Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
23-11-2024 05:40
General
-
Target
df324d02b40aef84514fb392461371048629d46ecf7c670f4580c4dca866f2c4.exe
-
Size
71KB
-
MD5
1e4ab4d42921fb71305c3bc0e966f7bf
-
SHA1
8759e87fbd6a17ed2c4ced288e48842d28213b38
-
SHA256
df324d02b40aef84514fb392461371048629d46ecf7c670f4580c4dca866f2c4
-
SHA512
d55b46061f9fbc56ee4c5e17c4998ff222dc4ce1e1f60568c11b97bbab44ac1ca877580c7a90b402feb51f713dfe8ea72668c8232daf81d8ae2db11b3202312a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+q8l45CmK:ymb3NkkiQ3mdBjFIj+q8lL
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\df324d02b40aef84514fb392461371048629d46ecf7c670f4580c4dca866f2c4.exe"C:\Users\Admin\AppData\Local\Temp\df324d02b40aef84514fb392461371048629d46ecf7c670f4580c4dca866f2c4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnbbh.exec:\hbnbbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4866240.exec:\4866240.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnnbh.exec:\nbnnbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\864024.exec:\864024.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6842204.exec:\6842204.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hntnnn.exec:\hntnnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\00082.exec:\00082.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8266602.exec:\8266602.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a2066.exec:\a2066.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbtnh.exec:\nhbtnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djppp.exec:\djppp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlxllr.exec:\xxlxllr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w04260.exec:\w04260.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvpd.exec:\jpvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllrlx.exec:\fxllrlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3djjj.exec:\3djjj.exe17⤵
- Executes dropped EXE
-
\??\c:\nhnntn.exec:\nhnntn.exe18⤵
- Executes dropped EXE
-
\??\c:\hthnnn.exec:\hthnnn.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\a0060.exec:\a0060.exe20⤵
- Executes dropped EXE
-
\??\c:\606206.exec:\606206.exe21⤵
- Executes dropped EXE
-
\??\c:\60444.exec:\60444.exe22⤵
- Executes dropped EXE
-
\??\c:\e02622.exec:\e02622.exe23⤵
- Executes dropped EXE
-
\??\c:\420684.exec:\420684.exe24⤵
- Executes dropped EXE
-
\??\c:\g6284.exec:\g6284.exe25⤵
- Executes dropped EXE
-
\??\c:\5flfllr.exec:\5flfllr.exe26⤵
- Executes dropped EXE
-
\??\c:\nbhnbt.exec:\nbhnbt.exe27⤵
- Executes dropped EXE
-
\??\c:\ffxlllf.exec:\ffxlllf.exe28⤵
- Executes dropped EXE
-
\??\c:\xrxlxfl.exec:\xrxlxfl.exe29⤵
- Executes dropped EXE
-
\??\c:\6642064.exec:\6642064.exe30⤵
- Executes dropped EXE
-
\??\c:\42224.exec:\42224.exe31⤵
- Executes dropped EXE
-
\??\c:\thnnnt.exec:\thnnnt.exe32⤵
- Executes dropped EXE
-
\??\c:\22686.exec:\22686.exe33⤵
- Executes dropped EXE
-
\??\c:\8622884.exec:\8622884.exe34⤵
- Executes dropped EXE
-
\??\c:\7ddjj.exec:\7ddjj.exe35⤵
- Executes dropped EXE
-
\??\c:\bnnntb.exec:\bnnntb.exe36⤵
- Executes dropped EXE
-
\??\c:\nnntbt.exec:\nnntbt.exe37⤵
- Executes dropped EXE
-
\??\c:\8200464.exec:\8200464.exe38⤵
- Executes dropped EXE
-
\??\c:\lxxxxxf.exec:\lxxxxxf.exe39⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe40⤵
- Executes dropped EXE
-
\??\c:\nhtbht.exec:\nhtbht.exe41⤵
- Executes dropped EXE
-
\??\c:\nnbttt.exec:\nnbttt.exe42⤵
- Executes dropped EXE
-
