Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
23-11-2024 19:57
General
-
Target
efab4e55f715fc0bcf1b1ebf74509c5b96a010ecc76885200a8a96fb161ba3e6N.exe
-
Size
335KB
-
MD5
3352ae640f8d2019a968527ea34338f0
-
SHA1
0f78bda70a60163b91bae2082e6b9d2f4124cadc
-
SHA256
efab4e55f715fc0bcf1b1ebf74509c5b96a010ecc76885200a8a96fb161ba3e6
-
SHA512
5fdcf2896e3fddc0c102aa88ca2df0b42fa23fe966569efb27a27e38625ccd1dcb2645148fc62fa4e61fbb15535c1b6e3d016b662002331c28807c31865b7505
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRb:R4wFHoSHYHUrAwfMp3CDRb
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 48 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\efab4e55f715fc0bcf1b1ebf74509c5b96a010ecc76885200a8a96fb161ba3e6N.exe"C:\Users\Admin\AppData\Local\Temp\efab4e55f715fc0bcf1b1ebf74509c5b96a010ecc76885200a8a96fb161ba3e6N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdvj.exec:\vpdvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g6884.exec:\g6884.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w66840.exec:\w66840.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\602626.exec:\602626.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbthn.exec:\nhbthn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\246006.exec:\246006.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m4246.exec:\m4246.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\882280.exec:\882280.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllxfr.exec:\fxllxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrfrfl.exec:\fxrfrfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q02662.exec:\q02662.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tbhtt.exec:\1tbhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08848.exec:\08848.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvdp.exec:\jjvdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\820028.exec:\820028.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\s4228.exec:\s4228.exe17⤵
- Executes dropped EXE
-
\??\c:\7tbtnt.exec:\7tbtnt.exe18⤵
- Executes dropped EXE
-
\??\c:\48620.exec:\48620.exe19⤵
- Executes dropped EXE
-
\??\c:\42440.exec:\42440.exe20⤵
- Executes dropped EXE
-
\??\c:\22646.exec:\22646.exe21⤵
- Executes dropped EXE
-
\??\c:\646024.exec:\646024.exe22⤵
- Executes dropped EXE
-
\??\c:\0460628.exec:\0460628.exe23⤵
- Executes dropped EXE
-
\??\c:\tnbbnn.exec:\tnbbnn.exe24⤵
- Executes dropped EXE
-
\??\c:\64228.exec:\64228.exe25⤵
- Executes dropped EXE
-
\??\c:\7rxrllx.exec:\7rxrllx.exe26⤵
- Executes dropped EXE
-
\??\c:\2222408.exec:\2222408.exe27⤵
- Executes dropped EXE
-
\??\c:\rrrxflx.exec:\rrrxflx.exe28⤵
- Executes dropped EXE
-
\??\c:\xrlrxxf.exec:\xrlrxxf.exe29⤵
- Executes dropped EXE
-
\??\c:\264668.exec:\264668.exe30⤵
- Executes dropped EXE
-
\??\c:\26248.exec:\26248.exe31⤵
- Executes dropped EXE
-
\??\c:\8240280.exec:\8240280.exe32⤵
- Executes dropped EXE
-
\??\c:\vpjjd.exec:\vpjjd.exe33⤵
- Executes dropped EXE
-
\??\c:\nhthtt.exec:\nhthtt.exe34⤵
- Executes dropped EXE
-
\??\c:\42024.exec:\42024.exe35⤵
- Executes dropped EXE
-
\??\c:\lxffrrx.exec:\lxffrrx.exe36⤵
- Executes dropped EXE
-
\??\c:\o026228.exec:\o026228.exe37⤵
- Executes dropped EXE
-
\??\c:\c022884.exec:\c022884.exe38⤵
- Executes dropped EXE
-
\??\c:\s8040.exec:\s8040.exe39⤵
- Executes dropped EXE
-
\??\c:\rffxlff.exec:\rffxlff.exe40⤵
- Executes dropped EXE
-
\??\c:\bbnbhn.exec:\bbnbhn.exe41⤵
- Executes dropped EXE
-
\??\c:\7vjvv.exec:\7vjvv.exe42⤵
