Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
23-11-2024 16:25
General
-
Target
ee2cd552202dfeaf289b4135085782adab6e332c195284c32543f16a762a4ff3.exe
-
Size
245KB
-
MD5
bf2695c48bf77c994421e0592f2d2953
-
SHA1
71abe1c2be83a5402a3bdeb9f13c12475ac3f903
-
SHA256
ee2cd552202dfeaf289b4135085782adab6e332c195284c32543f16a762a4ff3
-
SHA512
b5c8d482dda726c8dee89bf8d14f975d6b046019684acc38870fab911a83451257027b239efc3bba22c18221cc8074933c63f9135deb13682818e41d9f741dc8
-
SSDEEP
6144:n3C9BRo7tvnJ9oEz2Eu9XgcVyDOoZU0wGiv/U:n3C9ytvnV2NQAo20wGivs
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee2cd552202dfeaf289b4135085782adab6e332c195284c32543f16a762a4ff3.exe"C:\Users\Admin\AppData\Local\Temp\ee2cd552202dfeaf289b4135085782adab6e332c195284c32543f16a762a4ff3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\204806.exec:\204806.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\268406.exec:\268406.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\480602.exec:\480602.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g4286.exec:\g4286.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60248.exec:\60248.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2688024.exec:\2688024.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrxrxr.exec:\llrxrxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhhbh.exec:\tnhhbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k08068.exec:\k08068.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrrxfr.exec:\fxrrxfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rlrffl.exec:\5rlrffl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\048400.exec:\048400.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26024.exec:\26024.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\602288.exec:\602288.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\604088.exec:\604088.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6002424.exec:\6002424.exe17⤵
- Executes dropped EXE
-
\??\c:\ddvpv.exec:\ddvpv.exe18⤵
- Executes dropped EXE
-
\??\c:\pjvdj.exec:\pjvdj.exe19⤵
- Executes dropped EXE
-
\??\c:\u428280.exec:\u428280.exe20⤵
- Executes dropped EXE
-
\??\c:\hhbtbh.exec:\hhbtbh.exe21⤵
- Executes dropped EXE
-
\??\c:\g8688.exec:\g8688.exe22⤵
- Executes dropped EXE
-
\??\c:\00608.exec:\00608.exe23⤵
- Executes dropped EXE
-
\??\c:\k86806.exec:\k86806.exe24⤵
- Executes dropped EXE
-
\??\c:\htbhhh.exec:\htbhhh.exe25⤵
- Executes dropped EXE
-
\??\c:\2202806.exec:\2202806.exe26⤵
- Executes dropped EXE
-
\??\c:\66462.exec:\66462.exe27⤵
- Executes dropped EXE
-
\??\c:\04624.exec:\04624.exe28⤵
- Executes dropped EXE
-
\??\c:\0428224.exec:\0428224.exe29⤵
- Executes dropped EXE
-
\??\c:\4868406.exec:\4868406.exe30⤵
- Executes dropped EXE
-
\??\c:\dpddv.exec:\dpddv.exe31⤵
- Executes dropped EXE
-
\??\c:\648426.exec:\648426.exe32⤵
- Executes dropped EXE
-
\??\c:\lfrxrxl.exec:\lfrxrxl.exe33⤵
- Executes dropped EXE
-
\??\c:\vpvvd.exec:\vpvvd.exe34⤵
- Executes dropped EXE
-
\??\c:\4202468.exec:\4202468.exe35⤵
- Executes dropped EXE
-
\??\c:\60882.exec:\60882.exe36⤵
- Executes dropped EXE
-
\??\c:\8680606.exec:\8680606.exe37⤵
- Executes dropped EXE
-
\??\c:\o228246.exec:\o228246.exe38⤵
- Executes dropped EXE
-
\??\c:\08006.exec:\08006.exe39⤵
- Executes dropped EXE
-
\??\c:\48602.exec:\48602.exe40⤵
- Executes dropped EXE
-
\??\c:\42068.exec:\42068.exe41⤵
- Executes dropped EXE
-
\??\c:\22682.exec:\22682.exe42⤵
- Executes dropped EXE
-
\??\c:\frxxffl.exec:\frxxffl.exe43⤵
