Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
24-11-2024 11:17
General
-
Target
94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe
-
Size
332KB
-
MD5
327d873702a29e016b3efb1d652ef7f1
-
SHA1
d492d233471bd1a83a19d3f32d0fe1f4ef610514
-
SHA256
94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2
-
SHA512
9ee0b24f1beb135d5a9022e711adb0f993ace447a4a3edfc0b861b884940b5145dacf73c055e7c1248d6392c967961bc9bfb9711c4faf66c1954139096c5121c
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbe2:R4wFHoSHYHUrAwfMp3CD2
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 53 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe"C:\Users\Admin\AppData\Local\Temp\94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\428400.exec:\428400.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w04684.exec:\w04684.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0408624.exec:\0408624.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbtthn.exec:\nbtthn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\480800.exec:\480800.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxxlrl.exec:\ffxxlrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvppj.exec:\dvppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjpd.exec:\vvjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i084468.exec:\i084468.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04242.exec:\04242.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0862884.exec:\0862884.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfflll.exec:\frfflll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\060644.exec:\060644.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpdp.exec:\dvpdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7jppv.exec:\7jppv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tbhtt.exec:\5tbhtt.exe17⤵
- Executes dropped EXE
-
\??\c:\rrrrxxx.exec:\rrrrxxx.exe18⤵
- Executes dropped EXE
-
\??\c:\28824.exec:\28824.exe19⤵
- Executes dropped EXE
-
\??\c:\tbhtbb.exec:\tbhtbb.exe20⤵
- Executes dropped EXE
-
\??\c:\dddjv.exec:\dddjv.exe21⤵
- Executes dropped EXE
-
\??\c:\88682.exec:\88682.exe22⤵
- Executes dropped EXE
-
\??\c:\vdppj.exec:\vdppj.exe23⤵
- Executes dropped EXE
-
\??\c:\nnthhh.exec:\nnthhh.exe24⤵
- Executes dropped EXE
-
\??\c:\vvvdj.exec:\vvvdj.exe25⤵
- Executes dropped EXE
-
\??\c:\424024.exec:\424024.exe26⤵
- Executes dropped EXE
-
\??\c:\042468.exec:\042468.exe27⤵
- Executes dropped EXE
-
\??\c:\488664.exec:\488664.exe28⤵
- Executes dropped EXE
-
\??\c:\tnhnbh.exec:\tnhnbh.exe29⤵
- Executes dropped EXE
-
\??\c:\e88084.exec:\e88084.exe30⤵
- Executes dropped EXE
-
\??\c:\ppjvj.exec:\ppjvj.exe31⤵
- Executes dropped EXE
-
\??\c:\1rfllrr.exec:\1rfllrr.exe32⤵
- Executes dropped EXE
-
\??\c:\q64048.exec:\q64048.exe33⤵
- Executes dropped EXE
-
\??\c:\5vjpv.exec:\5vjpv.exe34⤵
- Executes dropped EXE
-
\??\c:\frrlrff.exec:\frrlrff.exe35⤵
- Executes dropped EXE
-
\??\c:\o462884.exec:\o462884.exe36⤵
- Executes dropped EXE
-
\??\c:\08006.exec:\08006.exe37⤵
- Executes dropped EXE
-
\??\c:\xlrxxxl.exec:\xlrxxxl.exe38⤵
- Executes dropped EXE
-
\??\c:\vddvv.exec:\vddvv.exe39⤵
- Executes dropped EXE
-
\??\c:\flrrrlx.exec:\flrrrlx.exe40⤵
- Executes dropped EXE
-
\??\c:\htnntt.exec:\htnntt.exe41⤵
- Executes dropped EXE
-
\??\c:\64284.exec:\64284.exe42⤵
- Executes dropped EXE
-
\??\c:\680062.exec:\680062.exe43⤵
- Executes dropped EXE
-
