Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23-11-2024 11:44
General
-
Target
e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe
-
Size
86KB
-
MD5
299858b8db7ae1ab751673b4953185ac
-
SHA1
8630935ba7c234df2fbd6c458e16e25973cd2ad7
-
SHA256
e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd
-
SHA512
d5fc972c2907dae8265aea95887d0747350a2f9367d6169043c8871aa671bf181e4aa3b2998a3b4ad7e311ac0961612c027df0a5cb1c9374dd3b5dfb8e3c4d8d
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8yaVskCzYBbKd+XsWgADSNVQfKPgqA22GU:9hOmTsF93UYfwC6GIoutyaVszyKd+XYg
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 57 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe"C:\Users\Admin\AppData\Local\Temp\e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\g6842.exec:\g6842.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\86624.exec:\86624.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhbht.exec:\tnhbht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttbhb.exec:\bttbhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpv.exec:\pdvpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfflrxf.exec:\lfflrxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhntb.exec:\nbhntb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g0082.exec:\g0082.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdjp.exec:\dvdjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a8224.exec:\a8224.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\86288.exec:\86288.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\c868068.exec:\c868068.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q24066.exec:\q24066.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rfrrfr.exec:\3rfrrfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\824088.exec:\824088.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4862244.exec:\4862244.exe17⤵
- Executes dropped EXE
-
\??\c:\btbttt.exec:\btbttt.exe18⤵
- Executes dropped EXE
-
\??\c:\i642400.exec:\i642400.exe19⤵
- Executes dropped EXE
-
\??\c:\rrllrrx.exec:\rrllrrx.exe20⤵
- Executes dropped EXE
-
\??\c:\u688046.exec:\u688046.exe21⤵
- Executes dropped EXE
-
\??\c:\tnhbbb.exec:\tnhbbb.exe22⤵
- Executes dropped EXE
-
\??\c:\26464.exec:\26464.exe23⤵
- Executes dropped EXE
-
\??\c:\w82860.exec:\w82860.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xrflffr.exec:\xrflffr.exe25⤵
- Executes dropped EXE
-
\??\c:\86828.exec:\86828.exe26⤵
- Executes dropped EXE
-
\??\c:\s2600.exec:\s2600.exe27⤵
- Executes dropped EXE
-
\??\c:\820800.exec:\820800.exe28⤵
- Executes dropped EXE
-
\??\c:\lffrxfr.exec:\lffrxfr.exe29⤵
- Executes dropped EXE
-
\??\c:\46284.exec:\46284.exe30⤵
- Executes dropped EXE
-
\??\c:\046844.exec:\046844.exe31⤵
- Executes dropped EXE
-
\??\c:\jdjdp.exec:\jdjdp.exe32⤵
- Executes dropped EXE
-
\??\c:\jvppv.exec:\jvppv.exe33⤵
- Executes dropped EXE
-
\??\c:\a2246.exec:\a2246.exe34⤵
- Executes dropped EXE
-
\??\c:\26842.exec:\26842.exe35⤵
- Executes dropped EXE
-
\??\c:\5rffxff.exec:\5rffxff.exe36⤵
- Executes dropped EXE
-
\??\c:\tnbhhn.exec:\tnbhhn.exe37⤵
- Executes dropped EXE
-
\??\c:\5frrrrr.exec:\5frrrrr.exe38⤵
- Executes dropped EXE
-
\??\c:\vjddp.exec:\vjddp.exe39⤵
- Executes dropped EXE
-
\??\c:\xllfllr.exec:\xllfllr.exe40⤵
- Executes dropped EXE
-
\??\c:\82846.exec:\82846.exe41⤵
- Executes dropped EXE
-
\??\c:\5vvvd.exec:\5vvvd.exe42⤵
- Executes dropped EXE
-
\??\c:\htnbnn.exec:\htnbnn.exe43⤵
