Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-11-2024 19:47
General
-
Target
695df4f9eb709628fbaff8fde466997c6373d3efd15bb683bc580d8d60421f15.exe
-
Size
49KB
-
MD5
3b9eedf4db998c4f18a0c7ce94a47e44
-
SHA1
8e68b50ae5c2f8b589727f0c9135da44646f03d8
-
SHA256
695df4f9eb709628fbaff8fde466997c6373d3efd15bb683bc580d8d60421f15
-
SHA512
173fc95204b3924949ee001675e653b40e8cafdc3ef0f9b7e5d9e870067eb55b01c6d62ec5b73ab1740733d0ba7d07a50a066fb636246c48b16ae9808e2dbcfc
-
SSDEEP
1536:mAocdpeVoBDulhzHMb7xNAa04Mcg5bx7DUa:0cdpeeBSHHMHLf9Rybx7D5
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 59 IoCs
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\695df4f9eb709628fbaff8fde466997c6373d3efd15bb683bc580d8d60421f15.exe"C:\Users\Admin\AppData\Local\Temp\695df4f9eb709628fbaff8fde466997c6373d3efd15bb683bc580d8d60421f15.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpvd.exec:\ddpvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhtht.exec:\bhhtht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjdd.exec:\jjjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfrflx.exec:\xrfrflx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9fxxlrx.exec:\9fxxlrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntnhnb.exec:\ntnhnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthbtt.exec:\tthbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdvd.exec:\jjdvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpvv.exec:\jdpvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xxxlrl.exec:\7xxxlrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7htthn.exec:\7htthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvdd.exec:\ppvdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xrxlxl.exec:\7xrxlxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tnttb.exec:\5tnttb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjjp.exec:\dvjjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3djdv.exec:\3djdv.exe17⤵
- Executes dropped EXE
-
\??\c:\ffrlxfl.exec:\ffrlxfl.exe18⤵
- Executes dropped EXE
-
\??\c:\9bbhnh.exec:\9bbhnh.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ttbhhh.exec:\ttbhhh.exe20⤵
- Executes dropped EXE
-
\??\c:\jjpvj.exec:\jjpvj.exe21⤵
- Executes dropped EXE
-
\??\c:\rfrffxx.exec:\rfrffxx.exe22⤵
- Executes dropped EXE
-
\??\c:\btbhbh.exec:\btbhbh.exe23⤵
- Executes dropped EXE
-
\??\c:\djvpp.exec:\djvpp.exe24⤵
- Executes dropped EXE
-
\??\c:\xflfrfr.exec:\xflfrfr.exe25⤵
- Executes dropped EXE
-
\??\c:\7xrrffl.exec:\7xrrffl.exe26⤵
- Executes dropped EXE
-
\??\c:\9nbhnt.exec:\9nbhnt.exe27⤵
- Executes dropped EXE
-
\??\c:\tbtbnh.exec:\tbtbnh.exe28⤵
- Executes dropped EXE
-
\??\c:\vppjp.exec:\vppjp.exe29⤵
- Executes dropped EXE
-
\??\c:\5xxxxff.exec:\5xxxxff.exe30⤵
- Executes dropped EXE
-
\??\c:\bbbtnt.exec:\bbbtnt.exe31⤵
- Executes dropped EXE
-
\??\c:\tbhnhn.exec:\tbhnhn.exe32⤵
- Executes dropped EXE
-
\??\c:\3dvpv.exec:\3dvpv.exe33⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe34⤵
- Executes dropped EXE
-
\??\c:\flxfrxf.exec:\flxfrxf.exe35⤵
- Executes dropped EXE
-
\??\c:\7lfrxxl.exec:\7lfrxxl.exe36⤵
- Executes dropped EXE
-
\??\c:\hbhhtt.exec:\hbhhtt.exe37⤵
- Executes dropped EXE
-
\??\c:\dddjp.exec:\dddjp.exe38⤵
- Executes dropped EXE
-
\??\c:\pjpvj.exec:\pjpvj.exe39⤵
- Executes dropped EXE
-
\??\c:\fxlflll.exec:\fxlflll.exe40⤵
- Executes dropped EXE
-
\??\c:\1rlrrlr.exec:\1rlrrlr.exe41⤵
- Executes dropped EXE
-
\??\c:\ttnbnt.exec:\ttnbnt.exe42⤵
- Executes dropped EXE
