Analysis
-
max time kernel
150s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-11-2024 21:20
General
-
Target
34086b7ad3ef2425bfad0eca29a8b05a71d615115aaaa31498ea4ce9e47ca0e7.exe
-
Size
105KB
-
MD5
d8b1eb5847774742429d5578ed0e8b57
-
SHA1
8dd1723c339a881b22899a3c9a6f0e7ea743e2f4
-
SHA256
34086b7ad3ef2425bfad0eca29a8b05a71d615115aaaa31498ea4ce9e47ca0e7
-
SHA512
2b0eab56c7677175e38e424baa4c23356e52b170dd47ee18d225aa44d078a930b83c6e0df4146d4118a4e8a85e56cc9f8212b762265074e566d98baba506179c
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73tvn+Yp99zm+/KZBHq82PCK:n3C9BRo7tvnJ99T/KZE89K
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\34086b7ad3ef2425bfad0eca29a8b05a71d615115aaaa31498ea4ce9e47ca0e7.exe"C:\Users\Admin\AppData\Local\Temp\34086b7ad3ef2425bfad0eca29a8b05a71d615115aaaa31498ea4ce9e47ca0e7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\npnnlr.exec:\npnnlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jnfxxlr.exec:\jnfxxlr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfbfvrt.exec:\lfbfvrt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttdxth.exec:\ttdxth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xtrxxxl.exec:\xtrxxxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppnldl.exec:\ppnldl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rbhpt.exec:\rbhpt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpbfj.exec:\vvpbfj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vnxbllv.exec:\vnxbllv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rnhnlx.exec:\rnhnlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\phnpn.exec:\phnpn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vtlbjj.exec:\vtlbjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhdjn.exec:\hhdjn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xtrrxrp.exec:\xtrrxrp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lpjjdrf.exec:\lpjjdrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlnpvl.exec:\xlnpvl.exe17⤵
- Executes dropped EXE
-
\??\c:\ddpnd.exec:\ddpnd.exe18⤵
- Executes dropped EXE
-
\??\c:\llhjnnv.exec:\llhjnnv.exe19⤵
- Executes dropped EXE
-
\??\c:\ltfbrx.exec:\ltfbrx.exe20⤵
- Executes dropped EXE
-
\??\c:\jdhnb.exec:\jdhnb.exe21⤵
- Executes dropped EXE
-
\??\c:\xjnlnb.exec:\xjnlnb.exe22⤵
- Executes dropped EXE
-
\??\c:\ltbfrl.exec:\ltbfrl.exe23⤵
- Executes dropped EXE
-
\??\c:\xxbhr.exec:\xxbhr.exe24⤵
- Executes dropped EXE
-
\??\c:\hxtxdnb.exec:\hxtxdnb.exe25⤵
- Executes dropped EXE
-
\??\c:\vtxfpv.exec:\vtxfpv.exe26⤵
- Executes dropped EXE
-
\??\c:\jplnpv.exec:\jplnpv.exe27⤵
- Executes dropped EXE
-
\??\c:\rnbtnjd.exec:\rnbtnjd.exe28⤵
- Executes dropped EXE
-
\??\c:\vrfbt.exec:\vrfbt.exe29⤵
- Executes dropped EXE
-
\??\c:\nbhbt.exec:\nbhbt.exe30⤵
- Executes dropped EXE
-
\??\c:\vfpfl.exec:\vfpfl.exe31⤵
- Executes dropped EXE
-
\??\c:\flrdfbl.exec:\flrdfbl.exe32⤵
- Executes dropped EXE
-
\??\c:\jjvntx.exec:\jjvntx.exe33⤵
- Executes dropped EXE
-
\??\c:\lvphht.exec:\lvphht.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ddvrv.exec:\ddvrv.exe35⤵
- Executes dropped EXE
-
\??\c:\ndbhhx.exec:\ndbhhx.exe36⤵
- Executes dropped EXE
-
\??\c:\rbjbr.exec:\rbjbr.exe37⤵
- Executes dropped EXE
-
\??\c:\tvvppr.exec:\tvvppr.exe38⤵
- Executes dropped EXE
-
\??\c:\djrlld.exec:\djrlld.exe39⤵
- Executes dropped EXE
-
\??\c:\rtfxvn.exec:\rtfxvn.exe40⤵
- Executes dropped EXE
-
\??\c:\xthbnb.exec:\xthbnb.exe41⤵
- Executes dropped EXE
-
\??\c:\rdppdbh.exec:\rdppdbh.exe42⤵
- Executes dropped EXE
