Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-11-2024 14:16
General
-
Target
b99586c3fc6e0f48f064ac8a49ddc657ab932b3c9a7b71ff8e0ceecf9494a70a.exe
-
Size
69KB
-
MD5
4a8039cf581bbec82ee1fd8d9743cc77
-
SHA1
1cb69dd2513e70ae1f0644007ac9343e350df2da
-
SHA256
b99586c3fc6e0f48f064ac8a49ddc657ab932b3c9a7b71ff8e0ceecf9494a70a
-
SHA512
23b61816860e13ba4b573bce98cdfa21437d5b051547d43215ac154b32a37094c64aacbdde9881eefb6142da861c2f1b061c69143561ec68956d05beaba561f7
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIoAch:ymb3NkkiQ3mdBjFIsIVch
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b99586c3fc6e0f48f064ac8a49ddc657ab932b3c9a7b71ff8e0ceecf9494a70a.exe"C:\Users\Admin\AppData\Local\Temp\b99586c3fc6e0f48f064ac8a49ddc657ab932b3c9a7b71ff8e0ceecf9494a70a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\tttbhh.exec:\tttbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jdjj.exec:\9jdjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpvd.exec:\djpvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7fxrfrl.exec:\7fxrfrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjvv.exec:\pvjvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdddj.exec:\vdddj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7thhnn.exec:\7thhnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7dpdp.exec:\7dpdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxxlflx.exec:\rxxlflx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtbnt.exec:\nhtbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbthbn.exec:\tbthbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvddj.exec:\jvddj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrlxfr.exec:\rrrlxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbhtb.exec:\bbbhtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjpj.exec:\ppjpj.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjdp.exec:\jjjdp.exe17⤵
- Executes dropped EXE
-
\??\c:\fffrxxf.exec:\fffrxxf.exe18⤵
- Executes dropped EXE
-
\??\c:\hnbnbn.exec:\hnbnbn.exe19⤵
- Executes dropped EXE
-
\??\c:\vvvdp.exec:\vvvdp.exe20⤵
- Executes dropped EXE
-
\??\c:\dpjpv.exec:\dpjpv.exe21⤵
- Executes dropped EXE
-
\??\c:\llfxrfx.exec:\llfxrfx.exe22⤵
- Executes dropped EXE
-
\??\c:\xrffrxf.exec:\xrffrxf.exe23⤵
- Executes dropped EXE
-
\??\c:\htbttn.exec:\htbttn.exe24⤵
- Executes dropped EXE
-
\??\c:\dvjdd.exec:\dvjdd.exe25⤵
- Executes dropped EXE
-
\??\c:\7pppd.exec:\7pppd.exe26⤵
- Executes dropped EXE
-
\??\c:\rxrfxlx.exec:\rxrfxlx.exe27⤵
- Executes dropped EXE
-
\??\c:\ntnnht.exec:\ntnnht.exe28⤵
- Executes dropped EXE
-
\??\c:\vvvdp.exec:\vvvdp.exe29⤵
- Executes dropped EXE
-
\??\c:\9flrlrf.exec:\9flrlrf.exe30⤵
- Executes dropped EXE
-
\??\c:\thtttt.exec:\thtttt.exe31⤵
- Executes dropped EXE
-
\??\c:\vdjdv.exec:\vdjdv.exe32⤵
- Executes dropped EXE
-
\??\c:\vvpvd.exec:\vvpvd.exe33⤵
- Executes dropped EXE
-
\??\c:\7lxflrf.exec:\7lxflrf.exe34⤵
- Executes dropped EXE
-
\??\c:\hhtnnn.exec:\hhtnnn.exe35⤵
- Executes dropped EXE
-
\??\c:\djpjp.exec:\djpjp.exe36⤵
- Executes dropped EXE
-
\??\c:\ddvdv.exec:\ddvdv.exe37⤵
- Executes dropped EXE
-
\??\c:\xrflxfr.exec:\xrflxfr.exe38⤵
- Executes dropped EXE
-
\??\c:\3bbbhn.exec:\3bbbhn.exe39⤵
- Executes dropped EXE
-
\??\c:\hhhbth.exec:\hhhbth.exe40⤵
- Executes dropped EXE
-
\??\c:\1jdjj.exec:\1jdjj.exe41⤵
- Executes dropped EXE
-
\??\c:\7ddjp.exec:\7ddjp.exe42⤵
- Executes dropped EXE
-
\??\c:\llxflrx.exec:\llxflrx.exe43⤵
- Executes dropped EXE
-
\??\c:\bbhhtb.exec:\bbhhtb.exe44⤵
