Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-11-2024 11:46
General
-
Target
f9df4404b6cd8faebba99cf1987fc0c3ab737078018d6deccceea2fcde774f72.exe
-
Size
66KB
-
MD5
7dc2efe69bce3e7b63a16301849e3114
-
SHA1
ae2ba113fca0dfab484e570cb7f6682aff94846f
-
SHA256
f9df4404b6cd8faebba99cf1987fc0c3ab737078018d6deccceea2fcde774f72
-
SHA512
66a36f6ea9106c5aa220f78b3da9dcc535f6f351364b8275c898ffe17d4b984736ffd065977ef79ad8ccd3ebf994bba8b75782808f10870ee5cd4c3f7704d55f
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzkzNM+:ymb3NkkiQ3mdBjFIvlpM+
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9df4404b6cd8faebba99cf1987fc0c3ab737078018d6deccceea2fcde774f72.exe"C:\Users\Admin\AppData\Local\Temp\f9df4404b6cd8faebba99cf1987fc0c3ab737078018d6deccceea2fcde774f72.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnnht.exec:\ttnnht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdpj.exec:\vpdpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ppvd.exec:\5ppvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxlrrx.exec:\rfxlrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbhbb.exec:\bnbhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvpvv.exec:\jvpvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5frflfl.exec:\5frflfl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbnhnh.exec:\tbnhnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jvpv.exec:\1jvpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lxfrrf.exec:\3lxfrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthntb.exec:\bthntb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tnhnh.exec:\1tnhnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvjd.exec:\ppvjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rllrxl.exec:\9rllrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxflrf.exec:\fxxflrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthhhh.exec:\bthhhh.exe17⤵
- Executes dropped EXE
-
\??\c:\dvpjj.exec:\dvpjj.exe18⤵
- Executes dropped EXE
-
\??\c:\jdvdj.exec:\jdvdj.exe19⤵
- Executes dropped EXE
-
\??\c:\9xxxxlx.exec:\9xxxxlx.exe20⤵
- Executes dropped EXE
-
\??\c:\5btntt.exec:\5btntt.exe21⤵
- Executes dropped EXE
-
\??\c:\tbnbnb.exec:\tbnbnb.exe22⤵
- Executes dropped EXE
-
\??\c:\jjdvj.exec:\jjdvj.exe23⤵
- Executes dropped EXE
-
\??\c:\jvdpd.exec:\jvdpd.exe24⤵
- Executes dropped EXE
-
\??\c:\flxrfxx.exec:\flxrfxx.exe25⤵
- Executes dropped EXE
-
\??\c:\tnbhnt.exec:\tnbhnt.exe26⤵
- Executes dropped EXE
-
\??\c:\nbnbhb.exec:\nbnbhb.exe27⤵
- Executes dropped EXE
-
\??\c:\3rlrfrx.exec:\3rlrfrx.exe28⤵
- Executes dropped EXE
-
\??\c:\xrxflrx.exec:\xrxflrx.exe29⤵
- Executes dropped EXE
-
\??\c:\5hthnt.exec:\5hthnt.exe30⤵
- Executes dropped EXE
-
\??\c:\jdpvp.exec:\jdpvp.exe31⤵
- Executes dropped EXE
-
\??\c:\pjjpv.exec:\pjjpv.exe32⤵
- Executes dropped EXE
-
\??\c:\rllrxlf.exec:\rllrxlf.exe33⤵
- Executes dropped EXE
-
\??\c:\tntbhh.exec:\tntbhh.exe34⤵
- Executes dropped EXE
-
\??\c:\1nbntt.exec:\1nbntt.exe35⤵
- Executes dropped EXE
-
\??\c:\7vjpv.exec:\7vjpv.exe36⤵
- Executes dropped EXE
-
\??\c:\dpddj.exec:\dpddj.exe37⤵
- Executes dropped EXE
-
\??\c:\3rlxlrf.exec:\3rlxlrf.exe38⤵
- Executes dropped EXE
-
\??\c:\hthhhn.exec:\hthhhn.exe39⤵
- Executes dropped EXE
-
\??\c:\hbnbhh.exec:\hbnbhh.exe40⤵
- Executes dropped EXE
-
\??\c:\3nnbhh.exec:\3nnbhh.exe41⤵
- Executes dropped EXE
-
\??\c:\pjvvv.exec:\pjvvv.exe42⤵
- Executes dropped EXE
-
\??\c:\jdjjp.exec:\jdjjp.exe43⤵
- Executes dropped EXE
-
\??\c:\fxrrfxf.exec:\fxrrfxf.exe44⤵
