Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23-11-2024 17:22
General
-
Target
f63c1573e9607c6635c9adfbcb79d4918e1fe502946222de8d06c59b1fb4a995.exe
-
Size
89KB
-
MD5
f891b4e0104d419684830cfb7653df6e
-
SHA1
0558b2f23024e30754c82a8ea2450a9a923f5ba8
-
SHA256
f63c1573e9607c6635c9adfbcb79d4918e1fe502946222de8d06c59b1fb4a995
-
SHA512
8499aef9637c0e483905a2d61e7e66f9a10d56a400d2292159bfd921b786fb16bc7bd8618eb20e809612ae303b4fbbf09781ae576a6fe827d6f712b14288ae50
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoAXPfgr2hKmdbcPi2vhdW/:ymb3NkkiQ3mdBjFo6Pfgy3dbc/hdW/
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f63c1573e9607c6635c9adfbcb79d4918e1fe502946222de8d06c59b1fb4a995.exe"C:\Users\Admin\AppData\Local\Temp\f63c1573e9607c6635c9adfbcb79d4918e1fe502946222de8d06c59b1fb4a995.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\9llxfxx.exec:\9llxfxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbhhh.exec:\htbhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7dpvp.exec:\7dpvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjpv.exec:\pjjpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xrxxff.exec:\7xrxxff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbtnn.exec:\htbtnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpdj.exec:\ddpdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rrflrf.exec:\1rrflrf.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\htbntt.exec:\htbntt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bbttn.exec:\5bbttn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjjv.exec:\pdjjv.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxxffl.exec:\rlxxffl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxlrxf.exec:\xrxlrxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7httbt.exec:\7httbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvdv.exec:\dvvdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7jddd.exec:\7jddd.exe17⤵
- Executes dropped EXE
-
\??\c:\xrfrrrx.exec:\xrfrrrx.exe18⤵
- Executes dropped EXE
-
\??\c:\hntnbh.exec:\hntnbh.exe19⤵
- Executes dropped EXE
-
\??\c:\thttbb.exec:\thttbb.exe20⤵
- Executes dropped EXE
-
\??\c:\5jpvp.exec:\5jpvp.exe21⤵
- Executes dropped EXE
-
\??\c:\frxfllr.exec:\frxfllr.exe22⤵
- Executes dropped EXE
-
\??\c:\5xflrlx.exec:\5xflrlx.exe23⤵
- Executes dropped EXE
-
\??\c:\3hnhnb.exec:\3hnhnb.exe24⤵
- Executes dropped EXE
-
\??\c:\jdppd.exec:\jdppd.exe25⤵
- Executes dropped EXE
-
\??\c:\lfxrrrx.exec:\lfxrrrx.exe26⤵
- Executes dropped EXE
-
\??\c:\frfffff.exec:\frfffff.exe27⤵
- Executes dropped EXE
-
\??\c:\thhbbb.exec:\thhbbb.exe28⤵
- Executes dropped EXE
-
\??\c:\9nbtbh.exec:\9nbtbh.exe29⤵
- Executes dropped EXE
-
\??\c:\dvdvd.exec:\dvdvd.exe30⤵
- Executes dropped EXE
-
\??\c:\3lrrxxf.exec:\3lrrxxf.exe31⤵
- Executes dropped EXE
-
\??\c:\fxrlrrr.exec:\fxrlrrr.exe32⤵
- Executes dropped EXE
-
\??\c:\bhnnbb.exec:\bhnnbb.exe33⤵
- Executes dropped EXE
-
\??\c:\jdvvv.exec:\jdvvv.exe34⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe35⤵
- Executes dropped EXE
-
\??\c:\xlxrrlr.exec:\xlxrrlr.exe36⤵
- Executes dropped EXE
-
\??\c:\rfrrfff.exec:\rfrrfff.exe37⤵
- Executes dropped EXE
-
\??\c:\tnnhhh.exec:\tnnhhh.exe38⤵
- Executes dropped EXE
-
\??\c:\9tnhnh.exec:\9tnhnh.exe39⤵
- Executes dropped EXE
-
\??\c:\dpdpv.exec:\dpdpv.exe40⤵
- Executes dropped EXE
-
\??\c:\jjppd.exec:\jjppd.exe41⤵
- Executes dropped EXE
-
\??\c:\xrxrrlr.exec:\xrxrrlr.exe42⤵
- Executes dropped EXE
-
\??\c:\frrflfl.exec:\frrflfl.exe43⤵