-
\??\c:\vldldx.exec:\vldldx.exe43⤵
- Executes dropped EXE
-
\??\c:\xrrxltb.exec:\xrrxltb.exe44⤵
- Executes dropped EXE
-
\??\c:\vrfvvt.exec:\vrfvvt.exe45⤵
- Executes dropped EXE
-
\??\c:\jfjpbx.exec:\jfjpbx.exe46⤵
- Executes dropped EXE
-
\??\c:\jnrrdx.exec:\jnrrdx.exe47⤵
- Executes dropped EXE
-
\??\c:\fltdl.exec:\fltdl.exe48⤵
- Executes dropped EXE
-
\??\c:\pjvddvf.exec:\pjvddvf.exe49⤵
- Executes dropped EXE
-
\??\c:\pxltlb.exec:\pxltlb.exe50⤵
- Executes dropped EXE
-
\??\c:\xvprp.exec:\xvprp.exe51⤵
- Executes dropped EXE
-
\??\c:\vdpdfv.exec:\vdpdfv.exe52⤵
- Executes dropped EXE
-
\??\c:\lprpl.exec:\lprpl.exe53⤵
- Executes dropped EXE
-
\??\c:\tptjvrv.exec:\tptjvrv.exe54⤵
- Executes dropped EXE
-
\??\c:\vlxbvd.exec:\vlxbvd.exe55⤵
- Executes dropped EXE
-
\??\c:\jntpdrv.exec:\jntpdrv.exe56⤵
- Executes dropped EXE
-
\??\c:\jdttxhx.exec:\jdttxhx.exe57⤵
- Executes dropped EXE
-
\??\c:\ftrdnfl.exec:\ftrdnfl.exe58⤵
- Executes dropped EXE
-
\??\c:\hlxdbd.exec:\hlxdbd.exe59⤵
- Executes dropped EXE
-
\??\c:\vjrpnh.exec:\vjrpnh.exe60⤵
- Executes dropped EXE
-
\??\c:\bbtvb.exec:\bbtvb.exe61⤵
- Executes dropped EXE
-
\??\c:\hbbpxf.exec:\hbbpxf.exe62⤵
- Executes dropped EXE
-
\??\c:\bljbpnx.exec:\bljbpnx.exe63⤵
- Executes dropped EXE
-
\??\c:\flplxdl.exec:\flplxdl.exe64⤵
- Executes dropped EXE
-
\??\c:\hbvlrnv.exec:\hbvlrnv.exe65⤵
- Executes dropped EXE
-
\??\c:\jjfnfbb.exec:\jjfnfbb.exe66⤵
-
\??\c:\pxtblp.exec:\pxtblp.exe67⤵
-
\??\c:\xjrpp.exec:\xjrpp.exe68⤵
-
\??\c:\dnblj.exec:\dnblj.exe69⤵
-
\??\c:\xllvn.exec:\xllvn.exe70⤵
-
\??\c:\drnrvhj.exec:\drnrvhj.exe71⤵
-
\??\c:\llpxtd.exec:\llpxtd.exe72⤵
-
\??\c:\dnhvdvr.exec:\dnhvdvr.exe73⤵
-
\??\c:\vnvdn.exec:\vnvdn.exe74⤵
-
\??\c:\jxjhlfn.exec:\jxjhlfn.exe75⤵
-
\??\c:\tbhxnbv.exec:\tbhxnbv.exe76⤵
-
\??\c:\lrprfj.exec:\lrprfj.exe77⤵
-
\??\c:\vlvhnvr.exec:\vlvhnvr.exe78⤵
-
\??\c:\hrxfnhx.exec:\hrxfnhx.exe79⤵
-
\??\c:\dvlvhl.exec:\dvlvhl.exe80⤵
-
\??\c:\lnbhhnd.exec:\lnbhhnd.exe81⤵
-
\??\c:\rfrfr.exec:\rfrfr.exe82⤵
-
\??\c:\hrrjp.exec:\hrrjp.exe83⤵
-
\??\c:\xvrbt.exec:\xvrbt.exe84⤵
-
\??\c:\ttlpxh.exec:\ttlpxh.exe85⤵
-
\??\c:\xtrrj.exec:\xtrrj.exe86⤵
-
\??\c:\btpnn.exec:\btpnn.exe87⤵
-
\??\c:\vrrjp.exec:\vrrjp.exe88⤵
-
\??\c:\hljlp.exec:\hljlp.exe89⤵
-
\??\c:\prtjpt.exec:\prtjpt.exe90⤵
-
\??\c:\hrdrtfl.exec:\hrdrtfl.exe91⤵
-
\??\c:\ddppp.exec:\ddppp.exe92⤵
-
\??\c:\lfntt.exec:\lfntt.exe93⤵
-
\??\c:\jntjb.exec:\jntjb.exe94⤵
-
\??\c:\jbbfp.exec:\jbbfp.exe95⤵
-
\??\c:\bnjfl.exec:\bnjfl.exe96⤵
-
\??\c:\jttrr.exec:\jttrr.exe97⤵
-
\??\c:\lrdbphb.exec:\lrdbphb.exe98⤵
-
\??\c:\dxhjvr.exec:\dxhjvr.exe99⤵
-
\??\c:\tbblf.exec:\tbblf.exe100⤵
-
\??\c:\prtnl.exec:\prtnl.exe101⤵
-
\??\c:\dnldvr.exec:\dnldvr.exe102⤵
-
\??\c:\dnxjn.exec:\dnxjn.exe103⤵
-
\??\c:\npvdr.exec:\npvdr.exe104⤵
-
\??\c:\lnxrl.exec:\lnxrl.exe105⤵
-
\??\c:\btbvhbh.exec:\btbvhbh.exe106⤵
-
\??\c:\vdxdht.exec:\vdxdht.exe107⤵
-
\??\c:\pvlprdp.exec:\pvlprdp.exe108⤵
-
\??\c:\vvrnr.exec:\vvrnr.exe109⤵
- System Location Discovery: System Language Discovery
-
\??\c:\dvnpd.exec:\dvnpd.exe110⤵
-
\??\c:\pvfnnh.exec:\pvfnnh.exe111⤵
-
\??\c:\bnbhv.exec:\bnbhv.exe112⤵
-
\??\c:\vlfpxt.exec:\vlfpxt.exe113⤵
-
\??\c:\jpdjvr.exec:\jpdjvr.exe114⤵
-
\??\c:\bjtvfhb.exec:\bjtvfhb.exe115⤵
-
\??\c:\rtjdv.exec:\rtjdv.exe116⤵
-
\??\c:\vvrbjp.exec:\vvrbjp.exe117⤵
-
\??\c:\nvpnt.exec:\nvpnt.exe118⤵
-
\??\c:\ndljpn.exec:\ndljpn.exe119⤵
-
\??\c:\rbhvn.exec:\rbhvn.exe120⤵
-
\??\c:\jrvlrd.exec:\jrvlrd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-