Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-11-2024 03:07
General
-
Target
c4e8ca21bb6882fccd0e899a6d93aa473b859e60423db6eca0645c9316169346.exe
-
Size
96KB
-
MD5
78df64c258f26ecec4361c803b9934a8
-
SHA1
de84e215db2887f2c0b15110f814df1a67bda402
-
SHA256
c4e8ca21bb6882fccd0e899a6d93aa473b859e60423db6eca0645c9316169346
-
SHA512
a7fdebceb0f20f9d01d66cb04be1b6f64b4c0843fb73dc8f26fe798fac1bf629e331173b1682d7e4dcdde7a0c76fb6938e3114428ed263625e560e9d62f86b69
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoLuePjDYlZMzcLI:ymb3NkkiQ3mdBjFoLucjD7cM
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4e8ca21bb6882fccd0e899a6d93aa473b859e60423db6eca0645c9316169346.exe"C:\Users\Admin\AppData\Local\Temp\c4e8ca21bb6882fccd0e899a6d93aa473b859e60423db6eca0645c9316169346.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7xlflfr.exec:\7xlflfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bnnbb.exec:\5bnnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppv.exec:\vpppv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vpvd.exec:\1vpvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflxfrx.exec:\lflxfrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhbnn.exec:\nnhbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjddp.exec:\jjddp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhtbh.exec:\tnhtbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjpd.exec:\jpjpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdjj.exec:\pjdjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlfrrf.exec:\rrlfrrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nbbnh.exec:\9nbbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbnnt.exec:\tnbnnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvjp.exec:\jdvjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrrfff.exec:\lrrrfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9lxlxxl.exec:\9lxlxxl.exe17⤵
- Executes dropped EXE
-
\??\c:\hbtttt.exec:\hbtttt.exe18⤵
- Executes dropped EXE
-
\??\c:\ddvpd.exec:\ddvpd.exe19⤵
- Executes dropped EXE
-
\??\c:\fxxrxfr.exec:\fxxrxfr.exe20⤵
- Executes dropped EXE
-
\??\c:\lffrflf.exec:\lffrflf.exe21⤵
- Executes dropped EXE
-
\??\c:\thtnnn.exec:\thtnnn.exe22⤵
- Executes dropped EXE
-
\??\c:\thhhbb.exec:\thhhbb.exe23⤵
- Executes dropped EXE
-
\??\c:\dvjjp.exec:\dvjjp.exe24⤵
- Executes dropped EXE
-
\??\c:\rrfffxf.exec:\rrfffxf.exe25⤵
- Executes dropped EXE
-
\??\c:\thtntt.exec:\thtntt.exe26⤵
- Executes dropped EXE
-
\??\c:\nhhtbh.exec:\nhhtbh.exe27⤵
- Executes dropped EXE
-
\??\c:\3jdvj.exec:\3jdvj.exe28⤵
- Executes dropped EXE
-
\??\c:\lfllllr.exec:\lfllllr.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hbnntt.exec:\hbnntt.exe30⤵
- Executes dropped EXE
-
\??\c:\vjpjv.exec:\vjpjv.exe31⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe32⤵
- Executes dropped EXE
-
\??\c:\9lflxxf.exec:\9lflxxf.exe33⤵
-
\??\c:\bnbhhh.exec:\bnbhhh.exe34⤵
- Executes dropped EXE
-
\??\c:\dpvvj.exec:\dpvvj.exe35⤵
- Executes dropped EXE
-
\??\c:\jpvdv.exec:\jpvdv.exe36⤵
- Executes dropped EXE
-
\??\c:\xrflxfl.exec:\xrflxfl.exe37⤵
- Executes dropped EXE
-
\??\c:\rlfxxxf.exec:\rlfxxxf.exe38⤵
- Executes dropped EXE
-
\??\c:\5nbhbn.exec:\5nbhbn.exe39⤵
- Executes dropped EXE
-
\??\c:\thhhhh.exec:\thhhhh.exe40⤵
- Executes dropped EXE
-
\??\c:\7dppv.exec:\7dppv.exe41⤵
- Executes dropped EXE
-
\??\c:\5vjdd.exec:\5vjdd.exe42⤵
- Executes dropped EXE
-
\??\c:\fxffrrx.exec:\fxffrrx.exe43⤵
- Executes dropped EXE
-
\??\c:\fffrflr.exec:\fffrflr.exe44⤵
