Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-11-2024 06:45
General
-
Target
4dbd80c8481330cf6d45c49bb4b201a4e5e903587fd94b893215e09726ba6cce.exe
-
Size
75KB
-
MD5
3b2cfa78ac01b81ef92a5aca15213f52
-
SHA1
31a8050eaa5aa43c3cb9adab4e6ec3bbf5ea778d
-
SHA256
4dbd80c8481330cf6d45c49bb4b201a4e5e903587fd94b893215e09726ba6cce
-
SHA512
df725d212f9174c192b66510349d7cd663262b71b37dc523cb1dbdd16a0f6f62b8c4fc2aa9883f6003cbd226ca62b66f104013932a7b8be99483d9a708839136
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+qiImgS5ih6:ymb3NkkiQ3mdBjFIj+qiImgS5ih6
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4dbd80c8481330cf6d45c49bb4b201a4e5e903587fd94b893215e09726ba6cce.exe"C:\Users\Admin\AppData\Local\Temp\4dbd80c8481330cf6d45c49bb4b201a4e5e903587fd94b893215e09726ba6cce.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1xxxlrf.exec:\1xxxlrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1thnbb.exec:\1thnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvj.exec:\pjvvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9lfrlrf.exec:\9lfrlrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjv.exec:\vppjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrlrfl.exec:\rfrlrfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttntht.exec:\ttntht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ntbbb.exec:\7ntbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjddj.exec:\pjddj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrrrl.exec:\frxrrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlttth.exec:\fxlttth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bhbnb.exec:\5bhbnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjjv.exec:\vpjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxrrrx.exec:\lfxrrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5lfxfxf.exec:\5lfxfxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbbbh.exec:\hhbbbh.exe17⤵
- Executes dropped EXE
-
\??\c:\vvppj.exec:\vvppj.exe18⤵
- Executes dropped EXE
-
\??\c:\vvppv.exec:\vvppv.exe19⤵
- Executes dropped EXE
-
\??\c:\rllllrr.exec:\rllllrr.exe20⤵
- Executes dropped EXE
-
\??\c:\bthnbn.exec:\bthnbn.exe21⤵
- Executes dropped EXE
-
\??\c:\3hhbnn.exec:\3hhbnn.exe22⤵
- Executes dropped EXE
-
\??\c:\jddjp.exec:\jddjp.exe23⤵
- Executes dropped EXE
-
\??\c:\lfrfxfl.exec:\lfrfxfl.exe24⤵
- Executes dropped EXE
-
\??\c:\ttnbbh.exec:\ttnbbh.exe25⤵
- Executes dropped EXE
-
\??\c:\ttnthn.exec:\ttnthn.exe26⤵
- Executes dropped EXE
-
\??\c:\9dpjv.exec:\9dpjv.exe27⤵
- Executes dropped EXE
-
\??\c:\rlrrrlr.exec:\rlrrrlr.exe28⤵
- Executes dropped EXE
-
\??\c:\ttnbnn.exec:\ttnbnn.exe29⤵
- Executes dropped EXE
-
\??\c:\vjpvp.exec:\vjpvp.exe30⤵
- Executes dropped EXE
-
\??\c:\vpjpv.exec:\vpjpv.exe31⤵
- Executes dropped EXE
-
\??\c:\3xrxffl.exec:\3xrxffl.exe32⤵
- Executes dropped EXE
-
\??\c:\frfffxl.exec:\frfffxl.exe33⤵
- Executes dropped EXE
-
\??\c:\bthnbb.exec:\bthnbb.exe34⤵
- Executes dropped EXE
-
\??\c:\pjpdv.exec:\pjpdv.exe35⤵
- Executes dropped EXE
-
\??\c:\jdjjp.exec:\jdjjp.exe36⤵
- Executes dropped EXE
-
\??\c:\1lrrrrf.exec:\1lrrrrf.exe37⤵
- Executes dropped EXE
-
\??\c:\xrxrrll.exec:\xrxrrll.exe38⤵
- Executes dropped EXE
-
\??\c:\nhbhbt.exec:\nhbhbt.exe39⤵
- Executes dropped EXE
-
\??\c:\9vpjp.exec:\9vpjp.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\1jdvv.exec:\1jdvv.exe41⤵
- Executes dropped EXE
-
\??\c:\3lfxxxf.exec:\3lfxxxf.exe42⤵
- Executes dropped EXE
-
\??\c:\lxllrlr.exec:\lxllrlr.exe43⤵
