Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-11-2024 01:21
General
-
Target
988b7520d682dbac0ceef153b106c1efaf2411751ec61cbde3587c6b39f016ecN.exe
-
Size
229KB
-
MD5
c5e7534975529f51823f5fd4190ede40
-
SHA1
ec7522020a699a8273ac8a81bcfe21bf1341ef1c
-
SHA256
988b7520d682dbac0ceef153b106c1efaf2411751ec61cbde3587c6b39f016ec
-
SHA512
99a9daf063e56f950e6aa884f3679d1df16e29fcb8b978dac2eecc5f6203cdb62a4bc9da27be6dcc63d4110b8ae5767964fd1e698d2be0a5fb9aa47bd9cd8b74
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLjBeGdQ:n3C9BRo7MlrWKo+lxKU
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\988b7520d682dbac0ceef153b106c1efaf2411751ec61cbde3587c6b39f016ecN.exe"C:\Users\Admin\AppData\Local\Temp\988b7520d682dbac0ceef153b106c1efaf2411751ec61cbde3587c6b39f016ecN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\06208.exec:\06208.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3llrffl.exec:\3llrffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\820600.exec:\820600.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxfrxl.exec:\ffxfrxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20426.exec:\20426.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w42466.exec:\w42466.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5dvjv.exec:\5dvjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5lrxfll.exec:\5lrxfll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjdp.exec:\jjjdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82468.exec:\82468.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\c084662.exec:\c084662.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\486840.exec:\486840.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dvdp.exec:\9dvdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxrlrf.exec:\lfxrlrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\06422.exec:\06422.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3thhbb.exec:\3thhbb.exe17⤵
- Executes dropped EXE
-
\??\c:\604088.exec:\604088.exe18⤵
- Executes dropped EXE
-
\??\c:\7llxlfx.exec:\7llxlfx.exe19⤵
- Executes dropped EXE
-
\??\c:\486022.exec:\486022.exe20⤵
- Executes dropped EXE
-
\??\c:\6266200.exec:\6266200.exe21⤵
- Executes dropped EXE
-
\??\c:\nthbtn.exec:\nthbtn.exe22⤵
- Executes dropped EXE
-
\??\c:\rrxflrl.exec:\rrxflrl.exe23⤵
- Executes dropped EXE
-
\??\c:\6602846.exec:\6602846.exe24⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe25⤵
- Executes dropped EXE
-
\??\c:\7pddp.exec:\7pddp.exe26⤵
- Executes dropped EXE
-
\??\c:\7pjpv.exec:\7pjpv.exe27⤵
- Executes dropped EXE
-
\??\c:\hhthbn.exec:\hhthbn.exe28⤵
- Executes dropped EXE
-
\??\c:\5djvv.exec:\5djvv.exe29⤵
- Executes dropped EXE
-
\??\c:\882862.exec:\882862.exe30⤵
- Executes dropped EXE
-
\??\c:\3tntbn.exec:\3tntbn.exe31⤵
- Executes dropped EXE
-
\??\c:\w26400.exec:\w26400.exe32⤵
- Executes dropped EXE
-
\??\c:\g6680.exec:\g6680.exe33⤵
- Executes dropped EXE
-
\??\c:\22248.exec:\22248.exe34⤵
- Executes dropped EXE
-
\??\c:\22224.exec:\22224.exe35⤵
- Executes dropped EXE
-
\??\c:\066806.exec:\066806.exe36⤵
- Executes dropped EXE
-
\??\c:\2820866.exec:\2820866.exe37⤵
- Executes dropped EXE
-
\??\c:\46608.exec:\46608.exe38⤵
- Executes dropped EXE
-
\??\c:\64624.exec:\64624.exe39⤵
- Executes dropped EXE
-
\??\c:\8868668.exec:\8868668.exe40⤵
- Executes dropped EXE
-
\??\c:\a8628.exec:\a8628.exe41⤵
- Executes dropped EXE
-
\??\c:\rlrxxrr.exec:\rlrxxrr.exe42⤵
- Executes dropped EXE
-
\??\c:\9hhtbt.exec:\9hhtbt.exe43⤵
