\c:\4802402.exec:\4802402.exe93⤵
-
\??\c:\lfxlrfl.exec:\lfxlrfl.exe94⤵
-
\??\c:\48246.exec:\48246.exe95⤵
-
\??\c:\u888844.exec:\u888844.exe96⤵
-
\??\c:\60408.exec:\60408.exe97⤵
-
\??\c:\8246024.exec:\8246024.exe98⤵
-
\??\c:\pjvdv.exec:\pjvdv.exe99⤵
-
\??\c:\lllxrlx.exec:\lllxrlx.exe100⤵
-
\??\c:\hbbthh.exec:\hbbthh.exe101⤵
-
\??\c:\66426.exec:\66426.exe102⤵
-
\??\c:\tthnhh.exec:\tthnhh.exe103⤵
-
\??\c:\4428660.exec:\4428660.exe104⤵
-
\??\c:\9fxllrl.exec:\9fxllrl.exe105⤵
-
\??\c:\rfllrfr.exec:\rfllrfr.exe106⤵
-
\??\c:\062664.exec:\062664.exe107⤵
-
\??\c:\tnhnhn.exec:\tnhnhn.exe108⤵
-
\??\c:\1bbtbh.exec:\1bbtbh.exe109⤵
-
\??\c:\xrxxlrf.exec:\xrxxlrf.exe110⤵
-
\??\c:\840288.exec:\840288.exe111⤵
-
\??\c:\4480802.exec:\4480802.exe112⤵
-
\??\c:\vvpvp.exec:\vvpvp.exe113⤵
-
\??\c:\5bntbh.exec:\5bntbh.exe114⤵
-
\??\c:\26402.exec:\26402.exe115⤵
-
\??\c:\260886.exec:\260886.exe116⤵
-
\??\c:\6822446.exec:\6822446.exe117⤵
-
\??\c:\xxxlfxl.exec:\xxxlfxl.exe118⤵
-
\??\c:\ddvdp.exec:\ddvdp.exe119⤵
-
\??\c:\6442442.exec:\6442442.exe120⤵
-
\??\c:\fxrxlxf.exec:\fxrxlxf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-