- Executes dropped EXE
-
\??\c:\frrlrll.exec:\frrlrll.exe44⤵
- Executes dropped EXE
-
\??\c:\4242828.exec:\4242828.exe45⤵
- Executes dropped EXE
-
\??\c:\m4044.exec:\m4044.exe46⤵
- Executes dropped EXE
-
\??\c:\208866.exec:\208866.exe47⤵
- Executes dropped EXE
-
\??\c:\dpvpv.exec:\dpvpv.exe48⤵
- Executes dropped EXE
-
\??\c:\6686402.exec:\6686402.exe49⤵
- Executes dropped EXE
-
\??\c:\xlxlxrx.exec:\xlxlxrx.exe50⤵
- Executes dropped EXE
-
\??\c:\1hbhtt.exec:\1hbhtt.exe51⤵
- Executes dropped EXE
-
\??\c:\202840.exec:\202840.exe52⤵
- Executes dropped EXE
-
\??\c:\206222.exec:\206222.exe53⤵
- Executes dropped EXE
-
\??\c:\1flfxrr.exec:\1flfxrr.exe54⤵
- Executes dropped EXE
-
\??\c:\q02484.exec:\q02484.exe55⤵
- Executes dropped EXE
-
\??\c:\bntbbh.exec:\bntbbh.exe56⤵
- Executes dropped EXE
-
\??\c:\nhnnht.exec:\nhnnht.exe57⤵
- Executes dropped EXE
-
\??\c:\htnnnh.exec:\htnnnh.exe58⤵
- Executes dropped EXE
-
\??\c:\xlffxfl.exec:\xlffxfl.exe59⤵
- Executes dropped EXE
-
\??\c:\xrfrxfl.exec:\xrfrxfl.exe60⤵
- Executes dropped EXE
-
\??\c:\7nhhtb.exec:\7nhhtb.exe61⤵
- Executes dropped EXE
-
\??\c:\c266662.exec:\c266662.exe62⤵
- Executes dropped EXE
-
\??\c:\8022222.exec:\8022222.exe63⤵
- Executes dropped EXE
-
\??\c:\08068.exec:\08068.exe64⤵
- Executes dropped EXE
-
\??\c:\nnhntb.exec:\nnhntb.exe65⤵
- Executes dropped EXE
-
\??\c:\nhtnnt.exec:\nhtnnt.exe66⤵
-
\??\c:\nhttbn.exec:\nhttbn.exe67⤵
-
\??\c:\vjpvv.exec:\vjpvv.exe68⤵
-
\??\c:\486240.exec:\486240.exe69⤵
-
\??\c:\nbnbhh.exec:\nbnbhh.exe70⤵
-
\??\c:\s2462.exec:\s2462.exe71⤵
-
\??\c:\c800222.exec:\c800222.exe72⤵
-
\??\c:\ppjjv.exec:\ppjjv.exe73⤵
-
\??\c:\0424640.exec:\0424640.exe74⤵
-
\??\c:\xxllrrr.exec:\xxllrrr.exe75⤵
-
\??\c:\5bnbtt.exec:\5bnbtt.exe76⤵
-
\??\c:\pdvvd.exec:\pdvvd.exe77⤵
-
\??\c:\xrxxllr.exec:\xrxxllr.exe78⤵
-
\??\c:\w86240.exec:\w86240.exe79⤵
-
\??\c:\lxflfxx.exec:\lxflfxx.exe80⤵
- System Location Discovery: System Language Discovery
-
\??\c:\66406.exec:\66406.exe81⤵
-
\??\c:\tnbhhh.exec:\tnbhhh.exe82⤵
-
\??\c:\hhhtht.exec:\hhhtht.exe83⤵
-
\??\c:\428404.exec:\428404.exe84⤵
-
\??\c:\k08028.exec:\k08028.exe85⤵
-
\??\c:\m0228.exec:\m0228.exe86⤵
-
\??\c:\26442.exec:\26442.exe87⤵
-
\??\c:\088464.exec:\088464.exe88⤵
-
\??\c:\6464668.exec:\6464668.exe89⤵
-
\??\c:\g4464.exec:\g4464.exe90⤵
-
\??\c:\g2440.exec:\g2440.exe91⤵
-
\??\c:\o082824.exec:\o082824.exe92⤵
-
\??\c:\268088.exec:\268088.exe93⤵
-
\??\c:\rrrxffr.exec:\rrrxffr.exe94⤵
-
\??\c:\ttnbnt.exec:\ttnbnt.exe95⤵
-
\??\c:\djppv.exec:\djppv.exe96⤵
-
\??\c:\0449bt.exec:\0449bt.exe97⤵
-
\??\c:\64840.exec:\64840.exe98⤵
-
\??\c:\004640.exec:\004640.exe99⤵
-
\??\c:\8680228.exec:\8680228.exe100⤵
-
\??\c:\608068.exec:\608068.exe101⤵
-
\??\c:\80220.exec:\80220.exe102⤵
-
\??\c:\tnhnnt.exec:\tnhnnt.exe103⤵
-
\??\c:\xlrrrxx.exec:\xlrrrxx.exe104⤵
-
\??\c:\k60206.exec:\k60206.exe105⤵
-
\??\c:\xlxrfff.exec:\xlxrfff.exe106⤵
-
\??\c:\hbbhnt.exec:\hbbhnt.exe107⤵
-
\??\c:\7jvvj.exec:\7jvvj.exe108⤵
-
\??\c:\o462000.exec:\o462000.exe109⤵
-
\??\c:\vpppv.exec:\vpppv.exe110⤵
-
\??\c:\866622.exec:\866622.exe111⤵
-
\??\c:\9dvdp.exec:\9dvdp.exe112⤵
-
\??\c:\s0662.exec:\s0662.exe113⤵
-
\??\c:\6028846.exec:\6028846.exe114⤵
-
\??\c:\vjvpv.exec:\vjvpv.exe115⤵
-
\??\c:\6406002.exec:\6406002.exe116⤵
-
\??\c:\84668.exec:\84668.exe117⤵
-
\??\c:\8222468.exec:\8222468.exe118⤵
-
\??\c:\s2068.exec:\s2068.exe119⤵
-
\??\c:\llflrfr.exec:\llflrfr.exe120⤵
-
\??\c:\08064.exec:\08064.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-