- Executes dropped EXE
-
\??\c:\s6488.exec:\s6488.exe43⤵
- Executes dropped EXE
-
\??\c:\20404.exec:\20404.exe44⤵
- Executes dropped EXE
-
\??\c:\9pdvv.exec:\9pdvv.exe45⤵
- Executes dropped EXE
-
\??\c:\k28882.exec:\k28882.exe46⤵
- Executes dropped EXE
-
\??\c:\w68400.exec:\w68400.exe47⤵
- Executes dropped EXE
-
\??\c:\868004.exec:\868004.exe48⤵
- Executes dropped EXE
-
\??\c:\240026.exec:\240026.exe49⤵
- Executes dropped EXE
-
\??\c:\1vvdp.exec:\1vvdp.exe50⤵
- Executes dropped EXE
-
\??\c:\rfrrxxx.exec:\rfrrxxx.exe51⤵
- Executes dropped EXE
-
\??\c:\nbntnn.exec:\nbntnn.exe52⤵
- Executes dropped EXE
-
\??\c:\420004.exec:\420004.exe53⤵
- Executes dropped EXE
-
\??\c:\nbhbbt.exec:\nbhbbt.exe54⤵
- Executes dropped EXE
-
\??\c:\bnntbb.exec:\bnntbb.exe55⤵
- Executes dropped EXE
-
\??\c:\86888.exec:\86888.exe56⤵
- Executes dropped EXE
-
\??\c:\868828.exec:\868828.exe57⤵
- Executes dropped EXE
-
\??\c:\btnnbh.exec:\btnnbh.exe58⤵
- Executes dropped EXE
-
\??\c:\86888.exec:\86888.exe59⤵
- Executes dropped EXE
-
\??\c:\hbtbhh.exec:\hbtbhh.exe60⤵
- Executes dropped EXE
-
\??\c:\2080624.exec:\2080624.exe61⤵
- Executes dropped EXE
-
\??\c:\xrrrffl.exec:\xrrrffl.exe62⤵
- Executes dropped EXE
-
\??\c:\bnbbbb.exec:\bnbbbb.exe63⤵
- Executes dropped EXE
-
\??\c:\042288.exec:\042288.exe64⤵
- Executes dropped EXE
-
\??\c:\86484.exec:\86484.exe65⤵
- Executes dropped EXE
-
\??\c:\08828.exec:\08828.exe66⤵
-
\??\c:\nthhhh.exec:\nthhhh.exe67⤵
-
\??\c:\ppdjp.exec:\ppdjp.exe68⤵
-
\??\c:\202806.exec:\202806.exe69⤵
-
\??\c:\0422440.exec:\0422440.exe70⤵
-
\??\c:\xflrllr.exec:\xflrllr.exe71⤵
-
\??\c:\vjppv.exec:\vjppv.exe72⤵
-
\??\c:\pdjpv.exec:\pdjpv.exe73⤵
-
\??\c:\80624.exec:\80624.exe74⤵
-
\??\c:\8628006.exec:\8628006.exe75⤵
-
\??\c:\9pddv.exec:\9pddv.exe76⤵
-
\??\c:\2202008.exec:\2202008.exe77⤵
-
\??\c:\e02244.exec:\e02244.exe78⤵
-
\??\c:\3xlxxrr.exec:\3xlxxrr.exe79⤵
-
\??\c:\7jjpp.exec:\7jjpp.exe80⤵
-
\??\c:\486800.exec:\486800.exe81⤵
-
\??\c:\9pvdj.exec:\9pvdj.exe82⤵
-
\??\c:\nhttbh.exec:\nhttbh.exe83⤵
-
\??\c:\s4606.exec:\s4606.exe84⤵
-
\??\c:\pppdv.exec:\pppdv.exe85⤵
-
\??\c:\42440.exec:\42440.exe86⤵
-
\??\c:\q08460.exec:\q08460.exe87⤵
-
\??\c:\24284.exec:\24284.exe88⤵
-
\??\c:\rlxxxff.exec:\rlxxxff.exe89⤵
-
\??\c:\68800.exec:\68800.exe90⤵
-
\??\c:\6466824.exec:\6466824.exe91⤵
-
\??\c:\frflxfl.exec:\frflxfl.exe92⤵
-
\??\c:\64268.exec:\64268.exe93⤵
-
\??\c:\3ffflll.exec:\3ffflll.exe94⤵
-
\??\c:\420088.exec:\420088.exe95⤵
-
\??\c:\rrxfllx.exec:\rrxfllx.exe96⤵
-
\??\c:\m4620.exec:\m4620.exe97⤵
-
\??\c:\2426626.exec:\2426626.exe98⤵
-
\??\c:\xrfxxfl.exec:\xrfxxfl.exe99⤵
-
\??\c:\842062.exec:\842062.exe100⤵
-
\??\c:\8240280.exec:\8240280.exe101⤵
-
\??\c:\3rfrrlx.exec:\3rfrrlx.exe102⤵
-
\??\c:\c088662.exec:\c088662.exe103⤵
-
\??\c:\8622828.exec:\8622828.exe104⤵
-
\??\c:\vvvdp.exec:\vvvdp.exe105⤵
-
\??\c:\7bnttb.exec:\7bnttb.exe106⤵
-
\??\c:\868822.exec:\868822.exe107⤵
-
\??\c:\3nbbtb.exec:\3nbbtb.exe108⤵
-
\??\c:\5lfxxfr.exec:\5lfxxfr.exe109⤵
-
\??\c:\hbtbtt.exec:\hbtbtt.exe110⤵
-
\??\c:\886240.exec:\886240.exe111⤵
-
\??\c:\8686060.exec:\8686060.exe112⤵
-
\??\c:\c222464.exec:\c222464.exe113⤵
-
\??\c:\282460.exec:\282460.exe114⤵
-
\??\c:\lfxlxxr.exec:\lfxlxxr.exe115⤵
-
\??\c:\a8062.exec:\a8062.exe116⤵
-
\??\c:\004602.exec:\004602.exe117⤵
-
\??\c:\bnthnt.exec:\bnthnt.exe118⤵
-
\??\c:\jjvjv.exec:\jjvjv.exe119⤵
-
\??\c:\264686.exec:\264686.exe120⤵
-
\??\c:\nnhhht.exec:\nnhhht.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-