- Executes dropped EXE
-
\??\c:\ttnntt.exec:\ttnntt.exe45⤵
- Executes dropped EXE
-
\??\c:\jddpd.exec:\jddpd.exe46⤵
- Executes dropped EXE
-
\??\c:\ddvdv.exec:\ddvdv.exe47⤵
- Executes dropped EXE
-
\??\c:\rlxxffl.exec:\rlxxffl.exe48⤵
- Executes dropped EXE
-
\??\c:\tnhntb.exec:\tnhntb.exe49⤵
- Executes dropped EXE
-
\??\c:\hhbhtb.exec:\hhbhtb.exe50⤵
- Executes dropped EXE
-
\??\c:\ppdvj.exec:\ppdvj.exe51⤵
- Executes dropped EXE
-
\??\c:\jdppj.exec:\jdppj.exe52⤵
- Executes dropped EXE
-
\??\c:\fffrlxr.exec:\fffrlxr.exe53⤵
- Executes dropped EXE
-
\??\c:\htthnt.exec:\htthnt.exe54⤵
- Executes dropped EXE
-
\??\c:\bbbtth.exec:\bbbtth.exe55⤵
- Executes dropped EXE
-
\??\c:\1jddp.exec:\1jddp.exe56⤵
- Executes dropped EXE
-
\??\c:\vpjpj.exec:\vpjpj.exe57⤵
- Executes dropped EXE
-
\??\c:\lfrxffl.exec:\lfrxffl.exe58⤵
- Executes dropped EXE
-
\??\c:\rxrfrfr.exec:\rxrfrfr.exe59⤵
- Executes dropped EXE
-
\??\c:\ttnbbn.exec:\ttnbbn.exe60⤵
- Executes dropped EXE
-
\??\c:\7dvdv.exec:\7dvdv.exe61⤵
- Executes dropped EXE
-
\??\c:\vvvdd.exec:\vvvdd.exe62⤵
- Executes dropped EXE
-
\??\c:\lllrrfr.exec:\lllrrfr.exe63⤵
- Executes dropped EXE
-
\??\c:\bhhhth.exec:\bhhhth.exe64⤵
- Executes dropped EXE
-
\??\c:\tththn.exec:\tththn.exe65⤵
- Executes dropped EXE
-
\??\c:\ppvpj.exec:\ppvpj.exe66⤵
-
\??\c:\jjvvd.exec:\jjvvd.exe67⤵
-
\??\c:\xrfxrxl.exec:\xrfxrxl.exe68⤵
-
\??\c:\btnnnn.exec:\btnnnn.exe69⤵
-
\??\c:\bbtthh.exec:\bbtthh.exe70⤵
- System Location Discovery: System Language Discovery
-
\??\c:\jppjd.exec:\jppjd.exe71⤵
-
\??\c:\3xrfxxl.exec:\3xrfxxl.exe72⤵
-
\??\c:\lfrfxfl.exec:\lfrfxfl.exe73⤵
-
\??\c:\bnnbhn.exec:\bnnbhn.exe74⤵
- System Location Discovery: System Language Discovery
-
\??\c:\5hnhbn.exec:\5hnhbn.exe75⤵
-
\??\c:\1pvpd.exec:\1pvpd.exe76⤵
-
\??\c:\rlffflx.exec:\rlffflx.exe77⤵
-
\??\c:\9flrffx.exec:\9flrffx.exe78⤵
-
\??\c:\hththh.exec:\hththh.exe79⤵
-
\??\c:\9ppdj.exec:\9ppdj.exe80⤵
-
\??\c:\1vvpd.exec:\1vvpd.exe81⤵
-
\??\c:\frxxfxf.exec:\frxxfxf.exe82⤵
-
\??\c:\tbtttt.exec:\tbtttt.exe83⤵
-
\??\c:\bthnbb.exec:\bthnbb.exe84⤵
-
\??\c:\ppjdv.exec:\ppjdv.exe85⤵
-
\??\c:\vvpjd.exec:\vvpjd.exe86⤵
-
\??\c:\xxxxfrl.exec:\xxxxfrl.exe87⤵
-
\??\c:\btbhhh.exec:\btbhhh.exe88⤵
-
\??\c:\tnbthb.exec:\tnbthb.exe89⤵
-
\??\c:\1pjvd.exec:\1pjvd.exe90⤵
-
\??\c:\jjpdj.exec:\jjpdj.exe91⤵
-
\??\c:\rrxflfx.exec:\rrxflfx.exe92⤵
-
\??\c:\hnnhbh.exec:\hnnhbh.exe93⤵
-
\??\c:\nnhbnt.exec:\nnhbnt.exe94⤵
-
\??\c:\jdvjv.exec:\jdvjv.exe95⤵
-
\??\c:\xlflrxl.exec:\xlflrxl.exe96⤵
-
\??\c:\lxfxlrx.exec:\lxfxlrx.exe97⤵
-
\??\c:\nhbbnn.exec:\nhbbnn.exe98⤵
-
\??\c:\9btthn.exec:\9btthn.exe99⤵
-
\??\c:\dvpdj.exec:\dvpdj.exe100⤵
-
\??\c:\7xfrflx.exec:\7xfrflx.exe101⤵
-
\??\c:\lfrfxlf.exec:\lfrfxlf.exe102⤵
-
\??\c:\nhntht.exec:\nhntht.exe103⤵
-
\??\c:\btbbnh.exec:\btbbnh.exe104⤵
-
\??\c:\7vvdv.exec:\7vvdv.exe105⤵
-
\??\c:\pddpp.exec:\pddpp.exe106⤵
-
\??\c:\9xrrfrr.exec:\9xrrfrr.exe107⤵
-
\??\c:\btnntt.exec:\btnntt.exe108⤵
-
\??\c:\3thbht.exec:\3thbht.exe109⤵
-
\??\c:\dpppv.exec:\dpppv.exe110⤵
-
\??\c:\jddjv.exec:\jddjv.exe111⤵
-
\??\c:\tnthnt.exec:\tnthnt.exe112⤵
-
\??\c:\nntbnn.exec:\nntbnn.exe113⤵
-
\??\c:\9ppdd.exec:\9ppdd.exe114⤵
-
\??\c:\lfrfrrr.exec:\lfrfrrr.exe115⤵
-
\??\c:\ffrfrrf.exec:\ffrfrrf.exe116⤵
-
\??\c:\tbnhnh.exec:\tbnhnh.exe117⤵
-
\??\c:\ntthhn.exec:\ntthhn.exe118⤵
-
\??\c:\dvjvp.exec:\dvjvp.exe119⤵
-
\??\c:\rlrfrxl.exec:\rlrfrxl.exe120⤵
-
\??\c:\fxfxffr.exec:\fxfxffr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-