- Executes dropped EXE
-
\??\c:\642848.exec:\642848.exe44⤵
- Executes dropped EXE
-
\??\c:\w08404.exec:\w08404.exe45⤵
- Executes dropped EXE
-
\??\c:\6024062.exec:\6024062.exe46⤵
- Executes dropped EXE
-
\??\c:\o640828.exec:\o640828.exe47⤵
- Executes dropped EXE
-
\??\c:\2628800.exec:\2628800.exe48⤵
- Executes dropped EXE
-
\??\c:\480688.exec:\480688.exe49⤵
- Executes dropped EXE
-
\??\c:\3jppp.exec:\3jppp.exe50⤵
- Executes dropped EXE
-
\??\c:\a8004.exec:\a8004.exe51⤵
- Executes dropped EXE
-
\??\c:\q20448.exec:\q20448.exe52⤵
- Executes dropped EXE
-
\??\c:\dvpdj.exec:\dvpdj.exe53⤵
- Executes dropped EXE
-
\??\c:\206062.exec:\206062.exe54⤵
- Executes dropped EXE
-
\??\c:\jpjjj.exec:\jpjjj.exe55⤵
- Executes dropped EXE
-
\??\c:\2022828.exec:\2022828.exe56⤵
- Executes dropped EXE
-
\??\c:\1btntt.exec:\1btntt.exe57⤵
- Executes dropped EXE
-
\??\c:\xrflrll.exec:\xrflrll.exe58⤵
- Executes dropped EXE
-
\??\c:\htttbt.exec:\htttbt.exe59⤵
- Executes dropped EXE
-
\??\c:\6080684.exec:\6080684.exe60⤵
- Executes dropped EXE
-
\??\c:\frflxrx.exec:\frflxrx.exe61⤵
- Executes dropped EXE
-
\??\c:\tnbhnn.exec:\tnbhnn.exe62⤵
- Executes dropped EXE
-
\??\c:\3tntbh.exec:\3tntbh.exe63⤵
- Executes dropped EXE
-
\??\c:\bntttb.exec:\bntttb.exe64⤵
- Executes dropped EXE
-
\??\c:\868840.exec:\868840.exe65⤵
- Executes dropped EXE
-
\??\c:\64206.exec:\64206.exe66⤵
-
\??\c:\264628.exec:\264628.exe67⤵
-
\??\c:\m4228.exec:\m4228.exe68⤵
-
\??\c:\20840.exec:\20840.exe69⤵
-
\??\c:\m4666.exec:\m4666.exe70⤵
-
\??\c:\2066662.exec:\2066662.exe71⤵
-
\??\c:\frfrxxf.exec:\frfrxxf.exe72⤵
-
\??\c:\82468.exec:\82468.exe73⤵
-
\??\c:\vjpvj.exec:\vjpvj.exe74⤵
-
\??\c:\0884602.exec:\0884602.exe75⤵
-
\??\c:\428848.exec:\428848.exe76⤵
-
\??\c:\426666.exec:\426666.exe77⤵
-
\??\c:\9lxfllf.exec:\9lxfllf.exe78⤵
-
\??\c:\5fxxffl.exec:\5fxxffl.exe79⤵
-
\??\c:\08464.exec:\08464.exe80⤵
-
\??\c:\s8222.exec:\s8222.exe81⤵
-
\??\c:\w28888.exec:\w28888.exe82⤵
-
\??\c:\i200228.exec:\i200228.exe83⤵
-
\??\c:\3flfrlr.exec:\3flfrlr.exe84⤵
-
\??\c:\dvdjp.exec:\dvdjp.exe85⤵
-
\??\c:\828406.exec:\828406.exe86⤵
-
\??\c:\602844.exec:\602844.exe87⤵
-
\??\c:\5hbhnh.exec:\5hbhnh.exe88⤵
-
\??\c:\9vpdj.exec:\9vpdj.exe89⤵
-
\??\c:\g8062.exec:\g8062.exe90⤵
-
\??\c:\5btnbt.exec:\5btnbt.exe91⤵
-
\??\c:\o800040.exec:\o800040.exe92⤵
-
\??\c:\5nhnnb.exec:\5nhnnb.exe93⤵
-
\??\c:\o806626.exec:\o806626.exe94⤵
-
\??\c:\s6402.exec:\s6402.exe95⤵
-
\??\c:\9xllrrl.exec:\9xllrrl.exe96⤵
-
\??\c:\4868880.exec:\4868880.exe97⤵
-
\??\c:\hntbnh.exec:\hntbnh.exe98⤵
-
\??\c:\c080284.exec:\c080284.exe99⤵
-
\??\c:\xlxllff.exec:\xlxllff.exe100⤵
-
\??\c:\04628.exec:\04628.exe101⤵
-
\??\c:\pdjjd.exec:\pdjjd.exe102⤵
-
\??\c:\dpvdp.exec:\dpvdp.exe103⤵
-
\??\c:\nbnbhh.exec:\nbnbhh.exe104⤵
-
\??\c:\httbhb.exec:\httbhb.exe105⤵
-
\??\c:\1dppj.exec:\1dppj.exe106⤵
-
\??\c:\86284.exec:\86284.exe107⤵
-
\??\c:\0866288.exec:\0866288.exe108⤵
-
\??\c:\frxlrxf.exec:\frxlrxf.exe109⤵
-
\??\c:\lfrxxxf.exec:\lfrxxxf.exe110⤵
-
\??\c:\64624.exec:\64624.exe111⤵
-
\??\c:\thtttt.exec:\thtttt.exe112⤵
-
\??\c:\bnttbb.exec:\bnttbb.exe113⤵
-
\??\c:\ntnnnn.exec:\ntnnnn.exe114⤵
-
\??\c:\hthnnn.exec:\hthnnn.exe115⤵
-
\??\c:\9jpjj.exec:\9jpjj.exe116⤵
-
\??\c:\42446.exec:\42446.exe117⤵
-
\??\c:\60800.exec:\60800.exe118⤵
-
\??\c:\pdddj.exec:\pdddj.exe119⤵
-
\??\c:\o200600.exec:\o200600.exe120⤵
-
\??\c:\8684628.exec:\8684628.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-