Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-11-2024 01:48
General
-
Target
c81a98664ccc133419938b9cf45b3cacfef17d1532cf2268d9781234d77795e7N.exe
-
Size
81KB
-
MD5
b6cf6aadf7676a92e6bda3f5a15aba80
-
SHA1
a328464a4187e48dad5e28121068ae690fd4c872
-
SHA256
c81a98664ccc133419938b9cf45b3cacfef17d1532cf2268d9781234d77795e7
-
SHA512
b3492d1cc071908d5af85951d90d79b775495f2542f87dcedb74abc2682a2f5ffa41a775e772a94391bad219b0fe6f172cda46fa04eebc05e2347855d13ea8d0
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5rINFE4yeqx:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCu41
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c81a98664ccc133419938b9cf45b3cacfef17d1532cf2268d9781234d77795e7N.exe"C:\Users\Admin\AppData\Local\Temp\c81a98664ccc133419938b9cf45b3cacfef17d1532cf2268d9781234d77795e7N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvd.exec:\dvpvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfrxxr.exec:\llfrxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbhnh.exec:\hhbhnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjd.exec:\dvpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrxlf.exec:\fxlrxlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhntbb.exec:\nhntbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpdp.exec:\jdpdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvppv.exec:\dvppv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthnbn.exec:\bthnbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5hhttt.exec:\5hhttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvjv.exec:\jdvjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rffffr.exec:\5rffffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxxfrx.exec:\llxxfrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntbnt.exec:\bntbnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvdp.exec:\jdvdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9djvd.exec:\9djvd.exe17⤵
- Executes dropped EXE
-
\??\c:\ffxxxrx.exec:\ffxxxrx.exe18⤵
- Executes dropped EXE
-
\??\c:\xrfrrxx.exec:\xrfrrxx.exe19⤵
- Executes dropped EXE
-
\??\c:\nhbbnb.exec:\nhbbnb.exe20⤵
- Executes dropped EXE
-
\??\c:\nhtnnt.exec:\nhtnnt.exe21⤵
- Executes dropped EXE
-
\??\c:\pjdjd.exec:\pjdjd.exe22⤵
- Executes dropped EXE
-
\??\c:\frxrrlf.exec:\frxrrlf.exe23⤵
- Executes dropped EXE
-
\??\c:\lfxfrxr.exec:\lfxfrxr.exe24⤵
- Executes dropped EXE
-
\??\c:\7bhnbn.exec:\7bhnbn.exe25⤵
- Executes dropped EXE
-
\??\c:\tthhnt.exec:\tthhnt.exe26⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe27⤵
- Executes dropped EXE
-
\??\c:\fxfflll.exec:\fxfflll.exe28⤵
- Executes dropped EXE
-
\??\c:\tnbhhh.exec:\tnbhhh.exe29⤵
- Executes dropped EXE
-
\??\c:\hbnhnn.exec:\hbnhnn.exe30⤵
- Executes dropped EXE
-
\??\c:\5vppv.exec:\5vppv.exe31⤵
- Executes dropped EXE
-
\??\c:\rfrfllr.exec:\rfrfllr.exe32⤵
- Executes dropped EXE
-
\??\c:\llrrxfr.exec:\llrrxfr.exe33⤵
- Executes dropped EXE
-
\??\c:\nntnbh.exec:\nntnbh.exe34⤵
- Executes dropped EXE
-
\??\c:\1jddj.exec:\1jddj.exe35⤵
- Executes dropped EXE
-
\??\c:\jddpp.exec:\jddpp.exe36⤵
- Executes dropped EXE
-
\??\c:\rfllxrr.exec:\rfllxrr.exe37⤵
- Executes dropped EXE
-
\??\c:\xxfflrr.exec:\xxfflrr.exe38⤵
- Executes dropped EXE
-
\??\c:\3hbbhb.exec:\3hbbhb.exe39⤵
- Executes dropped EXE
-
\??\c:\1jvvv.exec:\1jvvv.exe40⤵
- Executes dropped EXE
-
\??\c:\dpdjj.exec:\dpdjj.exe41⤵
- Executes dropped EXE
-
\??\c:\rrffrxl.exec:\rrffrxl.exe42⤵
- Executes dropped EXE
-
\??\c:\7tnnbn.exec:\7tnnbn.exe43⤵
