Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
23-11-2024 20:23
General
-
Target
20f7d72feb99d42814edcd10e400466a161bd0b86f90763360820a90b7582282.exe
-
Size
50KB
-
MD5
d66d1f39e03f980574c1cb69994925b7
-
SHA1
5622eadb2e97405ce00cbb01b934035b28b6adc2
-
SHA256
20f7d72feb99d42814edcd10e400466a161bd0b86f90763360820a90b7582282
-
SHA512
b92a50c8e9dabc49afbe888706c1185f5c581cf8fb3ae6de72e0215e3bdedab46e11e5f37312d2c2a0b8210f4f088b65ecee29b61f524bb918b6da5530242970
-
SSDEEP
1536:mAocdpeVoBDulhzHMb7xNAa04Mcg5IKvl2:0cdpeeBSHHMHLf9RyIN
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 55 IoCs
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\20f7d72feb99d42814edcd10e400466a161bd0b86f90763360820a90b7582282.exe"C:\Users\Admin\AppData\Local\Temp\20f7d72feb99d42814edcd10e400466a161bd0b86f90763360820a90b7582282.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\6066262.exec:\6066262.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbtbh.exec:\btbtbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvddv.exec:\jvddv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbbbh.exec:\tnbbbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttthn.exec:\bttthn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvjd.exec:\jdvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxxlfr.exec:\xrxxlfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthntt.exec:\bthntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjpj.exec:\vpjpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\264022.exec:\264022.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbbhh.exec:\bbbbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bhhhn.exec:\7bhhhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\048800.exec:\048800.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\220228.exec:\220228.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8628040.exec:\8628040.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvddd.exec:\pvddd.exe17⤵
- Executes dropped EXE
-
\??\c:\btnnhb.exec:\btnnhb.exe18⤵
- Executes dropped EXE
-
\??\c:\xxrflrx.exec:\xxrflrx.exe19⤵
- Executes dropped EXE
-
\??\c:\btnbtt.exec:\btnbtt.exe20⤵
- Executes dropped EXE
-
\??\c:\btnntb.exec:\btnntb.exe21⤵
- Executes dropped EXE
-
\??\c:\2488664.exec:\2488664.exe22⤵
- Executes dropped EXE
-
\??\c:\dpvdj.exec:\dpvdj.exe23⤵
- Executes dropped EXE
-
\??\c:\g8062.exec:\g8062.exe24⤵
- Executes dropped EXE
-
\??\c:\xxfxfff.exec:\xxfxfff.exe25⤵
- Executes dropped EXE
-
\??\c:\dpjvp.exec:\dpjvp.exe26⤵
- Executes dropped EXE
-
\??\c:\264808.exec:\264808.exe27⤵
- Executes dropped EXE
-
\??\c:\dpvdj.exec:\dpvdj.exe28⤵
- Executes dropped EXE
-
\??\c:\m4606.exec:\m4606.exe29⤵
- Executes dropped EXE
-
\??\c:\tnbhtt.exec:\tnbhtt.exe30⤵
- Executes dropped EXE
-
\??\c:\xxllrrx.exec:\xxllrrx.exe31⤵
- Executes dropped EXE
-
\??\c:\5vvvp.exec:\5vvvp.exe32⤵
- Executes dropped EXE
-
\??\c:\bntnhh.exec:\bntnhh.exe33⤵
- Executes dropped EXE
-
\??\c:\6066666.exec:\6066666.exe34⤵
- Executes dropped EXE
-
\??\c:\dvvpp.exec:\dvvpp.exe35⤵
- Executes dropped EXE
-
\??\c:\ththth.exec:\ththth.exe36⤵
- Executes dropped EXE
-
\??\c:\7ntbtb.exec:\7ntbtb.exe37⤵
- Executes dropped EXE
-
\??\c:\rfxxfxf.exec:\rfxxfxf.exe38⤵
- Executes dropped EXE
-
\??\c:\02062.exec:\02062.exe39⤵
- Executes dropped EXE
-
\??\c:\3ntttn.exec:\3ntttn.exe40⤵
- Executes dropped EXE
-
\??\c:\7frlrrr.exec:\7frlrrr.exe41⤵
- Executes dropped EXE
-
\??\c:\rflxlff.exec:\rflxlff.exe42⤵
- Executes dropped EXE
