Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/11/2024, 21:05
General
-
Target
2d2c68f0dc80b7bfee06d626148f8ac97746723a3d23bf4030cea0a4f6b5f6da.exe
-
Size
49KB
-
MD5
64ab0cd8df9d6d027937e65c52b2e498
-
SHA1
52f075d3aed88341b4f4d941eb7e1becdef42f7f
-
SHA256
2d2c68f0dc80b7bfee06d626148f8ac97746723a3d23bf4030cea0a4f6b5f6da
-
SHA512
093123d714d2987b28d79cee810c810988c5e2291182707e18cfae48ed69503d75b17b340b900c1be431c307746d4e1871cb7dcba8c301dbac054d2a40046a74
-
SSDEEP
1536:mAocdpeVoBDulhzHMb7xNAa04Mcg5IKvlU:0cdpeeBSHHMHLf9RyIT
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d2c68f0dc80b7bfee06d626148f8ac97746723a3d23bf4030cea0a4f6b5f6da.exe"C:\Users\Admin\AppData\Local\Temp\2d2c68f0dc80b7bfee06d626148f8ac97746723a3d23bf4030cea0a4f6b5f6da.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\680066.exec:\680066.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e84406.exec:\e84406.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbbhh.exec:\hbbbhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbhnn.exec:\btbhnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\480404.exec:\480404.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m6840.exec:\m6840.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllfrrf.exec:\rllfrrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e24406.exec:\e24406.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\42840.exec:\42840.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\806666.exec:\806666.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tbttb.exec:\5tbttb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20222.exec:\20222.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0406822.exec:\0406822.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0062488.exec:\0062488.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\s6028.exec:\s6028.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u242266.exec:\u242266.exe17⤵
- Executes dropped EXE
-
\??\c:\0080284.exec:\0080284.exe18⤵
- Executes dropped EXE
-
\??\c:\3djdj.exec:\3djdj.exe19⤵
- Executes dropped EXE
-
\??\c:\w28222.exec:\w28222.exe20⤵
- Executes dropped EXE
-
\??\c:\hhtttb.exec:\hhtttb.exe21⤵
- Executes dropped EXE
-
\??\c:\rfllrrr.exec:\rfllrrr.exe22⤵
- Executes dropped EXE
-
\??\c:\xlrlxxf.exec:\xlrlxxf.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe24⤵
- Executes dropped EXE
-
\??\c:\08002.exec:\08002.exe25⤵
- Executes dropped EXE
-
\??\c:\04888.exec:\04888.exe26⤵
- Executes dropped EXE
-
\??\c:\ppvpj.exec:\ppvpj.exe27⤵
- Executes dropped EXE
-
\??\c:\dvpvd.exec:\dvpvd.exe28⤵
- Executes dropped EXE
-
\??\c:\4264044.exec:\4264044.exe29⤵
- Executes dropped EXE
-
\??\c:\jdddp.exec:\jdddp.exe30⤵
- Executes dropped EXE
-
\??\c:\ppdjd.exec:\ppdjd.exe31⤵
- Executes dropped EXE
-
\??\c:\w02622.exec:\w02622.exe32⤵
- Executes dropped EXE
-
\??\c:\nhbbhh.exec:\nhbbhh.exe33⤵
- Executes dropped EXE
-
\??\c:\bbhhhn.exec:\bbhhhn.exe34⤵
- Executes dropped EXE
-
\??\c:\9xxrxxx.exec:\9xxrxxx.exe35⤵
- Executes dropped EXE
-
\??\c:\60262.exec:\60262.exe36⤵
- Executes dropped EXE
-
\??\c:\208466.exec:\208466.exe37⤵
- Executes dropped EXE
-
\??\c:\thnntn.exec:\thnntn.exe38⤵
- Executes dropped EXE
-
\??\c:\4866266.exec:\4866266.exe39⤵
- Executes dropped EXE
-
\??\c:\9nhnnn.exec:\9nhnnn.exe40⤵
- Executes dropped EXE
-
\??\c:\fflllxf.exec:\fflllxf.exe41⤵
- Executes dropped EXE
-
\??\c:\vpvjj.exec:\vpvjj.exe42⤵
- Executes dropped EXE
-
