Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
23-11-2024 00:28
General
-
Target
a3b3c3d7a03773bbfd1e95803b2b7773114f59ef943e984303b2fcabcbe288e1.exe
-
Size
107KB
-
MD5
2ac1116405c57fc335d23409febeb856
-
SHA1
1c542ff1dc9b1818279da414930364a692381bb1
-
SHA256
a3b3c3d7a03773bbfd1e95803b2b7773114f59ef943e984303b2fcabcbe288e1
-
SHA512
a212131585377b177a92400a2f50cbd436c4a6104618b9cc6bd6bcb61fb2929cadd17318cf21c0c87f26ad49f1b63f855fce91f34ceecd3e3ed0024280394cc8
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo7LAIb+t7uybUvDoC5B:n3C9BRo/AI2ujc2
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3b3c3d7a03773bbfd1e95803b2b7773114f59ef943e984303b2fcabcbe288e1.exe"C:\Users\Admin\AppData\Local\Temp\a3b3c3d7a03773bbfd1e95803b2b7773114f59ef943e984303b2fcabcbe288e1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\s4840.exec:\s4840.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4866446.exec:\4866446.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbttbb.exec:\hbttbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpvj.exec:\jdpvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddjd.exec:\jddjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjjp.exec:\vjjjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6024062.exec:\6024062.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i028406.exec:\i028406.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhntb.exec:\tnhntb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4800608.exec:\4800608.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\s4220.exec:\s4220.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxxlrf.exec:\xrxxlrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6088002.exec:\6088002.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\62688.exec:\62688.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tnnbb.exec:\5tnnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2644028.exec:\2644028.exe17⤵
- Executes dropped EXE
-
\??\c:\82640.exec:\82640.exe18⤵
- Executes dropped EXE
-
\??\c:\0086804.exec:\0086804.exe19⤵
- Executes dropped EXE
-
\??\c:\frxllrr.exec:\frxllrr.exe20⤵
- Executes dropped EXE
-
\??\c:\0820880.exec:\0820880.exe21⤵
- Executes dropped EXE
-
\??\c:\42062.exec:\42062.exe22⤵
- Executes dropped EXE
-
\??\c:\220426.exec:\220426.exe23⤵
- Executes dropped EXE
-
\??\c:\3lxllxx.exec:\3lxllxx.exe24⤵
- Executes dropped EXE
-
\??\c:\w68282.exec:\w68282.exe25⤵
- Executes dropped EXE
-
\??\c:\btbbhb.exec:\btbbhb.exe26⤵
- Executes dropped EXE
-
\??\c:\vpdjp.exec:\vpdjp.exe27⤵
- Executes dropped EXE
-
\??\c:\8684606.exec:\8684606.exe28⤵
- Executes dropped EXE
-
\??\c:\282444.exec:\282444.exe29⤵
- Executes dropped EXE
-
\??\c:\jjjdj.exec:\jjjdj.exe30⤵
- Executes dropped EXE
-
\??\c:\9pdpp.exec:\9pdpp.exe31⤵
- Executes dropped EXE
-
\??\c:\2002868.exec:\2002868.exe32⤵
- Executes dropped EXE
-
\??\c:\fxfxxxf.exec:\fxfxxxf.exe33⤵
- Executes dropped EXE
-
\??\c:\g0464.exec:\g0464.exe34⤵
- Executes dropped EXE
-
\??\c:\48662.exec:\48662.exe35⤵
- Executes dropped EXE
-
\??\c:\8246806.exec:\8246806.exe36⤵
- Executes dropped EXE
-
\??\c:\3rflrfl.exec:\3rflrfl.exe37⤵
- Executes dropped EXE
-
\??\c:\64662.exec:\64662.exe38⤵
- Executes dropped EXE
-
\??\c:\o644440.exec:\o644440.exe39⤵
- Executes dropped EXE
-
\??\c:\pjpdv.exec:\pjpdv.exe40⤵
- Executes dropped EXE
-
\??\c:\2028440.exec:\2028440.exe41⤵
- Executes dropped EXE
-
\??\c:\vdvpj.exec:\vdvpj.exe42⤵
- Executes dropped EXE
-
\??\c:\frfffrr.exec:\frfffrr.exe43⤵
- Executes dropped EXE
-