-
\??\c:\7nhtnb.exec:\7nhtnb.exe43⤵
- Executes dropped EXE
-
\??\c:\bntbbh.exec:\bntbbh.exe44⤵
- Executes dropped EXE
-
\??\c:\82462.exec:\82462.exe45⤵
- Executes dropped EXE
-
\??\c:\8828400.exec:\8828400.exe46⤵
- Executes dropped EXE
-
\??\c:\q26206.exec:\q26206.exe47⤵
- Executes dropped EXE
-
\??\c:\82264.exec:\82264.exe48⤵
- Executes dropped EXE
-
\??\c:\hhbnth.exec:\hhbnth.exe49⤵
- Executes dropped EXE
-
\??\c:\60446.exec:\60446.exe50⤵
- Executes dropped EXE
-
\??\c:\3xxxffl.exec:\3xxxffl.exe51⤵
- Executes dropped EXE
-
\??\c:\224084.exec:\224084.exe52⤵
- Executes dropped EXE
-
\??\c:\3ddpp.exec:\3ddpp.exe53⤵
- Executes dropped EXE
-
\??\c:\tttnbb.exec:\tttnbb.exe54⤵
- Executes dropped EXE
-
\??\c:\7btbhb.exec:\7btbhb.exe55⤵
- Executes dropped EXE
-
\??\c:\jdvjv.exec:\jdvjv.exe56⤵
- Executes dropped EXE
-
\??\c:\006846.exec:\006846.exe57⤵
- Executes dropped EXE
-
\??\c:\864428.exec:\864428.exe58⤵
- Executes dropped EXE
-
\??\c:\jjpjj.exec:\jjpjj.exe59⤵
- Executes dropped EXE
-
\??\c:\822884.exec:\822884.exe60⤵
- Executes dropped EXE
-
\??\c:\i244628.exec:\i244628.exe61⤵
- Executes dropped EXE
-
\??\c:\rxrflrf.exec:\rxrflrf.exe62⤵
- Executes dropped EXE
-
\??\c:\48622.exec:\48622.exe63⤵
- Executes dropped EXE
-
\??\c:\4468044.exec:\4468044.exe64⤵
- Executes dropped EXE
-
\??\c:\nttbbn.exec:\nttbbn.exe65⤵
- Executes dropped EXE
-
\??\c:\26468.exec:\26468.exe66⤵
-
\??\c:\6404040.exec:\6404040.exe67⤵
-
\??\c:\lrxrxxf.exec:\lrxrxxf.exe68⤵
-
\??\c:\0088002.exec:\0088002.exe69⤵
-
\??\c:\llrrxfr.exec:\llrrxfr.exe70⤵
-
\??\c:\djvjj.exec:\djvjj.exe71⤵
-
\??\c:\q64688.exec:\q64688.exe72⤵
-
\??\c:\04008.exec:\04008.exe73⤵
-
\??\c:\0444062.exec:\0444062.exe74⤵
-
\??\c:\ntbnbt.exec:\ntbnbt.exe75⤵
-
\??\c:\rlflrxf.exec:\rlflrxf.exe76⤵
-
\??\c:\0244200.exec:\0244200.exe77⤵
-
\??\c:\4464668.exec:\4464668.exe78⤵
-
\??\c:\880606.exec:\880606.exe79⤵
-
\??\c:\lxfxllr.exec:\lxfxllr.exe80⤵
-
\??\c:\pjdvd.exec:\pjdvd.exe81⤵
-
\??\c:\848860.exec:\848860.exe82⤵
-
\??\c:\9frrfxl.exec:\9frrfxl.exe83⤵
-
\??\c:\5vjvd.exec:\5vjvd.exe84⤵
-
\??\c:\002284.exec:\002284.exe85⤵
-
\??\c:\ddvpj.exec:\ddvpj.exe86⤵
-
\??\c:\3bnnnn.exec:\3bnnnn.exe87⤵
-
\??\c:\vvjjj.exec:\vvjjj.exe88⤵
-
\??\c:\9xxxrrf.exec:\9xxxrrf.exe89⤵
-
\??\c:\llflrfx.exec:\llflrfx.exe90⤵
-
\??\c:\rxfxllx.exec:\rxfxllx.exe91⤵
-
\??\c:\064488.exec:\064488.exe92⤵
-
\??\c:\jjvdj.exec:\jjvdj.exe93⤵
-
\??\c:\dvjjj.exec:\dvjjj.exe94⤵
-
\??\c:\4462060.exec:\4462060.exe95⤵
-
\??\c:\bhhtht.exec:\bhhtht.exe96⤵
-
\??\c:\9llrfff.exec:\9llrfff.exe97⤵
-
\??\c:\42840.exec:\42840.exe98⤵
-
\??\c:\ppvjv.exec:\ppvjv.exe99⤵
-
\??\c:\hhtttt.exec:\hhtttt.exe100⤵
-
\??\c:\vvvvd.exec:\vvvvd.exe101⤵
-
\??\c:\9hhnnt.exec:\9hhnnt.exe102⤵
-
\??\c:\4800222.exec:\4800222.exe103⤵
-
\??\c:\264666.exec:\264666.exe104⤵
-
\??\c:\626288.exec:\626288.exe105⤵
-
\??\c:\c262402.exec:\c262402.exe106⤵
-
\??\c:\nhnnbb.exec:\nhnnbb.exe107⤵
-
\??\c:\7pdjj.exec:\7pdjj.exe108⤵
-
\??\c:\tthbhn.exec:\tthbhn.exe109⤵
-
\??\c:\o044006.exec:\o044006.exe110⤵
-
\??\c:\88848.exec:\88848.exe111⤵
-
\??\c:\0648444.exec:\0648444.exe112⤵
-
\??\c:\88202.exec:\88202.exe113⤵
-
\??\c:\rlxflll.exec:\rlxflll.exe114⤵
-
\??\c:\1xrlrll.exec:\1xrlrll.exe115⤵
-
\??\c:\tnnntb.exec:\tnnntb.exe116⤵
-
\??\c:\9tnbbh.exec:\9tnbbh.exe117⤵
-
\??\c:\7rllllr.exec:\7rllllr.exe118⤵
-
\??\c:\1bnttt.exec:\1bnttt.exe119⤵
-
\??\c:\lfflxlr.exec:\lfflxlr.exe120⤵
-
\??\c:\22628.exec:\22628.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-