- Executes dropped EXE
-
\??\c:\nhthnb.exec:\nhthnb.exe45⤵
- Executes dropped EXE
-
\??\c:\1tttbb.exec:\1tttbb.exe46⤵
- Executes dropped EXE
-
\??\c:\jdjpd.exec:\jdjpd.exe47⤵
- Executes dropped EXE
-
\??\c:\rfllxrx.exec:\rfllxrx.exe48⤵
- Executes dropped EXE
-
\??\c:\hthnhh.exec:\hthnhh.exe49⤵
- Executes dropped EXE
-
\??\c:\djpjp.exec:\djpjp.exe50⤵
- Executes dropped EXE
-
\??\c:\jdppp.exec:\jdppp.exe51⤵
- Executes dropped EXE
-
\??\c:\rfllxxx.exec:\rfllxxx.exe52⤵
- Executes dropped EXE
-
\??\c:\lfxfffl.exec:\lfxfffl.exe53⤵
- Executes dropped EXE
-
\??\c:\tnhnbb.exec:\tnhnbb.exe54⤵
- Executes dropped EXE
-
\??\c:\dvjvj.exec:\dvjvj.exe55⤵
- Executes dropped EXE
-
\??\c:\vddjd.exec:\vddjd.exe56⤵
- Executes dropped EXE
-
\??\c:\xrfxllx.exec:\xrfxllx.exe57⤵
- Executes dropped EXE
-
\??\c:\lflxlll.exec:\lflxlll.exe58⤵
- Executes dropped EXE
-
\??\c:\hbnnnn.exec:\hbnnnn.exe59⤵
- Executes dropped EXE
-
\??\c:\7tnttt.exec:\7tnttt.exe60⤵
- Executes dropped EXE
-
\??\c:\vpjjv.exec:\vpjjv.exe61⤵
- Executes dropped EXE
-
\??\c:\jdvvj.exec:\jdvvj.exe62⤵
- Executes dropped EXE
-
\??\c:\lfrrxfx.exec:\lfrrxfx.exe63⤵
- Executes dropped EXE
-
\??\c:\xlflffr.exec:\xlflffr.exe64⤵
- Executes dropped EXE
-
\??\c:\rxllrrx.exec:\rxllrrx.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hhbbtt.exec:\hhbbtt.exe66⤵
- Executes dropped EXE
-
\??\c:\jvjvd.exec:\jvjvd.exe67⤵
-
\??\c:\pdvjj.exec:\pdvjj.exe68⤵
-
\??\c:\xrlxxxf.exec:\xrlxxxf.exe69⤵
-
\??\c:\xrlflff.exec:\xrlflff.exe70⤵
-
\??\c:\btbhnn.exec:\btbhnn.exe71⤵
-
\??\c:\bbttbb.exec:\bbttbb.exe72⤵
-
\??\c:\pjjpp.exec:\pjjpp.exe73⤵
-
\??\c:\jjdpp.exec:\jjdpp.exe74⤵
-
\??\c:\rfxxlfl.exec:\rfxxlfl.exe75⤵
-
\??\c:\rlrrxxf.exec:\rlrrxxf.exe76⤵
-
\??\c:\nthnbb.exec:\nthnbb.exe77⤵
-
\??\c:\bthnbb.exec:\bthnbb.exe78⤵
-
\??\c:\vjpvp.exec:\vjpvp.exe79⤵
-
\??\c:\vjpvd.exec:\vjpvd.exe80⤵
-
\??\c:\flffrrf.exec:\flffrrf.exe81⤵
-
\??\c:\rfrrrxr.exec:\rfrrrxr.exe82⤵
-
\??\c:\9ttnnt.exec:\9ttnnt.exe83⤵
-
\??\c:\nhhnnt.exec:\nhhnnt.exe84⤵
-
\??\c:\3pdvv.exec:\3pdvv.exe85⤵
-
\??\c:\dpddd.exec:\dpddd.exe86⤵
-
\??\c:\xlfxxxl.exec:\xlfxxxl.exe87⤵
-
\??\c:\1rrrlfr.exec:\1rrrlfr.exe88⤵
-
\??\c:\bnbntb.exec:\bnbntb.exe89⤵
-
\??\c:\thtnnh.exec:\thtnnh.exe90⤵
-
\??\c:\9jvpv.exec:\9jvpv.exe91⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe92⤵
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe93⤵
-
\??\c:\thhbnn.exec:\thhbnn.exe94⤵
-
\??\c:\nbnnbt.exec:\nbnnbt.exe95⤵
-
\??\c:\pjpdv.exec:\pjpdv.exe96⤵
-
\??\c:\pdpdv.exec:\pdpdv.exe97⤵
-
\??\c:\fffxffl.exec:\fffxffl.exe98⤵
-
\??\c:\flflrrx.exec:\flflrrx.exe99⤵
-
\??\c:\hbnhbh.exec:\hbnhbh.exe100⤵
-
\??\c:\thtbtn.exec:\thtbtn.exe101⤵
-
\??\c:\5htbhn.exec:\5htbhn.exe102⤵
-
\??\c:\dvdjp.exec:\dvdjp.exe103⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe104⤵
-
\??\c:\7lrlxfr.exec:\7lrlxfr.exe105⤵
-
\??\c:\frfrlrf.exec:\frfrlrf.exe106⤵
-
\??\c:\thnnbt.exec:\thnnbt.exe107⤵
-
\??\c:\tnbhnn.exec:\tnbhnn.exe108⤵
-
\??\c:\bnhnbh.exec:\bnhnbh.exe109⤵
-
\??\c:\vvjdj.exec:\vvjdj.exe110⤵
-
\??\c:\9dvdv.exec:\9dvdv.exe111⤵
-
\??\c:\3rffllx.exec:\3rffllx.exe112⤵
-
\??\c:\xlflrrr.exec:\xlflrrr.exe113⤵
-
\??\c:\bttttt.exec:\bttttt.exe114⤵
-
\??\c:\9bnbhn.exec:\9bnbhn.exe115⤵
-
\??\c:\pjpjp.exec:\pjpjp.exe116⤵
-
\??\c:\jjvdd.exec:\jjvdd.exe117⤵
-
\??\c:\lfrxxrx.exec:\lfrxxrx.exe118⤵
-
\??\c:\rlxfrrx.exec:\rlxfrrx.exe119⤵
-
\??\c:\tthbhn.exec:\tthbhn.exe120⤵
-
\??\c:\btnntt.exec:\btnntt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-