- Executes dropped EXE
-
\??\c:\1htttt.exec:\1htttt.exe44⤵
- Executes dropped EXE
-
\??\c:\5vppp.exec:\5vppp.exe45⤵
- Executes dropped EXE
-
\??\c:\jdvvd.exec:\jdvvd.exe46⤵
- Executes dropped EXE
-
\??\c:\lffxfxf.exec:\lffxfxf.exe47⤵
- Executes dropped EXE
-
\??\c:\xrlfxxl.exec:\xrlfxxl.exe48⤵
- Executes dropped EXE
-
\??\c:\htttbn.exec:\htttbn.exe49⤵
- Executes dropped EXE
-
\??\c:\tntbhn.exec:\tntbhn.exe50⤵
- Executes dropped EXE
-
\??\c:\vjvdj.exec:\vjvdj.exe51⤵
- Executes dropped EXE
-
\??\c:\pjdvd.exec:\pjdvd.exe52⤵
- Executes dropped EXE
-
\??\c:\3lrrllf.exec:\3lrrllf.exe53⤵
- Executes dropped EXE
-
\??\c:\9hbnbn.exec:\9hbnbn.exe54⤵
- Executes dropped EXE
-
\??\c:\tntnbb.exec:\tntnbb.exe55⤵
- Executes dropped EXE
-
\??\c:\pjdjj.exec:\pjdjj.exe56⤵
- Executes dropped EXE
-
\??\c:\7vpvd.exec:\7vpvd.exe57⤵
- Executes dropped EXE
-
\??\c:\rffrrxf.exec:\rffrrxf.exe58⤵
- Executes dropped EXE
-
\??\c:\llxlxff.exec:\llxlxff.exe59⤵
- Executes dropped EXE
-
\??\c:\nhtttt.exec:\nhtttt.exe60⤵
- Executes dropped EXE
-
\??\c:\dpjpd.exec:\dpjpd.exe61⤵
- Executes dropped EXE
-
\??\c:\jjvjp.exec:\jjvjp.exe62⤵
- Executes dropped EXE
-
\??\c:\5lrlllf.exec:\5lrlllf.exe63⤵
- Executes dropped EXE
-
\??\c:\9xrlxxl.exec:\9xrlxxl.exe64⤵
- Executes dropped EXE
-
\??\c:\hhnbhh.exec:\hhnbhh.exe65⤵
- Executes dropped EXE
-
\??\c:\hbtntt.exec:\hbtntt.exe66⤵
-
\??\c:\vvjpd.exec:\vvjpd.exe67⤵
-
\??\c:\vjjdd.exec:\vjjdd.exe68⤵
-
\??\c:\xrllrlx.exec:\xrllrlx.exe69⤵
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe70⤵
-
\??\c:\htbtht.exec:\htbtht.exe71⤵
-
\??\c:\bthhtn.exec:\bthhtn.exe72⤵
-
\??\c:\5ddjd.exec:\5ddjd.exe73⤵
-
\??\c:\pjjvj.exec:\pjjvj.exe74⤵
-
\??\c:\xrffffr.exec:\xrffffr.exe75⤵
-
\??\c:\rlfrxxl.exec:\rlfrxxl.exe76⤵
-
\??\c:\bhnhhb.exec:\bhnhhb.exe77⤵
-
\??\c:\pvvdd.exec:\pvvdd.exe78⤵
-
\??\c:\1pvpv.exec:\1pvpv.exe79⤵
-
\??\c:\ddvdp.exec:\ddvdp.exe80⤵
-
\??\c:\3rllllr.exec:\3rllllr.exe81⤵
-
\??\c:\nbhnhb.exec:\nbhnhb.exe82⤵
-
\??\c:\nhnthh.exec:\nhnthh.exe83⤵
-
\??\c:\1pvvv.exec:\1pvvv.exe84⤵
-
\??\c:\9ppvj.exec:\9ppvj.exe85⤵
-
\??\c:\lxfllff.exec:\lxfllff.exe86⤵
-
\??\c:\rfllxrx.exec:\rfllxrx.exe87⤵
-
\??\c:\1nbbhh.exec:\1nbbhh.exe88⤵
-
\??\c:\tnhntb.exec:\tnhntb.exe89⤵
-
\??\c:\pdpjj.exec:\pdpjj.exe90⤵
-
\??\c:\ppddd.exec:\ppddd.exe91⤵
-
\??\c:\3xrrxrx.exec:\3xrrxrx.exe92⤵
-
\??\c:\fxrrfxf.exec:\fxrrfxf.exe93⤵
-
\??\c:\9nhtnb.exec:\9nhtnb.exe94⤵
-
\??\c:\hbntbh.exec:\hbntbh.exe95⤵
-
\??\c:\ddpvp.exec:\ddpvp.exe96⤵
-
\??\c:\xlrlxrf.exec:\xlrlxrf.exe97⤵
-
\??\c:\lrxxlll.exec:\lrxxlll.exe98⤵
-
\??\c:\tnbbnn.exec:\tnbbnn.exe99⤵
-
\??\c:\9hbbnh.exec:\9hbbnh.exe100⤵
-
\??\c:\hbhnbb.exec:\hbhnbb.exe101⤵
-
\??\c:\jjpdp.exec:\jjpdp.exe102⤵
-
\??\c:\pjvvv.exec:\pjvvv.exe103⤵
-
\??\c:\lfrflrx.exec:\lfrflrx.exe104⤵
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe105⤵
-
\??\c:\nhtbhh.exec:\nhtbhh.exe106⤵
-
\??\c:\5nnntt.exec:\5nnntt.exe107⤵
-
\??\c:\pdvvj.exec:\pdvvj.exe108⤵
-
\??\c:\pjdjj.exec:\pjdjj.exe109⤵
-
\??\c:\5xllllr.exec:\5xllllr.exe110⤵
-
\??\c:\rfxllxr.exec:\rfxllxr.exe111⤵
-
\??\c:\lxrrrfl.exec:\lxrrrfl.exe112⤵
-
\??\c:\bntttt.exec:\bntttt.exe113⤵
-
\??\c:\nntbth.exec:\nntbth.exe114⤵
-
\??\c:\3pppd.exec:\3pppd.exe115⤵
-
\??\c:\jdpdd.exec:\jdpdd.exe116⤵
-
\??\c:\3lrxfxf.exec:\3lrxfxf.exe117⤵
-
\??\c:\xllllll.exec:\xllllll.exe118⤵
-
\??\c:\bnbbtt.exec:\bnbbtt.exe119⤵
-
\??\c:\tnbhtb.exec:\tnbhtb.exe120⤵
-
\??\c:\pdjpj.exec:\pdjpj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-