\??\c:\488042.exec:\488042.exe43⤵
- Executes dropped EXE
-
\??\c:\620446.exec:\620446.exe44⤵
- Executes dropped EXE
-
\??\c:\9tnnnh.exec:\9tnnnh.exe45⤵
- Executes dropped EXE
-
\??\c:\20042.exec:\20042.exe46⤵
- Executes dropped EXE
-
\??\c:\6062400.exec:\6062400.exe47⤵
- Executes dropped EXE
-
\??\c:\082020.exec:\082020.exe48⤵
- Executes dropped EXE
-
\??\c:\840640.exec:\840640.exe49⤵
- Executes dropped EXE
-
\??\c:\0428028.exec:\0428028.exe50⤵
- Executes dropped EXE
-
\??\c:\lfrlxlr.exec:\lfrlxlr.exe51⤵
- Executes dropped EXE
-
\??\c:\1rxfrxx.exec:\1rxfrxx.exe52⤵
- Executes dropped EXE
-
\??\c:\042088.exec:\042088.exe53⤵
- Executes dropped EXE
-
\??\c:\pvdvv.exec:\pvdvv.exe54⤵
- Executes dropped EXE
-
\??\c:\xrllxfx.exec:\xrllxfx.exe55⤵
- Executes dropped EXE
-
\??\c:\xxrxrlf.exec:\xxrxrlf.exe56⤵
- Executes dropped EXE
-
\??\c:\5jjpd.exec:\5jjpd.exe57⤵
- Executes dropped EXE
-
\??\c:\642066.exec:\642066.exe58⤵
- Executes dropped EXE
-
\??\c:\4620206.exec:\4620206.exe59⤵
- Executes dropped EXE
-
\??\c:\6226686.exec:\6226686.exe60⤵
- Executes dropped EXE
-
\??\c:\7lflxfl.exec:\7lflxfl.exe61⤵
- Executes dropped EXE
-
\??\c:\8462406.exec:\8462406.exe62⤵
- Executes dropped EXE
-
\??\c:\ddpdp.exec:\ddpdp.exe63⤵
- Executes dropped EXE
-
\??\c:\022620.exec:\022620.exe64⤵
- Executes dropped EXE
-
\??\c:\880840.exec:\880840.exe65⤵
- Executes dropped EXE
-
\??\c:\a8808.exec:\a8808.exe66⤵
-
\??\c:\648006.exec:\648006.exe67⤵
-
\??\c:\668424.exec:\668424.exe68⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe69⤵
-
\??\c:\26846.exec:\26846.exe70⤵
-
\??\c:\8242628.exec:\8242628.exe71⤵
-
\??\c:\60806.exec:\60806.exe72⤵
-
\??\c:\4482862.exec:\4482862.exe73⤵
-
\??\c:\xxlrxxf.exec:\xxlrxxf.exe74⤵
-
\??\c:\66642.exec:\66642.exe75⤵
-
\??\c:\rfrrxxf.exec:\rfrrxxf.exe76⤵
-
\??\c:\flfrfll.exec:\flfrfll.exe77⤵
-
\??\c:\tnbbbh.exec:\tnbbbh.exe78⤵
-
\??\c:\8202840.exec:\8202840.exe79⤵
-
\??\c:\bhhbnb.exec:\bhhbnb.exe80⤵
-
\??\c:\2644208.exec:\2644208.exe81⤵
-
\??\c:\vjjjd.exec:\vjjjd.exe82⤵
-
\??\c:\lxrfrxl.exec:\lxrfrxl.exe83⤵
-
\??\c:\88648.exec:\88648.exe84⤵
-
\??\c:\llrrrrf.exec:\llrrrrf.exe85⤵
-
\??\c:\tttntt.exec:\tttntt.exe86⤵
-
\??\c:\tntttb.exec:\tntttb.exe87⤵
-
\??\c:\jdjjv.exec:\jdjjv.exe88⤵
-
\??\c:\nttnnh.exec:\nttnnh.exe89⤵
-
\??\c:\xllrfrf.exec:\xllrfrf.exe90⤵
-
\??\c:\xfxlflf.exec:\xfxlflf.exe91⤵
-
\??\c:\jpjvp.exec:\jpjvp.exe92⤵
-
\??\c:\s6688.exec:\s6688.exe93⤵
-
\??\c:\q20684.exec:\q20684.exe94⤵
-
\??\c:\5nhhth.exec:\5nhhth.exe95⤵
-
\??\c:\rflfrrr.exec:\rflfrrr.exe96⤵
-
\??\c:\668224.exec:\668224.exe97⤵
-
\??\c:\ttbhbh.exec:\ttbhbh.exe98⤵
-
\??\c:\m0868.exec:\m0868.exe99⤵
-
\??\c:\0888244.exec:\0888244.exe100⤵
-
\??\c:\nhttht.exec:\nhttht.exe101⤵
-
\??\c:\806228.exec:\806228.exe102⤵
-
\??\c:\ppjjd.exec:\ppjjd.exe103⤵
-
\??\c:\nntbht.exec:\nntbht.exe104⤵
-
\??\c:\i628000.exec:\i628000.exe105⤵
-
\??\c:\pppdd.exec:\pppdd.exe106⤵
-
\??\c:\m4640.exec:\m4640.exe107⤵
-
\??\c:\xrxfrrf.exec:\xrxfrrf.exe108⤵
-
\??\c:\02268.exec:\02268.exe109⤵
-
\??\c:\7thhbn.exec:\7thhbn.exe110⤵
-
\??\c:\g0806.exec:\g0806.exe111⤵
-
\??\c:\o846406.exec:\o846406.exe112⤵
-
\??\c:\vjdjp.exec:\vjdjp.exe113⤵
-
\??\c:\nnhbbn.exec:\nnhbbn.exe114⤵
-
\??\c:\46680.exec:\46680.exe115⤵
-
\??\c:\e06240.exec:\e06240.exe116⤵
-
\??\c:\nnhhtb.exec:\nnhhtb.exe117⤵
-
\??\c:\llfxfrf.exec:\llfxfrf.exe118⤵
-
\??\c:\llflrxr.exec:\llflrxr.exe119⤵
-
\??\c:\llxlxlr.exec:\llxlxlr.exe120⤵
-
\??\c:\jddvv.exec:\jddvv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-