Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23-11-2024 04:44
General
-
Target
e712aef52d5c0ba5da286e5144cd053bf32c7cc324c0a1097490447674f67c5e.exe
-
Size
82KB
-
MD5
48a60f2e9b09bd24a19e7ce6dc415cf3
-
SHA1
60348bdcdf996e8dd035fdf23d459115d81e48f4
-
SHA256
e712aef52d5c0ba5da286e5144cd053bf32c7cc324c0a1097490447674f67c5e
-
SHA512
321db70d68349bbdeaafa4ad2bc1fa1fb37fc3281bf04256f2fb9b89167ae2926d033727661a10949e2b5c9102a57c89cbbe2bcd85d435f1e93c497c9d3e4112
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73tgygQwKjiawEmB5Gtb:ymb3NkkiQ3mdBjFo73thgQ/wEk0
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e712aef52d5c0ba5da286e5144cd053bf32c7cc324c0a1097490447674f67c5e.exe"C:\Users\Admin\AppData\Local\Temp\e712aef52d5c0ba5da286e5144cd053bf32c7cc324c0a1097490447674f67c5e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\9xfrlrl.exec:\9xfrlrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbbbb.exec:\tnbbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhhht.exec:\bbhhht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppdj.exec:\vppdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhbhh.exec:\tnhbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjvp.exec:\ppjvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ffrxxl.exec:\3ffrxxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9ttnbh.exec:\9ttnbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nttbhb.exec:\nttbhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rlrlrf.exec:\1rlrlrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhttb.exec:\tnhttb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvppj.exec:\vvppj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjdp.exec:\vpjdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrxfrx.exec:\xxrxfrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nnttn.exec:\3nnttn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdjd.exec:\ppdjd.exe17⤵
- Executes dropped EXE
-
\??\c:\rrlrlrf.exec:\rrlrlrf.exe18⤵
- Executes dropped EXE
-
\??\c:\1fxlxlx.exec:\1fxlxlx.exe19⤵
- Executes dropped EXE
-
\??\c:\7nhntn.exec:\7nhntn.exe20⤵
- Executes dropped EXE
-
\??\c:\ddjpd.exec:\ddjpd.exe21⤵
- Executes dropped EXE
-
\??\c:\vpjpd.exec:\vpjpd.exe22⤵
- Executes dropped EXE
-
\??\c:\lfrrffl.exec:\lfrrffl.exe23⤵
- Executes dropped EXE
-
\??\c:\ttbntn.exec:\ttbntn.exe24⤵
- Executes dropped EXE
-
\??\c:\jdvvp.exec:\jdvvp.exe25⤵
- Executes dropped EXE
-
\??\c:\pjddp.exec:\pjddp.exe26⤵
- Executes dropped EXE
-
\??\c:\frlxxlr.exec:\frlxxlr.exe27⤵
- Executes dropped EXE
-
\??\c:\bnnbbh.exec:\bnnbbh.exe28⤵
- Executes dropped EXE
-
\??\c:\jjjvp.exec:\jjjvp.exe29⤵
- Executes dropped EXE
-
\??\c:\xxlrlrl.exec:\xxlrlrl.exe30⤵
- Executes dropped EXE
-
\??\c:\9nhnhn.exec:\9nhnhn.exe31⤵
- Executes dropped EXE
-
\??\c:\bbnnnn.exec:\bbnnnn.exe32⤵
- Executes dropped EXE
-
\??\c:\vpjvj.exec:\vpjvj.exe33⤵
- Executes dropped EXE
-
\??\c:\xxrrflx.exec:\xxrrflx.exe34⤵
- Executes dropped EXE
-
\??\c:\fflflxx.exec:\fflflxx.exe35⤵
- Executes dropped EXE
-
\??\c:\tnbnth.exec:\tnbnth.exe36⤵
- Executes dropped EXE
-
\??\c:\vddpd.exec:\vddpd.exe37⤵
- Executes dropped EXE
-
\??\c:\jdvjd.exec:\jdvjd.exe38⤵
- Executes dropped EXE
-
\??\c:\1xxxllx.exec:\1xxxllx.exe39⤵
- Executes dropped EXE
-
\??\c:\lfxlrfr.exec:\lfxlrfr.exe40⤵
- Executes dropped EXE
-
\??\c:\nnhnbb.exec:\nnhnbb.exe41⤵
- Executes dropped EXE
-
\??\c:\tthntb.exec:\tthntb.exe42⤵
- Executes dropped EXE
-
\??\c:\1pjpp.exec:\1pjpp.exe43⤵
- Executes dropped EXE