- Executes dropped EXE
-
\??\c:\rlrrxfl.exec:\rlrrxfl.exe45⤵
- Executes dropped EXE
-
\??\c:\tnbhtt.exec:\tnbhtt.exe46⤵
- Executes dropped EXE
-
\??\c:\nnntbn.exec:\nnntbn.exe47⤵
- Executes dropped EXE
-
\??\c:\vdvdd.exec:\vdvdd.exe48⤵
- Executes dropped EXE
-
\??\c:\jdppj.exec:\jdppj.exe49⤵
- Executes dropped EXE
-
\??\c:\lxrrffl.exec:\lxrrffl.exe50⤵
- Executes dropped EXE
-
\??\c:\rllrllf.exec:\rllrllf.exe51⤵
- Executes dropped EXE
-
\??\c:\9xxflfx.exec:\9xxflfx.exe52⤵
- Executes dropped EXE
-
\??\c:\hbnthn.exec:\hbnthn.exe53⤵
- Executes dropped EXE
-
\??\c:\9nbtth.exec:\9nbtth.exe54⤵
- Executes dropped EXE
-
\??\c:\rrrlrxl.exec:\rrrlrxl.exe55⤵
- Executes dropped EXE
-
\??\c:\frrrffl.exec:\frrrffl.exe56⤵
- Executes dropped EXE
-
\??\c:\nhtbht.exec:\nhtbht.exe57⤵
- Executes dropped EXE
-
\??\c:\3ntnnt.exec:\3ntnnt.exe58⤵
- Executes dropped EXE
-
\??\c:\vppdp.exec:\vppdp.exe59⤵
- Executes dropped EXE
-
\??\c:\vpdvd.exec:\vpdvd.exe60⤵
- Executes dropped EXE
-
\??\c:\3rrxllx.exec:\3rrxllx.exe61⤵
- Executes dropped EXE
-
\??\c:\fxlxrrx.exec:\fxlxrrx.exe62⤵
- Executes dropped EXE
-
\??\c:\3nhnbb.exec:\3nhnbb.exe63⤵
- Executes dropped EXE
-
\??\c:\tttnhh.exec:\tttnhh.exe64⤵
- Executes dropped EXE
-
\??\c:\3ppdv.exec:\3ppdv.exe65⤵
- Executes dropped EXE
-
\??\c:\9jvpv.exec:\9jvpv.exe66⤵
-
\??\c:\5djvj.exec:\5djvj.exe67⤵
-
\??\c:\7fxxflr.exec:\7fxxflr.exe68⤵
-
\??\c:\rllrffr.exec:\rllrffr.exe69⤵
-
\??\c:\5nhbth.exec:\5nhbth.exe70⤵
- System Location Discovery: System Language Discovery
-
\??\c:\ththtb.exec:\ththtb.exe71⤵
-
\??\c:\pjjjp.exec:\pjjjp.exe72⤵
-
\??\c:\vpjpd.exec:\vpjpd.exe73⤵
-
\??\c:\9xfxlxf.exec:\9xfxlxf.exe74⤵
-
\??\c:\xrflxxf.exec:\xrflxxf.exe75⤵
-
\??\c:\nhnbhb.exec:\nhnbhb.exe76⤵
-
\??\c:\ttnhth.exec:\ttnhth.exe77⤵
-
\??\c:\vjjvp.exec:\vjjvp.exe78⤵
-
\??\c:\3pvjp.exec:\3pvjp.exe79⤵
-
\??\c:\xxfrffl.exec:\xxfrffl.exe80⤵
-
\??\c:\llxfrxl.exec:\llxfrxl.exe81⤵
-
\??\c:\9hbnbb.exec:\9hbnbb.exe82⤵
-
\??\c:\7djdv.exec:\7djdv.exe83⤵
-
\??\c:\3jvpp.exec:\3jvpp.exe84⤵
-
\??\c:\frxflrf.exec:\frxflrf.exe85⤵
-
\??\c:\fflflxx.exec:\fflflxx.exe86⤵
-
\??\c:\tthhnb.exec:\tthhnb.exe87⤵
-
\??\c:\ttnhtb.exec:\ttnhtb.exe88⤵
-
\??\c:\jvjpv.exec:\jvjpv.exe89⤵
-
\??\c:\xrrfrxr.exec:\xrrfrxr.exe90⤵
-
\??\c:\llxlffr.exec:\llxlffr.exe91⤵
-
\??\c:\5lfrxxr.exec:\5lfrxxr.exe92⤵
-
\??\c:\ttnbtb.exec:\ttnbtb.exe93⤵
-
\??\c:\nnhntt.exec:\nnhntt.exe94⤵
-
\??\c:\pdpvv.exec:\pdpvv.exe95⤵
-
\??\c:\jvvpp.exec:\jvvpp.exe96⤵
-
\??\c:\1ffrxfr.exec:\1ffrxfr.exe97⤵
-
\??\c:\rlxffrx.exec:\rlxffrx.exe98⤵
-
\??\c:\thhthn.exec:\thhthn.exe99⤵
-
\??\c:\vjddj.exec:\vjddj.exe100⤵
-
\??\c:\vvpjd.exec:\vvpjd.exe101⤵
-
\??\c:\lxllrrl.exec:\lxllrrl.exe102⤵
-
\??\c:\xflrlff.exec:\xflrlff.exe103⤵
-
\??\c:\hbhnbb.exec:\hbhnbb.exe104⤵
-
\??\c:\tntntt.exec:\tntntt.exe105⤵
-
\??\c:\jpvpp.exec:\jpvpp.exe106⤵
-
\??\c:\pdjjd.exec:\pdjjd.exe107⤵
-
\??\c:\5rffrxr.exec:\5rffrxr.exe108⤵
-
\??\c:\xrlrflr.exec:\xrlrflr.exe109⤵
-
\??\c:\1hnttb.exec:\1hnttb.exe110⤵
-
\??\c:\hbbhnb.exec:\hbbhnb.exe111⤵
-
\??\c:\jdvdp.exec:\jdvdp.exe112⤵
-
\??\c:\vjdvd.exec:\vjdvd.exe113⤵
-
\??\c:\xlxfxfr.exec:\xlxfxfr.exe114⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rlfxffl.exec:\rlfxffl.exe115⤵
-
\??\c:\9nhntn.exec:\9nhntn.exe116⤵
-
\??\c:\5nnnbh.exec:\5nnnbh.exe117⤵
-
\??\c:\vvpvv.exec:\vvpvv.exe118⤵
-
\??\c:\fxffllf.exec:\fxffllf.exe119⤵
-
\??\c:\rlrxllr.exec:\rlrxllr.exe120⤵
-
\??\c:\hbbnbn.exec:\hbbnbn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-