Analysis
-
max time kernel
115s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
24-11-2024 20:19
General
-
Target
091f39c2ac1698aac61599ca09d852ad8a8df5c5f7d9ac574d1fa76f830d5cc8N.exe
-
Size
91KB
-
MD5
6af719a5edf29e38892683f1a4bd57f0
-
SHA1
43088ca57e32503dedc3819c04ccea38ae096628
-
SHA256
091f39c2ac1698aac61599ca09d852ad8a8df5c5f7d9ac574d1fa76f830d5cc8
-
SHA512
fa8175bd8d1e8ff76879daee88c59f5ab1fe962f31d4c729e4a7e66eda997e8993f731dd2ac28c6c9daf6d43606fd96bae6a3e2a11499c37b2f3a46368577a18
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2iJvRirE0DmmdL2jqWkBc:ymb3NkkiQ3mdBjF+3TU2iBRioSumWS1a
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\091f39c2ac1698aac61599ca09d852ad8a8df5c5f7d9ac574d1fa76f830d5cc8N.exe"C:\Users\Admin\AppData\Local\Temp\091f39c2ac1698aac61599ca09d852ad8a8df5c5f7d9ac574d1fa76f830d5cc8N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvpd.exec:\ddvpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i422400.exec:\i422400.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbntnb.exec:\hbntnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w24600.exec:\w24600.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\66024.exec:\66024.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8280840.exec:\8280840.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60246.exec:\60246.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\222600.exec:\222600.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4826682.exec:\4826682.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhtbb.exec:\tnhtbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ppvv.exec:\7ppvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60686.exec:\60686.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\820266.exec:\820266.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82068.exec:\82068.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q60602.exec:\q60602.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8660440.exec:\8660440.exe17⤵
- Executes dropped EXE
-
\??\c:\608624.exec:\608624.exe18⤵
- Executes dropped EXE
-
\??\c:\xrflrxl.exec:\xrflrxl.exe19⤵
- Executes dropped EXE
-
\??\c:\ddpdp.exec:\ddpdp.exe20⤵
- Executes dropped EXE
-
\??\c:\5bthtb.exec:\5bthtb.exe21⤵
- Executes dropped EXE
-
\??\c:\82004.exec:\82004.exe22⤵
- Executes dropped EXE
-
\??\c:\k68406.exec:\k68406.exe23⤵
- Executes dropped EXE
-
\??\c:\1ddpp.exec:\1ddpp.exe24⤵
- Executes dropped EXE
-
\??\c:\3hntbn.exec:\3hntbn.exe25⤵
- Executes dropped EXE
-
\??\c:\ttbbtt.exec:\ttbbtt.exe26⤵
- Executes dropped EXE
-
\??\c:\rlxfxxl.exec:\rlxfxxl.exe27⤵
- Executes dropped EXE
-
\??\c:\rrlrllx.exec:\rrlrllx.exe28⤵
- Executes dropped EXE
-
\??\c:\8240622.exec:\8240622.exe29⤵
- Executes dropped EXE
-
\??\c:\jdddd.exec:\jdddd.exe30⤵
- Executes dropped EXE
-
\??\c:\xflrfrx.exec:\xflrfrx.exe31⤵
- Executes dropped EXE
-
\??\c:\0848888.exec:\0848888.exe32⤵
- Executes dropped EXE
-
\??\c:\a8068.exec:\a8068.exe33⤵
- Executes dropped EXE
-
\??\c:\fxlrlff.exec:\fxlrlff.exe34⤵
- Executes dropped EXE
-
\??\c:\nnhntb.exec:\nnhntb.exe35⤵
- Executes dropped EXE
-
\??\c:\8688822.exec:\8688822.exe36⤵
- Executes dropped EXE
-
\??\c:\ttthbn.exec:\ttthbn.exe37⤵
- Executes dropped EXE
-
\??\c:\20262.exec:\20262.exe38⤵
- Executes dropped EXE
-
\??\c:\rlxrxff.exec:\rlxrxff.exe39⤵
- Executes dropped EXE
-
\??\c:\686226.exec:\686226.exe40⤵