-
\??\c:\jvppj.exec:\jvppj.exe44⤵
- Executes dropped EXE
-
\??\c:\fffxrxr.exec:\fffxrxr.exe45⤵
- Executes dropped EXE
-
\??\c:\lfrrffr.exec:\lfrrffr.exe46⤵
- Executes dropped EXE
-
\??\c:\tnbhtt.exec:\tnbhtt.exe47⤵
- Executes dropped EXE
-
\??\c:\bthnhh.exec:\bthnhh.exe48⤵
- Executes dropped EXE
-
\??\c:\7jvpp.exec:\7jvpp.exe49⤵
- Executes dropped EXE
-
\??\c:\lfxlfrl.exec:\lfxlfrl.exe50⤵
- Executes dropped EXE
-
\??\c:\3fflrrr.exec:\3fflrrr.exe51⤵
- Executes dropped EXE
-
\??\c:\hnnnbh.exec:\hnnnbh.exe52⤵
- Executes dropped EXE
-
\??\c:\hhhnbn.exec:\hhhnbn.exe53⤵
- Executes dropped EXE
-
\??\c:\7dppv.exec:\7dppv.exe54⤵
- Executes dropped EXE
-
\??\c:\dddjd.exec:\dddjd.exe55⤵
- Executes dropped EXE
-
\??\c:\flrllll.exec:\flrllll.exe56⤵
- Executes dropped EXE
-
\??\c:\nbnhhh.exec:\nbnhhh.exe57⤵
- Executes dropped EXE
-
\??\c:\1nnnnt.exec:\1nnnnt.exe58⤵
- Executes dropped EXE
-
\??\c:\dvvdd.exec:\dvvdd.exe59⤵
- Executes dropped EXE
-
\??\c:\rrfrrfr.exec:\rrfrrfr.exe60⤵
- Executes dropped EXE
-
\??\c:\flffrrf.exec:\flffrrf.exe61⤵
- Executes dropped EXE
-
\??\c:\7nbtnb.exec:\7nbtnb.exe62⤵
- Executes dropped EXE
-
\??\c:\vvpdv.exec:\vvpdv.exe63⤵
- Executes dropped EXE
-
\??\c:\pvjdj.exec:\pvjdj.exe64⤵
- Executes dropped EXE
-
\??\c:\1lrxffr.exec:\1lrxffr.exe65⤵
- Executes dropped EXE
-
\??\c:\rrfffxf.exec:\rrfffxf.exe66⤵
-
\??\c:\nntbnb.exec:\nntbnb.exe67⤵
-
\??\c:\1htbhh.exec:\1htbhh.exe68⤵
-
\??\c:\vjvvp.exec:\vjvvp.exe69⤵
-
\??\c:\xxrxxxl.exec:\xxrxxxl.exe70⤵
-
\??\c:\9xfrflx.exec:\9xfrflx.exe71⤵
-
\??\c:\btntbh.exec:\btntbh.exe72⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nhhnhh.exec:\nhhnhh.exe73⤵
-
\??\c:\jvjpv.exec:\jvjpv.exe74⤵
-
\??\c:\9xxfxfr.exec:\9xxfxfr.exe75⤵
-
\??\c:\1ffxlxr.exec:\1ffxlxr.exe76⤵
-
\??\c:\nnthbh.exec:\nnthbh.exe77⤵
-
\??\c:\9bnhth.exec:\9bnhth.exe78⤵
-
\??\c:\1vdvd.exec:\1vdvd.exe79⤵
-
\??\c:\frlfllr.exec:\frlfllr.exe80⤵
-
\??\c:\5rlrxxr.exec:\5rlrxxr.exe81⤵
-
\??\c:\ntbhhh.exec:\ntbhhh.exe82⤵
-
\??\c:\bththt.exec:\bththt.exe83⤵
-
\??\c:\ppdjp.exec:\ppdjp.exe84⤵
-
\??\c:\xlxlfxl.exec:\xlxlfxl.exe85⤵
-
\??\c:\ffxrfrf.exec:\ffxrfrf.exe86⤵
-
\??\c:\bbbhtn.exec:\bbbhtn.exe87⤵
-
\??\c:\9dpvv.exec:\9dpvv.exe88⤵
-
\??\c:\1pvjp.exec:\1pvjp.exe89⤵
-
\??\c:\rxfflff.exec:\rxfflff.exe90⤵
-
\??\c:\rrrrflf.exec:\rrrrflf.exe91⤵
-
\??\c:\hbttnn.exec:\hbttnn.exe92⤵
-
\??\c:\bbbhht.exec:\bbbhht.exe93⤵
-
\??\c:\1ppvp.exec:\1ppvp.exe94⤵
-
\??\c:\llfrrfr.exec:\llfrrfr.exe95⤵
-
\??\c:\lrffflx.exec:\lrffflx.exe96⤵
-
\??\c:\bhbhnh.exec:\bhbhnh.exe97⤵
-
\??\c:\pvpjv.exec:\pvpjv.exe98⤵
-
\??\c:\rfflllf.exec:\rfflllf.exe99⤵
-
\??\c:\xflxlrl.exec:\xflxlrl.exe100⤵
-
\??\c:\bhbbbb.exec:\bhbbbb.exe101⤵
-
\??\c:\nnbhnn.exec:\nnbhnn.exe102⤵
-
\??\c:\vpjjv.exec:\vpjjv.exe103⤵
-
\??\c:\frfrrlf.exec:\frfrrlf.exe104⤵
-
\??\c:\xffxxrf.exec:\xffxxrf.exe105⤵
-
\??\c:\tntbnt.exec:\tntbnt.exe106⤵
-
\??\c:\nnbhnn.exec:\nnbhnn.exe107⤵
-
\??\c:\vvpvp.exec:\vvpvp.exe108⤵
-
\??\c:\7flxffr.exec:\7flxffr.exe109⤵
-
\??\c:\rrlfllx.exec:\rrlfllx.exe110⤵
-
\??\c:\bttbhn.exec:\bttbhn.exe111⤵
-
\??\c:\3bnhnn.exec:\3bnhnn.exe112⤵
-
\??\c:\9vpdj.exec:\9vpdj.exe113⤵
-
\??\c:\vpddp.exec:\vpddp.exe114⤵
-
\??\c:\xxxfxfx.exec:\xxxfxfx.exe115⤵
-
\??\c:\btbbnn.exec:\btbbnn.exe116⤵
-
\??\c:\hhbtht.exec:\hhbtht.exe117⤵
-
\??\c:\vdvdp.exec:\vdvdp.exe118⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe119⤵
-
\??\c:\xrlrllx.exec:\xrlrllx.exe120⤵
-
\??\c:\rrxflrf.exec:\rrxflrf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-