\??\c:\880688.exec:\880688.exe43⤵
- Executes dropped EXE
-
\??\c:\hbhhtt.exec:\hbhhtt.exe44⤵
- Executes dropped EXE
-
\??\c:\ddjpj.exec:\ddjpj.exe45⤵
- Executes dropped EXE
-
\??\c:\2688888.exec:\2688888.exe46⤵
- Executes dropped EXE
-
\??\c:\jvjdj.exec:\jvjdj.exe47⤵
- Executes dropped EXE
-
\??\c:\6062444.exec:\6062444.exe48⤵
- Executes dropped EXE
-
\??\c:\xllffxl.exec:\xllffxl.exe49⤵
- Executes dropped EXE
-
\??\c:\frxllfl.exec:\frxllfl.exe50⤵
- Executes dropped EXE
-
\??\c:\420066.exec:\420066.exe51⤵
- Executes dropped EXE
-
\??\c:\5vdvp.exec:\5vdvp.exe52⤵
- Executes dropped EXE
-
\??\c:\c428000.exec:\c428000.exe53⤵
- Executes dropped EXE
-
\??\c:\ppdvv.exec:\ppdvv.exe54⤵
- Executes dropped EXE
-
\??\c:\dpvvv.exec:\dpvvv.exe55⤵
- Executes dropped EXE
-
\??\c:\64626.exec:\64626.exe56⤵
- Executes dropped EXE
-
\??\c:\thnnhh.exec:\thnnhh.exe57⤵
- Executes dropped EXE
-
\??\c:\3nhbbt.exec:\3nhbbt.exe58⤵
- Executes dropped EXE
-
\??\c:\828048.exec:\828048.exe59⤵
- Executes dropped EXE
-
\??\c:\3tnnbb.exec:\3tnnbb.exe60⤵
- Executes dropped EXE
-
\??\c:\7vjdp.exec:\7vjdp.exe61⤵
- Executes dropped EXE
-
\??\c:\e68288.exec:\e68288.exe62⤵
- Executes dropped EXE
-
\??\c:\nhhbbh.exec:\nhhbbh.exe63⤵
- Executes dropped EXE
-
\??\c:\vvppd.exec:\vvppd.exe64⤵
- Executes dropped EXE
-
\??\c:\9rlfrrx.exec:\9rlfrrx.exe65⤵
- Executes dropped EXE
-
\??\c:\0826262.exec:\0826262.exe66⤵
-
\??\c:\0462040.exec:\0462040.exe67⤵
-
\??\c:\22488.exec:\22488.exe68⤵
-
\??\c:\080060.exec:\080060.exe69⤵
-
\??\c:\m8664.exec:\m8664.exe70⤵
-
\??\c:\flrxflr.exec:\flrxflr.exe71⤵
-
\??\c:\420688.exec:\420688.exe72⤵
-
\??\c:\0440062.exec:\0440062.exe73⤵
-
\??\c:\1jpjp.exec:\1jpjp.exe74⤵
-
\??\c:\82866.exec:\82866.exe75⤵
-
\??\c:\a2440.exec:\a2440.exe76⤵
-
\??\c:\btbtbt.exec:\btbtbt.exe77⤵
-
\??\c:\82828.exec:\82828.exe78⤵
-
\??\c:\btnntn.exec:\btnntn.exe79⤵
-
\??\c:\7hnbbb.exec:\7hnbbb.exe80⤵
-
\??\c:\lfffffl.exec:\lfffffl.exe81⤵
-
\??\c:\7nbhtn.exec:\7nbhtn.exe82⤵
-
\??\c:\5pjdd.exec:\5pjdd.exe83⤵
-
\??\c:\tnnnhh.exec:\tnnnhh.exe84⤵
-
\??\c:\822626.exec:\822626.exe85⤵
-
\??\c:\5lxxflf.exec:\5lxxflf.exe86⤵
-
\??\c:\s6406.exec:\s6406.exe87⤵
-
\??\c:\k64282.exec:\k64282.exe88⤵
-
\??\c:\640624.exec:\640624.exe89⤵
-
\??\c:\480060.exec:\480060.exe90⤵
-
\??\c:\4802440.exec:\4802440.exe91⤵
-
\??\c:\pjvpd.exec:\pjvpd.exe92⤵
-
\??\c:\ppdvp.exec:\ppdvp.exe93⤵
-
\??\c:\824066.exec:\824066.exe94⤵
-
\??\c:\486688.exec:\486688.exe95⤵
-
\??\c:\824082.exec:\824082.exe96⤵
-
\??\c:\0468844.exec:\0468844.exe97⤵
-
\??\c:\llrrxrx.exec:\llrrxrx.exe98⤵
-
\??\c:\rlxlrrx.exec:\rlxlrrx.exe99⤵
-
\??\c:\2200002.exec:\2200002.exe100⤵
-
\??\c:\a6466.exec:\a6466.exe101⤵
-
\??\c:\dpvpd.exec:\dpvpd.exe102⤵
-
\??\c:\64024.exec:\64024.exe103⤵
-
\??\c:\202660.exec:\202660.exe104⤵
-
\??\c:\82484.exec:\82484.exe105⤵
-
\??\c:\206628.exec:\206628.exe106⤵
-
\??\c:\pjpjd.exec:\pjpjd.exe107⤵
-
\??\c:\602244.exec:\602244.exe108⤵
-
\??\c:\48440.exec:\48440.exe109⤵
-
\??\c:\8840662.exec:\8840662.exe110⤵
-
\??\c:\rlllrrf.exec:\rlllrrf.exe111⤵
-
\??\c:\e40066.exec:\e40066.exe112⤵
-
\??\c:\3lrrxrx.exec:\3lrrxrx.exe113⤵
-
\??\c:\3pjjj.exec:\3pjjj.exe114⤵
-
\??\c:\fffllrr.exec:\fffllrr.exe115⤵
-
\??\c:\4822262.exec:\4822262.exe116⤵
-
\??\c:\q86408.exec:\q86408.exe117⤵
-
\??\c:\7lrllrr.exec:\7lrllrr.exe118⤵
-
\??\c:\k68888.exec:\k68888.exe119⤵
-
\??\c:\608282.exec:\608282.exe120⤵
-
\??\c:\djppv.exec:\djppv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-