Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
23-11-2024 05:32
General
-
Target
df324d02b40aef84514fb392461371048629d46ecf7c670f4580c4dca866f2c4.exe
-
Size
71KB
-
MD5
1e4ab4d42921fb71305c3bc0e966f7bf
-
SHA1
8759e87fbd6a17ed2c4ced288e48842d28213b38
-
SHA256
df324d02b40aef84514fb392461371048629d46ecf7c670f4580c4dca866f2c4
-
SHA512
d55b46061f9fbc56ee4c5e17c4998ff222dc4ce1e1f60568c11b97bbab44ac1ca877580c7a90b402feb51f713dfe8ea72668c8232daf81d8ae2db11b3202312a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+q8l45CmK:ymb3NkkiQ3mdBjFIj+q8lL
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\df324d02b40aef84514fb392461371048629d46ecf7c670f4580c4dca866f2c4.exe"C:\Users\Admin\AppData\Local\Temp\df324d02b40aef84514fb392461371048629d46ecf7c670f4580c4dca866f2c4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxxxf.exec:\lfrxxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxffrf.exec:\flxffrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttthhh.exec:\ttthhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdjp.exec:\ppdjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ntbhn.exec:\5ntbhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjjv.exec:\vdjjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrfxxll.exec:\lrfxxll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxfxfl.exec:\rlxfxfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9tbhth.exec:\9tbhth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppd.exec:\vjppd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llllllx.exec:\llllllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxlxll.exec:\rlxlxll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7htnth.exec:\7htnth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vjpv.exec:\3vjpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfflff.exec:\llfflff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbtbt.exec:\ttbtbt.exe17⤵
- Executes dropped EXE
-
\??\c:\5bthbn.exec:\5bthbn.exe18⤵
- Executes dropped EXE
-
\??\c:\vvdvd.exec:\vvdvd.exe19⤵
- Executes dropped EXE
-
\??\c:\lxlfffl.exec:\lxlfffl.exe20⤵
- Executes dropped EXE
-
\??\c:\nnbbhn.exec:\nnbbhn.exe21⤵
- Executes dropped EXE
-
\??\c:\tthnht.exec:\tthnht.exe22⤵
- Executes dropped EXE
-
\??\c:\ddppd.exec:\ddppd.exe23⤵
- Executes dropped EXE
-
\??\c:\flllfrf.exec:\flllfrf.exe24⤵
- Executes dropped EXE
-
\??\c:\xxlxrfx.exec:\xxlxrfx.exe25⤵
- Executes dropped EXE
-
\??\c:\nbhntn.exec:\nbhntn.exe26⤵
- Executes dropped EXE
-
\??\c:\nbnhnn.exec:\nbnhnn.exe27⤵
- Executes dropped EXE
-
\??\c:\dppjj.exec:\dppjj.exe28⤵
- Executes dropped EXE
-
\??\c:\3btbht.exec:\3btbht.exe29⤵
- Executes dropped EXE
-
\??\c:\bbthbh.exec:\bbthbh.exe30⤵
- Executes dropped EXE
-
\??\c:\5jpvd.exec:\5jpvd.exe31⤵
- Executes dropped EXE
-
\??\c:\pdvpv.exec:\pdvpv.exe32⤵
- Executes dropped EXE
-
\??\c:\flfrflf.exec:\flfrflf.exe33⤵
- Executes dropped EXE
-
\??\c:\tbnnbt.exec:\tbnnbt.exe34⤵
- Executes dropped EXE
-
\??\c:\vdpvj.exec:\vdpvj.exe35⤵
- Executes dropped EXE
-
\??\c:\9vpvp.exec:\9vpvp.exe36⤵
- Executes dropped EXE
-
\??\c:\rrxxllr.exec:\rrxxllr.exe37⤵
- Executes dropped EXE
-
\??\c:\ttntnt.exec:\ttntnt.exe38⤵
- Executes dropped EXE
-
\??\c:\hnbttn.exec:\hnbttn.exe39⤵
- Executes dropped EXE
-
\??\c:\ddpvj.exec:\ddpvj.exe40⤵
- Executes dropped EXE
-
\??\c:\pjjpd.exec:\pjjpd.exe41⤵
- Executes dropped EXE
-
\??\c:\rrfrffr.exec:\rrfrffr.exe42⤵
- Executes dropped EXE
-
\??\c:\5frfrfl.exec:\5frfrfl.exe43⤵