\??\c:\3rrfrfl.exec:\3rrfrfl.exe44⤵
- Executes dropped EXE
-
\??\c:\jjpvd.exec:\jjpvd.exe45⤵
- Executes dropped EXE
-
\??\c:\7xrxxfl.exec:\7xrxxfl.exe46⤵
- Executes dropped EXE
-
\??\c:\826840.exec:\826840.exe47⤵
- Executes dropped EXE
-
\??\c:\vpvpd.exec:\vpvpd.exe48⤵
- Executes dropped EXE
-
\??\c:\btnnhn.exec:\btnnhn.exe49⤵
- Executes dropped EXE
-
\??\c:\0428008.exec:\0428008.exe50⤵
- Executes dropped EXE
-
\??\c:\488460.exec:\488460.exe51⤵
- Executes dropped EXE
-
\??\c:\tntbnh.exec:\tntbnh.exe52⤵
- Executes dropped EXE
-
\??\c:\rlxxffr.exec:\rlxxffr.exe53⤵
- Executes dropped EXE
-
\??\c:\862844.exec:\862844.exe54⤵
- Executes dropped EXE
-
\??\c:\a2402.exec:\a2402.exe55⤵
- Executes dropped EXE
-
\??\c:\4248400.exec:\4248400.exe56⤵
- Executes dropped EXE
-
\??\c:\86826.exec:\86826.exe57⤵
- Executes dropped EXE
-
\??\c:\dpdjj.exec:\dpdjj.exe58⤵
- Executes dropped EXE
-
\??\c:\pjpvd.exec:\pjpvd.exe59⤵
- Executes dropped EXE
-
\??\c:\2022288.exec:\2022288.exe60⤵
- Executes dropped EXE
-
\??\c:\3btbhn.exec:\3btbhn.exe61⤵
- Executes dropped EXE
-
\??\c:\0462402.exec:\0462402.exe62⤵
- Executes dropped EXE
-
\??\c:\5vpjj.exec:\5vpjj.exe63⤵
- Executes dropped EXE
-
\??\c:\6426284.exec:\6426284.exe64⤵
- Executes dropped EXE
-
\??\c:\bnntbb.exec:\bnntbb.exe65⤵
- Executes dropped EXE
-
\??\c:\80664.exec:\80664.exe66⤵
-
\??\c:\62684.exec:\62684.exe67⤵
-
\??\c:\xlxrrll.exec:\xlxrrll.exe68⤵
-
\??\c:\4266828.exec:\4266828.exe69⤵
-
\??\c:\thhbbn.exec:\thhbbn.exe70⤵
-
\??\c:\k68066.exec:\k68066.exe71⤵
-
\??\c:\frlrxxf.exec:\frlrxxf.exe72⤵
-
\??\c:\64022.exec:\64022.exe73⤵
-
\??\c:\5lxxlrx.exec:\5lxxlrx.exe74⤵
-
\??\c:\o200808.exec:\o200808.exe75⤵
-
\??\c:\u602624.exec:\u602624.exe76⤵
-
\??\c:\3rflxrf.exec:\3rflxrf.exe77⤵
-
\??\c:\842460.exec:\842460.exe78⤵
-
\??\c:\ffxflfl.exec:\ffxflfl.exe79⤵
-
\??\c:\hbhnnh.exec:\hbhnnh.exe80⤵
-
\??\c:\42066.exec:\42066.exe81⤵
-
\??\c:\dvdpp.exec:\dvdpp.exe82⤵
-
\??\c:\o804662.exec:\o804662.exe83⤵
-
\??\c:\dvvpd.exec:\dvvpd.exe84⤵
-
\??\c:\m0228.exec:\m0228.exe85⤵
- System Location Discovery: System Language Discovery
-
\??\c:\g6406.exec:\g6406.exe86⤵
- System Location Discovery: System Language Discovery
-
\??\c:\dpvdd.exec:\dpvdd.exe87⤵
-
\??\c:\frrlrrr.exec:\frrlrrr.exe88⤵
-
\??\c:\428800.exec:\428800.exe89⤵
-
\??\c:\m6844.exec:\m6844.exe90⤵
-
\??\c:\4262000.exec:\4262000.exe91⤵
-
\??\c:\264606.exec:\264606.exe92⤵
-
\??\c:\260622.exec:\260622.exe93⤵
-
\??\c:\btnthn.exec:\btnthn.exe94⤵
-
\??\c:\s4602.exec:\s4602.exe95⤵
-
\??\c:\3hnhtn.exec:\3hnhtn.exe96⤵
-
\??\c:\dvvpp.exec:\dvvpp.exe97⤵
-
\??\c:\hbbntt.exec:\hbbntt.exe98⤵
-
\??\c:\tbnnnn.exec:\tbnnnn.exe99⤵
-
\??\c:\6488406.exec:\6488406.exe100⤵
-
\??\c:\lrrrlll.exec:\lrrrlll.exe101⤵
-
\??\c:\0428008.exec:\0428008.exe102⤵
-
\??\c:\7nnntn.exec:\7nnntn.exe103⤵
-
\??\c:\208406.exec:\208406.exe104⤵
-
\??\c:\42006.exec:\42006.exe105⤵
-
\??\c:\w86648.exec:\w86648.exe106⤵
-
\??\c:\084004.exec:\084004.exe107⤵
-
\??\c:\9pdvv.exec:\9pdvv.exe108⤵
-
\??\c:\8244486.exec:\8244486.exe109⤵
-
\??\c:\222080.exec:\222080.exe110⤵
-
\??\c:\xlxrxlr.exec:\xlxrxlr.exe111⤵
-
\??\c:\o026206.exec:\o026206.exe112⤵
-
\??\c:\vpddj.exec:\vpddj.exe113⤵
-
\??\c:\rflxfff.exec:\rflxfff.exe114⤵
-
\??\c:\vpvvd.exec:\vpvvd.exe115⤵
-
\??\c:\46446.exec:\46446.exe116⤵
-
\??\c:\u088488.exec:\u088488.exe117⤵
-
\??\c:\pjpdj.exec:\pjpdj.exe118⤵
-
\??\c:\6022884.exec:\6022884.exe119⤵
-
\??\c:\btbnbh.exec:\btbnbh.exe120⤵
-
\??\c:\426284.exec:\426284.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-