- Executes dropped EXE
-
\??\c:\nntnbn.exec:\nntnbn.exe44⤵
- Executes dropped EXE
-
\??\c:\nhbbhn.exec:\nhbbhn.exe45⤵
- Executes dropped EXE
-
\??\c:\dvjdj.exec:\dvjdj.exe46⤵
- Executes dropped EXE
-
\??\c:\jvddj.exec:\jvddj.exe47⤵
- Executes dropped EXE
-
\??\c:\jvdpv.exec:\jvdpv.exe48⤵
- Executes dropped EXE
-
\??\c:\rlrfrxf.exec:\rlrfrxf.exe49⤵
- Executes dropped EXE
-
\??\c:\xlrlrll.exec:\xlrlrll.exe50⤵
- Executes dropped EXE
-
\??\c:\hbntnt.exec:\hbntnt.exe51⤵
- Executes dropped EXE
-
\??\c:\dpjvd.exec:\dpjvd.exe52⤵
- Executes dropped EXE
-
\??\c:\fxlxllr.exec:\fxlxllr.exe53⤵
- Executes dropped EXE
-
\??\c:\frffffl.exec:\frffffl.exe54⤵
- Executes dropped EXE
-
\??\c:\htbbbb.exec:\htbbbb.exe55⤵
- Executes dropped EXE
-
\??\c:\tbtttn.exec:\tbtttn.exe56⤵
- Executes dropped EXE
-
\??\c:\jvdjp.exec:\jvdjp.exe57⤵
- Executes dropped EXE
-
\??\c:\3dvvp.exec:\3dvvp.exe58⤵
- Executes dropped EXE
-
\??\c:\fxxrlll.exec:\fxxrlll.exe59⤵
- Executes dropped EXE
-
\??\c:\5rxxrxx.exec:\5rxxrxx.exe60⤵
- Executes dropped EXE
-
\??\c:\bnnhbh.exec:\bnnhbh.exe61⤵
- Executes dropped EXE
-
\??\c:\3hhhhb.exec:\3hhhhb.exe62⤵
- Executes dropped EXE
-
\??\c:\dpvjp.exec:\dpvjp.exe63⤵
- Executes dropped EXE
-
\??\c:\vjppv.exec:\vjppv.exe64⤵
- Executes dropped EXE
-
\??\c:\xlxrfff.exec:\xlxrfff.exe65⤵
- Executes dropped EXE
-
\??\c:\frxrxrf.exec:\frxrxrf.exe66⤵
- Executes dropped EXE
-
\??\c:\nbnntn.exec:\nbnntn.exe67⤵
-
\??\c:\7nhhnh.exec:\7nhhnh.exe68⤵
-
\??\c:\9jjpd.exec:\9jjpd.exe69⤵
-
\??\c:\vpdjp.exec:\vpdjp.exe70⤵
-
\??\c:\xxrlrrf.exec:\xxrlrrf.exe71⤵
-
\??\c:\5frxxxx.exec:\5frxxxx.exe72⤵
-
\??\c:\rflfffl.exec:\rflfffl.exe73⤵
-
\??\c:\5htttt.exec:\5htttt.exe74⤵
-
\??\c:\bntntt.exec:\bntntt.exe75⤵
-
\??\c:\pjdvp.exec:\pjdvp.exe76⤵
-
\??\c:\3jpvd.exec:\3jpvd.exe77⤵
-
\??\c:\rrfrxxf.exec:\rrfrxxf.exe78⤵
-
\??\c:\lflxffr.exec:\lflxffr.exe79⤵
-
\??\c:\lxrrxlx.exec:\lxrrxlx.exe80⤵
-
\??\c:\hbntht.exec:\hbntht.exe81⤵
-
\??\c:\bnnhbt.exec:\bnnhbt.exe82⤵
-
\??\c:\pjpjp.exec:\pjpjp.exe83⤵
-
\??\c:\pjvvv.exec:\pjvvv.exe84⤵
-
\??\c:\xrlrffx.exec:\xrlrffx.exe85⤵
-
\??\c:\3lffffl.exec:\3lffffl.exe86⤵
-
\??\c:\fxlfllr.exec:\fxlfllr.exe87⤵
-
\??\c:\tntthh.exec:\tntthh.exe88⤵
-
\??\c:\nnbhhh.exec:\nnbhhh.exe89⤵
-
\??\c:\5vdvd.exec:\5vdvd.exe90⤵
-
\??\c:\pdjpd.exec:\pdjpd.exe91⤵
-
\??\c:\5lrflff.exec:\5lrflff.exe92⤵
-
\??\c:\rlrfrxf.exec:\rlrfrxf.exe93⤵
-
\??\c:\xrlflll.exec:\xrlflll.exe94⤵
-
\??\c:\3bttbb.exec:\3bttbb.exe95⤵
-
\??\c:\bttntt.exec:\bttntt.exe96⤵
-
\??\c:\vjjjp.exec:\vjjjp.exe97⤵
-
\??\c:\dpppp.exec:\dpppp.exe98⤵
-
\??\c:\fxlllrr.exec:\fxlllrr.exe99⤵
-
\??\c:\lrfflll.exec:\lrfflll.exe100⤵
- System Location Discovery: System Language Discovery
-
\??\c:\thtntn.exec:\thtntn.exe101⤵
-
\??\c:\bttbbb.exec:\bttbbb.exe102⤵
-
\??\c:\jppjv.exec:\jppjv.exe103⤵
-
\??\c:\vjvdp.exec:\vjvdp.exe104⤵
-
\??\c:\rflfllr.exec:\rflfllr.exe105⤵
-
\??\c:\lflrrrl.exec:\lflrrrl.exe106⤵
-
\??\c:\thnhtb.exec:\thnhtb.exe107⤵
-
\??\c:\bnhhbh.exec:\bnhhbh.exe108⤵
-
\??\c:\htnhtt.exec:\htnhtt.exe109⤵
-
\??\c:\5vjdj.exec:\5vjdj.exe110⤵
-
\??\c:\pdpjj.exec:\pdpjj.exe111⤵
-
\??\c:\rfxrrrf.exec:\rfxrrrf.exe112⤵
-
\??\c:\llfxffr.exec:\llfxffr.exe113⤵
-
\??\c:\nbnntt.exec:\nbnntt.exe114⤵
-
\??\c:\nbbntb.exec:\nbbntb.exe115⤵
-
\??\c:\vpdjp.exec:\vpdjp.exe116⤵
-
\??\c:\vpvvd.exec:\vpvvd.exe117⤵
-
\??\c:\7pvjj.exec:\7pvjj.exe118⤵
-
\??\c:\1frlrrx.exec:\1frlrrx.exe119⤵
-
\??\c:\lfxxxxf.exec:\lfxxxxf.exe120⤵
-
\??\c:\nnhthn.exec:\nnhthn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-