- Executes dropped EXE
-
\??\c:\pjjpp.exec:\pjjpp.exe44⤵
- Executes dropped EXE
-
\??\c:\vjvpp.exec:\vjvpp.exe45⤵
- Executes dropped EXE
-
\??\c:\xlflfrx.exec:\xlflfrx.exe46⤵
- Executes dropped EXE
-
\??\c:\hthntn.exec:\hthntn.exe47⤵
- Executes dropped EXE
-
\??\c:\htbhhh.exec:\htbhhh.exe48⤵
- Executes dropped EXE
-
\??\c:\7jjjv.exec:\7jjjv.exe49⤵
- Executes dropped EXE
-
\??\c:\7dppj.exec:\7dppj.exe50⤵
- Executes dropped EXE
-
\??\c:\lxrrxxf.exec:\lxrrxxf.exe51⤵
- Executes dropped EXE
-
\??\c:\1htnbt.exec:\1htnbt.exe52⤵
- Executes dropped EXE
-
\??\c:\pjjjd.exec:\pjjjd.exe53⤵
- Executes dropped EXE
-
\??\c:\7jdvd.exec:\7jdvd.exe54⤵
- Executes dropped EXE
-
\??\c:\1xxxffl.exec:\1xxxffl.exe55⤵
- Executes dropped EXE
-
\??\c:\lfflffx.exec:\lfflffx.exe56⤵
- Executes dropped EXE
-
\??\c:\1tthtb.exec:\1tthtb.exe57⤵
- Executes dropped EXE
-
\??\c:\jdvjd.exec:\jdvjd.exe58⤵
- Executes dropped EXE
-
\??\c:\pdpjv.exec:\pdpjv.exe59⤵
- Executes dropped EXE
-
\??\c:\1xrrxxr.exec:\1xrrxxr.exe60⤵
- Executes dropped EXE
-
\??\c:\nnhhhh.exec:\nnhhhh.exe61⤵
- Executes dropped EXE
-
\??\c:\bnbbnt.exec:\bnbbnt.exe62⤵
- Executes dropped EXE
-
\??\c:\vvpdv.exec:\vvpdv.exe63⤵
- Executes dropped EXE
-
\??\c:\rrlfxrx.exec:\rrlfxrx.exe64⤵
- Executes dropped EXE
-
\??\c:\xrlflrx.exec:\xrlflrx.exe65⤵
- Executes dropped EXE
-
\??\c:\bbthtb.exec:\bbthtb.exe66⤵
-
\??\c:\bbhnhb.exec:\bbhnhb.exe67⤵
-
\??\c:\vvvpv.exec:\vvvpv.exe68⤵
-
\??\c:\jpdpv.exec:\jpdpv.exe69⤵
-
\??\c:\fxfxfxl.exec:\fxfxfxl.exe70⤵
-
\??\c:\3hhnhb.exec:\3hhnhb.exe71⤵
-
\??\c:\hhnnnn.exec:\hhnnnn.exe72⤵
-
\??\c:\dvppv.exec:\dvppv.exe73⤵
-
\??\c:\xxrfxxx.exec:\xxrfxxx.exe74⤵
-
\??\c:\rlxlxrf.exec:\rlxlxrf.exe75⤵
-
\??\c:\1ntbtb.exec:\1ntbtb.exe76⤵
-
\??\c:\jjpvp.exec:\jjpvp.exe77⤵
-
\??\c:\vpppp.exec:\vpppp.exe78⤵
-
\??\c:\rxxlllf.exec:\rxxlllf.exe79⤵
-
\??\c:\rflrxfl.exec:\rflrxfl.exe80⤵
-
\??\c:\nntnnh.exec:\nntnnh.exe81⤵
-
\??\c:\3jvdv.exec:\3jvdv.exe82⤵
-
\??\c:\vvdjd.exec:\vvdjd.exe83⤵
-
\??\c:\lfflxrr.exec:\lfflxrr.exe84⤵
-
\??\c:\xllxxrx.exec:\xllxxrx.exe85⤵
-
\??\c:\bnhnht.exec:\bnhnht.exe86⤵
-
\??\c:\jdppp.exec:\jdppp.exe87⤵
-
\??\c:\pjddj.exec:\pjddj.exe88⤵
-
\??\c:\5xxrxfl.exec:\5xxrxfl.exe89⤵
-
\??\c:\xrrrlxf.exec:\xrrrlxf.exe90⤵
-
\??\c:\bththt.exec:\bththt.exe91⤵
-
\??\c:\3tnntn.exec:\3tnntn.exe92⤵
-
\??\c:\jdjvp.exec:\jdjvp.exe93⤵
-
\??\c:\3jpdd.exec:\3jpdd.exe94⤵
-
\??\c:\xrrrxlr.exec:\xrrrxlr.exe95⤵
-
\??\c:\thbnbh.exec:\thbnbh.exe96⤵
-
\??\c:\tntbhh.exec:\tntbhh.exe97⤵
-
\??\c:\ddppj.exec:\ddppj.exe98⤵
-
\??\c:\dvdvp.exec:\dvdvp.exe99⤵
-
\??\c:\9lxrflr.exec:\9lxrflr.exe100⤵
-
\??\c:\7tbhbb.exec:\7tbhbb.exe101⤵
-
\??\c:\bththt.exec:\bththt.exe102⤵
-
\??\c:\7jdjj.exec:\7jdjj.exe103⤵
-
\??\c:\pvjpj.exec:\pvjpj.exe104⤵
-
\??\c:\lfxxxfl.exec:\lfxxxfl.exe105⤵
-
\??\c:\bbtthh.exec:\bbtthh.exe106⤵
-
\??\c:\htbhhh.exec:\htbhhh.exe107⤵
-
\??\c:\1tthnn.exec:\1tthnn.exe108⤵
-
\??\c:\pjjjj.exec:\pjjjj.exe109⤵
-
\??\c:\7xrfrrf.exec:\7xrfrrf.exe110⤵
-
\??\c:\xrfrfrr.exec:\xrfrfrr.exe111⤵
-
\??\c:\thnhbn.exec:\thnhbn.exe112⤵
-
\??\c:\bhttbb.exec:\bhttbb.exe113⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe114⤵
-
\??\c:\fxlflrx.exec:\fxlflrx.exe115⤵
-
\??\c:\llxlxlr.exec:\llxlxlr.exe116⤵
- System Location Discovery: System Language Discovery
-
\??\c:\lxfxllr.exec:\lxfxllr.exe117⤵
-
\??\c:\tnbhhn.exec:\tnbhhn.exe118⤵
-
\??\c:\djvpv.exec:\djvpv.exe119⤵
-
\??\c:\3vpdp.exec:\3vpdp.exe120⤵
-
\??\c:\ffrxllx.exec:\ffrxllx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-