- Executes dropped EXE
-
\??\c:\nnbnhn.exec:\nnbnhn.exe44⤵
- Executes dropped EXE
-
\??\c:\hhbbth.exec:\hhbbth.exe45⤵
- Executes dropped EXE
-
\??\c:\5vjpd.exec:\5vjpd.exe46⤵
- Executes dropped EXE
-
\??\c:\1xxflrl.exec:\1xxflrl.exe47⤵
- Executes dropped EXE
-
\??\c:\9ffrrxl.exec:\9ffrrxl.exe48⤵
- Executes dropped EXE
-
\??\c:\nnhbbh.exec:\nnhbbh.exe49⤵
- Executes dropped EXE
-
\??\c:\3nhntt.exec:\3nhntt.exe50⤵
- Executes dropped EXE
-
\??\c:\vvpdd.exec:\vvpdd.exe51⤵
- Executes dropped EXE
-
\??\c:\lrrfllr.exec:\lrrfllr.exe52⤵
- Executes dropped EXE
-
\??\c:\rxflfxr.exec:\rxflfxr.exe53⤵
- Executes dropped EXE
-
\??\c:\hnttht.exec:\hnttht.exe54⤵
- Executes dropped EXE
-
\??\c:\nhhtnh.exec:\nhhtnh.exe55⤵
- Executes dropped EXE
-
\??\c:\ddpvj.exec:\ddpvj.exe56⤵
- Executes dropped EXE
-
\??\c:\jppdj.exec:\jppdj.exe57⤵
- Executes dropped EXE
-
\??\c:\fxfrxfr.exec:\fxfrxfr.exe58⤵
- Executes dropped EXE
-
\??\c:\hnthnb.exec:\hnthnb.exe59⤵
- Executes dropped EXE
-
\??\c:\1ttbnt.exec:\1ttbnt.exe60⤵
- Executes dropped EXE
-
\??\c:\9vdjj.exec:\9vdjj.exe61⤵
- Executes dropped EXE
-
\??\c:\dvdjp.exec:\dvdjp.exe62⤵
- Executes dropped EXE
-
\??\c:\rrfxfrx.exec:\rrfxfrx.exe63⤵
- Executes dropped EXE
-
\??\c:\lrfrxlr.exec:\lrfrxlr.exe64⤵
- Executes dropped EXE
-
\??\c:\5nbtnh.exec:\5nbtnh.exe65⤵
- Executes dropped EXE
-
\??\c:\jvpvj.exec:\jvpvj.exe66⤵
-
\??\c:\jdjvd.exec:\jdjvd.exe67⤵
-
\??\c:\djpdp.exec:\djpdp.exe68⤵
-
\??\c:\llxlrfr.exec:\llxlrfr.exe69⤵
-
\??\c:\ffrfrxl.exec:\ffrfrxl.exe70⤵
-
\??\c:\bhbhbh.exec:\bhbhbh.exe71⤵
-
\??\c:\3tttnt.exec:\3tttnt.exe72⤵
-
\??\c:\jvdjd.exec:\jvdjd.exe73⤵
-
\??\c:\7pjpd.exec:\7pjpd.exe74⤵
-
\??\c:\xlxflrx.exec:\xlxflrx.exe75⤵
-
\??\c:\3nnnnh.exec:\3nnnnh.exe76⤵
-
\??\c:\3nnttb.exec:\3nnttb.exe77⤵
-
\??\c:\jvppd.exec:\jvppd.exe78⤵
-
\??\c:\jvpjv.exec:\jvpjv.exe79⤵
-
\??\c:\9jdjd.exec:\9jdjd.exe80⤵
-
\??\c:\1fxfllr.exec:\1fxfllr.exe81⤵
-
\??\c:\rxrxrfr.exec:\rxrxrfr.exe82⤵
-
\??\c:\htnbhh.exec:\htnbhh.exe83⤵
-
\??\c:\hnthbn.exec:\hnthbn.exe84⤵
-
\??\c:\vvppd.exec:\vvppd.exe85⤵
-
\??\c:\djvdp.exec:\djvdp.exe86⤵
-
\??\c:\rxllxfr.exec:\rxllxfr.exe87⤵
-
\??\c:\rxxrflx.exec:\rxxrflx.exe88⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nbnnth.exec:\nbnnth.exe89⤵
-
\??\c:\5jvjd.exec:\5jvjd.exe90⤵
-
\??\c:\vdvpv.exec:\vdvpv.exe91⤵
-
\??\c:\djpvj.exec:\djpvj.exe92⤵
-
\??\c:\5rlrlxl.exec:\5rlrlxl.exe93⤵
-
\??\c:\rrxlfrf.exec:\rrxlfrf.exe94⤵
-
\??\c:\tththt.exec:\tththt.exe95⤵
-
\??\c:\bbntbh.exec:\bbntbh.exe96⤵
-
\??\c:\5jpjp.exec:\5jpjp.exe97⤵
-
\??\c:\rxfrxlx.exec:\rxfrxlx.exe98⤵
-
\??\c:\rlrxlrr.exec:\rlrxlrr.exe99⤵
-
\??\c:\bbhhnt.exec:\bbhhnt.exe100⤵
-
\??\c:\ttnbhn.exec:\ttnbhn.exe101⤵
-
\??\c:\vddjv.exec:\vddjv.exe102⤵
-
\??\c:\jvvvp.exec:\jvvvp.exe103⤵
-
\??\c:\rxlrlxf.exec:\rxlrlxf.exe104⤵
-
\??\c:\ffflfrf.exec:\ffflfrf.exe105⤵
-
\??\c:\tntntt.exec:\tntntt.exe106⤵
-
\??\c:\bhnthh.exec:\bhnthh.exe107⤵
-
\??\c:\jpjpd.exec:\jpjpd.exe108⤵
-
\??\c:\djvvd.exec:\djvvd.exe109⤵
-
\??\c:\xxrfrlx.exec:\xxrfrlx.exe110⤵
-
\??\c:\1rflfxl.exec:\1rflfxl.exe111⤵
-
\??\c:\bnbhnb.exec:\bnbhnb.exe112⤵
-
\??\c:\htthth.exec:\htthth.exe113⤵
-
\??\c:\5jjdd.exec:\5jjdd.exe114⤵
-
\??\c:\ppjpj.exec:\ppjpj.exe115⤵
-
\??\c:\rfxflxl.exec:\rfxflxl.exe116⤵
-
\??\c:\ntbntn.exec:\ntbntn.exe117⤵
-
\??\c:\nnbnhn.exec:\nnbnhn.exe118⤵
-
\??\c:\ppjvj.exec:\ppjvj.exe119⤵
-
\??\c:\djjdv.exec:\djjdv.exe120⤵
-
\??\c:\xrffrrx.exec:\xrffrrx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-