-
\??\c:\bbnhtt.exec:\bbnhtt.exe43⤵
- Executes dropped EXE
-
\??\c:\5vvpp.exec:\5vvpp.exe44⤵
- Executes dropped EXE
-
\??\c:\lfrxxxx.exec:\lfrxxxx.exe45⤵
- Executes dropped EXE
-
\??\c:\5tttbb.exec:\5tttbb.exe46⤵
- Executes dropped EXE
-
\??\c:\1nhhht.exec:\1nhhht.exe47⤵
- Executes dropped EXE
-
\??\c:\jjdpv.exec:\jjdpv.exe48⤵
- Executes dropped EXE
-
\??\c:\1ffrlfx.exec:\1ffrlfx.exe49⤵
- Executes dropped EXE
-
\??\c:\9rrfrfr.exec:\9rrfrfr.exe50⤵
- Executes dropped EXE
-
\??\c:\xrlxrll.exec:\xrlxrll.exe51⤵
- Executes dropped EXE
-
\??\c:\bbnbhh.exec:\bbnbhh.exe52⤵
- Executes dropped EXE
-
\??\c:\jdppv.exec:\jdppv.exe53⤵
- Executes dropped EXE
-
\??\c:\jpdpd.exec:\jpdpd.exe54⤵
- Executes dropped EXE
-
\??\c:\ppjpp.exec:\ppjpp.exe55⤵
- Executes dropped EXE
-
\??\c:\1rrfrfl.exec:\1rrfrfl.exe56⤵
- Executes dropped EXE
-
\??\c:\btbhnh.exec:\btbhnh.exe57⤵
- Executes dropped EXE
-
\??\c:\tttbtb.exec:\tttbtb.exe58⤵
- Executes dropped EXE
-
\??\c:\vddpd.exec:\vddpd.exe59⤵
- Executes dropped EXE
-
\??\c:\ddpvd.exec:\ddpvd.exe60⤵
- Executes dropped EXE
-
\??\c:\ffxllrx.exec:\ffxllrx.exe61⤵
- Executes dropped EXE
-
\??\c:\frxxlxf.exec:\frxxlxf.exe62⤵
- Executes dropped EXE
-
\??\c:\hhtbhh.exec:\hhtbhh.exe63⤵
- Executes dropped EXE
-
\??\c:\hbtntt.exec:\hbtntt.exe64⤵
- Executes dropped EXE
-
\??\c:\jjdjp.exec:\jjdjp.exe65⤵
- Executes dropped EXE
-
\??\c:\9vdpv.exec:\9vdpv.exe66⤵
-
\??\c:\5lflxxx.exec:\5lflxxx.exe67⤵
-
\??\c:\5rxfxfx.exec:\5rxfxfx.exe68⤵
-
\??\c:\hnnbbt.exec:\hnnbbt.exe69⤵
-
\??\c:\pjpjp.exec:\pjpjp.exe70⤵
-
\??\c:\jdvvd.exec:\jdvvd.exe71⤵
-
\??\c:\1pddp.exec:\1pddp.exe72⤵
-
\??\c:\xllxxrl.exec:\xllxxrl.exe73⤵
-
\??\c:\xllxlfx.exec:\xllxlfx.exe74⤵
-
\??\c:\ttthtb.exec:\ttthtb.exe75⤵
-
\??\c:\nhbnnh.exec:\nhbnnh.exe76⤵
-
\??\c:\ppjpp.exec:\ppjpp.exe77⤵
-
\??\c:\dppjp.exec:\dppjp.exe78⤵
-
\??\c:\1rxxflr.exec:\1rxxflr.exe79⤵
-
\??\c:\3rlrxfl.exec:\3rlrxfl.exe80⤵
-
\??\c:\tthnbh.exec:\tthnbh.exe81⤵
-
\??\c:\ttnhnn.exec:\ttnhnn.exe82⤵
-
\??\c:\5ddjp.exec:\5ddjp.exe83⤵
-
\??\c:\jpvjv.exec:\jpvjv.exe84⤵
-
\??\c:\rxxflrf.exec:\rxxflrf.exe85⤵
-
\??\c:\fflrxff.exec:\fflrxff.exe86⤵
-
\??\c:\3btnbh.exec:\3btnbh.exe87⤵
-
\??\c:\nthhnt.exec:\nthhnt.exe88⤵
-
\??\c:\vvjjj.exec:\vvjjj.exe89⤵
-
\??\c:\ppjvp.exec:\ppjvp.exe90⤵
-
\??\c:\llxxflr.exec:\llxxflr.exe91⤵
-
\??\c:\ffxflxf.exec:\ffxflxf.exe92⤵
-
\??\c:\hnhbbh.exec:\hnhbbh.exe93⤵
-
\??\c:\nnhbtb.exec:\nnhbtb.exe94⤵
-
\??\c:\3jvjd.exec:\3jvjd.exe95⤵
-
\??\c:\dvjvp.exec:\dvjvp.exe96⤵
-
\??\c:\3rxffll.exec:\3rxffll.exe97⤵
-
\??\c:\xrxxlrx.exec:\xrxxlrx.exe98⤵
-
\??\c:\tbttbh.exec:\tbttbh.exe99⤵
-
\??\c:\1htbtn.exec:\1htbtn.exe100⤵
-
\??\c:\1vjjj.exec:\1vjjj.exe101⤵
-
\??\c:\ddpjp.exec:\ddpjp.exe102⤵
-
\??\c:\5frlrfl.exec:\5frlrfl.exe103⤵
-
\??\c:\llfflrf.exec:\llfflrf.exe104⤵
-
\??\c:\rxrfrfr.exec:\rxrfrfr.exe105⤵
-
\??\c:\bhthnn.exec:\bhthnn.exe106⤵
-
\??\c:\vvvvd.exec:\vvvvd.exe107⤵
-
\??\c:\ppvjp.exec:\ppvjp.exe108⤵
-
\??\c:\lfrlxxf.exec:\lfrlxxf.exe109⤵
-
\??\c:\nbhbhn.exec:\nbhbhn.exe110⤵
-
\??\c:\nntbbh.exec:\nntbbh.exe111⤵
-
\??\c:\jjvdp.exec:\jjvdp.exe112⤵
-
\??\c:\jdppv.exec:\jdppv.exe113⤵
-
\??\c:\rrfllrx.exec:\rrfllrx.exe114⤵
-
\??\c:\fflrxfr.exec:\fflrxfr.exe115⤵
-
\??\c:\bhbhbt.exec:\bhbhbt.exe116⤵
-
\??\c:\ttbhhn.exec:\ttbhhn.exe117⤵
-
\??\c:\3djpv.exec:\3djpv.exe118⤵
-
\??\c:\jjjjp.exec:\jjjjp.exe119⤵
-
\??\c:\lflfrrx.exec:\lflfrrx.exe120⤵
-
\??\c:\llxlxxf.exec:\llxlxxf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-