- Executes dropped EXE
-
\??\c:\jjdjv.exec:\jjdjv.exe44⤵
- Executes dropped EXE
-
\??\c:\8424806.exec:\8424806.exe45⤵
- Executes dropped EXE
-
\??\c:\08246.exec:\08246.exe46⤵
- Executes dropped EXE
-
\??\c:\24040.exec:\24040.exe47⤵
- Executes dropped EXE
-
\??\c:\tttnht.exec:\tttnht.exe48⤵
- Executes dropped EXE
-
\??\c:\c202840.exec:\c202840.exe49⤵
- Executes dropped EXE
-
\??\c:\5lffflr.exec:\5lffflr.exe50⤵
- Executes dropped EXE
-
\??\c:\44820.exec:\44820.exe51⤵
- Executes dropped EXE
-
\??\c:\8244068.exec:\8244068.exe52⤵
- Executes dropped EXE
-
\??\c:\ddvdp.exec:\ddvdp.exe53⤵
- Executes dropped EXE
-
\??\c:\rrllxxx.exec:\rrllxxx.exe54⤵
- Executes dropped EXE
-
\??\c:\5nntnn.exec:\5nntnn.exe55⤵
- Executes dropped EXE
-
\??\c:\80460.exec:\80460.exe56⤵
- Executes dropped EXE
-
\??\c:\4444044.exec:\4444044.exe57⤵
- Executes dropped EXE
-
\??\c:\jdjdj.exec:\jdjdj.exe58⤵
- Executes dropped EXE
-
\??\c:\26062.exec:\26062.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\00424.exec:\00424.exe60⤵
- Executes dropped EXE
-
\??\c:\6086242.exec:\6086242.exe61⤵
- Executes dropped EXE
-
\??\c:\ddpjv.exec:\ddpjv.exe62⤵
- Executes dropped EXE
-
\??\c:\btnbhn.exec:\btnbhn.exe63⤵
- Executes dropped EXE
-
\??\c:\64462.exec:\64462.exe64⤵
- Executes dropped EXE
-
\??\c:\rlffrxf.exec:\rlffrxf.exe65⤵
- Executes dropped EXE
-
\??\c:\dpjpv.exec:\dpjpv.exe66⤵
-
\??\c:\06646.exec:\06646.exe67⤵
-
\??\c:\hbtnbb.exec:\hbtnbb.exe68⤵
-
\??\c:\c240668.exec:\c240668.exe69⤵
-
\??\c:\lllxlxr.exec:\lllxlxr.exe70⤵
-
\??\c:\8240668.exec:\8240668.exe71⤵
-
\??\c:\vvjpp.exec:\vvjpp.exe72⤵
-
\??\c:\4488402.exec:\4488402.exe73⤵
-
\??\c:\vpvjj.exec:\vpvjj.exe74⤵
-
\??\c:\c268008.exec:\c268008.exe75⤵
-
\??\c:\nnhnbh.exec:\nnhnbh.exe76⤵
-
\??\c:\7jdjv.exec:\7jdjv.exe77⤵
-
\??\c:\088820.exec:\088820.exe78⤵
-
\??\c:\nnnbnb.exec:\nnnbnb.exe79⤵
-
\??\c:\88664.exec:\88664.exe80⤵
-
\??\c:\82682.exec:\82682.exe81⤵
-
\??\c:\c208468.exec:\c208468.exe82⤵
- System Location Discovery: System Language Discovery
-
\??\c:\482202.exec:\482202.exe83⤵
-
\??\c:\7djdj.exec:\7djdj.exe84⤵
-
\??\c:\ddvvp.exec:\ddvvp.exe85⤵
-
\??\c:\nbtttn.exec:\nbtttn.exe86⤵
-
\??\c:\068008.exec:\068008.exe87⤵
-
\??\c:\822864.exec:\822864.exe88⤵
-
\??\c:\24864.exec:\24864.exe89⤵
-
\??\c:\dvddv.exec:\dvddv.exe90⤵
-
\??\c:\82062.exec:\82062.exe91⤵
-
\??\c:\0868668.exec:\0868668.exe92⤵
-
\??\c:\pjdpd.exec:\pjdpd.exe93⤵
-
\??\c:\dvdjp.exec:\dvdjp.exe94⤵
-
\??\c:\tnhnnb.exec:\tnhnnb.exe95⤵
-
\??\c:\3dvpd.exec:\3dvpd.exe96⤵
-
\??\c:\8200280.exec:\8200280.exe97⤵
-
\??\c:\nntbht.exec:\nntbht.exe98⤵
-
\??\c:\5pjjj.exec:\5pjjj.exe99⤵
-
\??\c:\w26424.exec:\w26424.exe100⤵
-
\??\c:\pdvjv.exec:\pdvjv.exe101⤵
-
\??\c:\dvdjd.exec:\dvdjd.exe102⤵
-
\??\c:\xrllxfr.exec:\xrllxfr.exe103⤵
-
\??\c:\tththh.exec:\tththh.exe104⤵
-
\??\c:\0040846.exec:\0040846.exe105⤵
-
\??\c:\8220664.exec:\8220664.exe106⤵
-
\??\c:\7tbhnh.exec:\7tbhnh.exe107⤵
-
\??\c:\jvjpp.exec:\jvjpp.exe108⤵
-
\??\c:\5jjdp.exec:\5jjdp.exe109⤵
-
\??\c:\420240.exec:\420240.exe110⤵
-
\??\c:\k48024.exec:\k48024.exe111⤵
-
\??\c:\ppvdp.exec:\ppvdp.exe112⤵
-
\??\c:\nhhbtt.exec:\nhhbtt.exe113⤵
-
\??\c:\3lxllxr.exec:\3lxllxr.exe114⤵
-
\??\c:\dvpjj.exec:\dvpjj.exe115⤵
-
\??\c:\xrrxrrr.exec:\xrrxrrr.exe116⤵
-
\??\c:\1hhnht.exec:\1hhnht.exe117⤵
-
\??\c:\hnntht.exec:\hnntht.exe118⤵
-
\??\c:\k88462.exec:\k88462.exe119⤵
-
\??\c:\5lrlflx.exec:\5lrlflx.exe120⤵
-
\??\c:\bhbnhb.exec:\bhbnhb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-