\??\c:\e80000.exec:\e80000.exe44⤵
- Executes dropped EXE
-
\??\c:\4228848.exec:\4228848.exe45⤵
- Executes dropped EXE
-
\??\c:\04602.exec:\04602.exe46⤵
- Executes dropped EXE
-
\??\c:\6660848.exec:\6660848.exe47⤵
- Executes dropped EXE
-
\??\c:\04868.exec:\04868.exe48⤵
- Executes dropped EXE
-
\??\c:\btbhhn.exec:\btbhhn.exe49⤵
- Executes dropped EXE
-
\??\c:\3nhntb.exec:\3nhntb.exe50⤵
- Executes dropped EXE
-
\??\c:\nntnnn.exec:\nntnnn.exe51⤵
- Executes dropped EXE
-
\??\c:\vjvdj.exec:\vjvdj.exe52⤵
- Executes dropped EXE
-
\??\c:\rlflxrx.exec:\rlflxrx.exe53⤵
- Executes dropped EXE
-
\??\c:\260288.exec:\260288.exe54⤵
- Executes dropped EXE
-
\??\c:\xrxffll.exec:\xrxffll.exe55⤵
- Executes dropped EXE
-
\??\c:\222264.exec:\222264.exe56⤵
- Executes dropped EXE
-
\??\c:\820608.exec:\820608.exe57⤵
- Executes dropped EXE
-
\??\c:\xrfrxxl.exec:\xrfrxxl.exe58⤵
- Executes dropped EXE
-
\??\c:\66802.exec:\66802.exe59⤵
- Executes dropped EXE
-
\??\c:\486846.exec:\486846.exe60⤵
- Executes dropped EXE
-
\??\c:\k22266.exec:\k22266.exe61⤵
- Executes dropped EXE
-
\??\c:\llxlflf.exec:\llxlflf.exe62⤵
- Executes dropped EXE
-
\??\c:\hntttn.exec:\hntttn.exe63⤵
- Executes dropped EXE
-
\??\c:\862402.exec:\862402.exe64⤵
- Executes dropped EXE
-
\??\c:\400486.exec:\400486.exe65⤵
- Executes dropped EXE
-
\??\c:\u460800.exec:\u460800.exe66⤵
-
\??\c:\xrxrrrx.exec:\xrxrrrx.exe67⤵
-
\??\c:\7jvdp.exec:\7jvdp.exe68⤵
-
\??\c:\tnbbnt.exec:\tnbbnt.exe69⤵
-
\??\c:\hhttbh.exec:\hhttbh.exe70⤵
-
\??\c:\86284.exec:\86284.exe71⤵
-
\??\c:\xxxrfxx.exec:\xxxrfxx.exe72⤵
-
\??\c:\0444840.exec:\0444840.exe73⤵
-
\??\c:\hhnbth.exec:\hhnbth.exe74⤵
-
\??\c:\jdppd.exec:\jdppd.exe75⤵
-
\??\c:\608806.exec:\608806.exe76⤵
-
\??\c:\rfrrxxf.exec:\rfrrxxf.exe77⤵
-
\??\c:\1bhhnn.exec:\1bhhnn.exe78⤵
-
\??\c:\g2446.exec:\g2446.exe79⤵
-
\??\c:\2680288.exec:\2680288.exe80⤵
-
\??\c:\8862068.exec:\8862068.exe81⤵
-
\??\c:\ttnbtt.exec:\ttnbtt.exe82⤵
-
\??\c:\7htntt.exec:\7htntt.exe83⤵
-
\??\c:\ttntnt.exec:\ttntnt.exe84⤵
-
\??\c:\pdpdj.exec:\pdpdj.exe85⤵
-
\??\c:\4824002.exec:\4824002.exe86⤵
-
\??\c:\00804.exec:\00804.exe87⤵
-
\??\c:\3nhbnh.exec:\3nhbnh.exe88⤵
-
\??\c:\hhhtbn.exec:\hhhtbn.exe89⤵
-
\??\c:\8880224.exec:\8880224.exe90⤵
-
\??\c:\btbbbb.exec:\btbbbb.exe91⤵
-
\??\c:\i244648.exec:\i244648.exe92⤵
-
\??\c:\680444.exec:\680444.exe93⤵
-
\??\c:\bttbnn.exec:\bttbnn.exe94⤵
-
\??\c:\26068.exec:\26068.exe95⤵
-
\??\c:\4484286.exec:\4484286.exe96⤵
-
\??\c:\i484668.exec:\i484668.exe97⤵
-
\??\c:\q04024.exec:\q04024.exe98⤵
-
\??\c:\2084624.exec:\2084624.exe99⤵
-
\??\c:\rfxlrfr.exec:\rfxlrfr.exe100⤵
-
\??\c:\44420.exec:\44420.exe101⤵
-
\??\c:\8688644.exec:\8688644.exe102⤵
-
\??\c:\6660240.exec:\6660240.exe103⤵
-
\??\c:\e20028.exec:\e20028.exe104⤵
-
\??\c:\428800.exec:\428800.exe105⤵
-
\??\c:\o200802.exec:\o200802.exe106⤵
-
\??\c:\ffxxllf.exec:\ffxxllf.exe107⤵
-
\??\c:\xxrlxfr.exec:\xxrlxfr.exe108⤵
-
\??\c:\lfxfrrr.exec:\lfxfrrr.exe109⤵
-
\??\c:\660066.exec:\660066.exe110⤵
-
\??\c:\i646228.exec:\i646228.exe111⤵
-
\??\c:\8680886.exec:\8680886.exe112⤵
-
\??\c:\rrflrxl.exec:\rrflrxl.exe113⤵
-
\??\c:\60620.exec:\60620.exe114⤵
-
\??\c:\2468062.exec:\2468062.exe115⤵
-
\??\c:\g2684.exec:\g2684.exe116⤵
-
\??\c:\m4224.exec:\m4224.exe117⤵
-
\??\c:\7tnthn.exec:\7tnthn.exe118⤵
-
\??\c:\086862.exec:\086862.exe119⤵
-
\??\c:\7jdvp.exec:\7jdvp.exe120⤵
-
\??\c:\208844.exec:\208844.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-