- Executes dropped EXE
-
\??\c:\4644228.exec:\4644228.exe41⤵
- Executes dropped EXE
-
\??\c:\w68444.exec:\w68444.exe42⤵
- Executes dropped EXE
-
\??\c:\jddjj.exec:\jddjj.exe43⤵
- Executes dropped EXE
-
\??\c:\7pjjd.exec:\7pjjd.exe44⤵
- Executes dropped EXE
-
\??\c:\020622.exec:\020622.exe45⤵
- Executes dropped EXE
-
\??\c:\824028.exec:\824028.exe46⤵
- Executes dropped EXE
-
\??\c:\86800.exec:\86800.exe47⤵
- Executes dropped EXE
-
\??\c:\hthnbh.exec:\hthnbh.exe48⤵
- Executes dropped EXE
-
\??\c:\nhtnhb.exec:\nhtnhb.exe49⤵
- Executes dropped EXE
-
\??\c:\w24444.exec:\w24444.exe50⤵
- Executes dropped EXE
-
\??\c:\rlxxlrf.exec:\rlxxlrf.exe51⤵
- Executes dropped EXE
-
\??\c:\vvvdj.exec:\vvvdj.exe52⤵
- Executes dropped EXE
-
\??\c:\6462266.exec:\6462266.exe53⤵
- Executes dropped EXE
-
\??\c:\7jjdd.exec:\7jjdd.exe54⤵
- Executes dropped EXE
-
\??\c:\hbtbbh.exec:\hbtbbh.exe55⤵
- Executes dropped EXE
-
\??\c:\42406.exec:\42406.exe56⤵
- Executes dropped EXE
-
\??\c:\484066.exec:\484066.exe57⤵
- Executes dropped EXE
-
\??\c:\42240.exec:\42240.exe58⤵
- Executes dropped EXE
-
\??\c:\1fxfrxl.exec:\1fxfrxl.exe59⤵
- Executes dropped EXE
-
\??\c:\8028484.exec:\8028484.exe60⤵
- Executes dropped EXE
-
\??\c:\btbbhh.exec:\btbbhh.exe61⤵
- Executes dropped EXE
-
\??\c:\0042206.exec:\0042206.exe62⤵
- Executes dropped EXE
-
\??\c:\nhhnbn.exec:\nhhnbn.exe63⤵
- Executes dropped EXE
-
\??\c:\pvdvp.exec:\pvdvp.exe64⤵
- Executes dropped EXE
-
\??\c:\vddjd.exec:\vddjd.exe65⤵
- Executes dropped EXE
-
\??\c:\rlxfxfx.exec:\rlxfxfx.exe66⤵
-
\??\c:\7pjpp.exec:\7pjpp.exe67⤵
-
\??\c:\8202846.exec:\8202846.exe68⤵
-
\??\c:\3nnbnt.exec:\3nnbnt.exe69⤵
-
\??\c:\0884884.exec:\0884884.exe70⤵
-
\??\c:\ffrfxlr.exec:\ffrfxlr.exe71⤵
-
\??\c:\llfxrxr.exec:\llfxrxr.exe72⤵
-
\??\c:\66462.exec:\66462.exe73⤵
-
\??\c:\2088488.exec:\2088488.exe74⤵
-
\??\c:\bbnhtt.exec:\bbnhtt.exe75⤵
-
\??\c:\g4806.exec:\g4806.exe76⤵
-
\??\c:\646884.exec:\646884.exe77⤵
-
\??\c:\fxxfflr.exec:\fxxfflr.exe78⤵
-
\??\c:\s4224.exec:\s4224.exe79⤵
-
\??\c:\4246468.exec:\4246468.exe80⤵
-
\??\c:\djdvp.exec:\djdvp.exe81⤵
-
\??\c:\ttnhnn.exec:\ttnhnn.exe82⤵
-
\??\c:\a8440.exec:\a8440.exe83⤵
-
\??\c:\nhtbtb.exec:\nhtbtb.exe84⤵
-
\??\c:\84284.exec:\84284.exe85⤵
-
\??\c:\6284488.exec:\6284488.exe86⤵
-
\??\c:\s8002.exec:\s8002.exe87⤵
-
\??\c:\xrfrflf.exec:\xrfrflf.exe88⤵
-
\??\c:\042244.exec:\042244.exe89⤵
-
\??\c:\ddvdv.exec:\ddvdv.exe90⤵
-
\??\c:\htttnt.exec:\htttnt.exe91⤵
-
\??\c:\ppjpv.exec:\ppjpv.exe92⤵
-
\??\c:\24224.exec:\24224.exe93⤵
-
\??\c:\o260228.exec:\o260228.exe94⤵
-
\??\c:\7llxrrx.exec:\7llxrrx.exe95⤵
-
\??\c:\u688606.exec:\u688606.exe96⤵
-
\??\c:\0806060.exec:\0806060.exe97⤵
-
\??\c:\ppvvv.exec:\ppvvv.exe98⤵
-
\??\c:\28664.exec:\28664.exe99⤵
-
\??\c:\xrrxrrf.exec:\xrrxrrf.exe100⤵
-
\??\c:\tnnntb.exec:\tnnntb.exe101⤵
-
\??\c:\bthhht.exec:\bthhht.exe102⤵
-
\??\c:\64280.exec:\64280.exe103⤵
-
\??\c:\q64806.exec:\q64806.exe104⤵
-
\??\c:\o262284.exec:\o262284.exe105⤵
-
\??\c:\5frxrrr.exec:\5frxrrr.exe106⤵
-
\??\c:\1flxrxl.exec:\1flxrxl.exe107⤵
-
\??\c:\u028440.exec:\u028440.exe108⤵
-
\??\c:\0462882.exec:\0462882.exe109⤵
-
\??\c:\88224.exec:\88224.exe110⤵
-
\??\c:\dvjpv.exec:\dvjpv.exe111⤵
-
\??\c:\804460.exec:\804460.exe112⤵
-
\??\c:\lfxfllx.exec:\lfxfllx.exe113⤵
-
\??\c:\lxlrlrr.exec:\lxlrlrr.exe114⤵
-
\??\c:\9vvdp.exec:\9vvdp.exe115⤵
-
\??\c:\42260.exec:\42260.exe116⤵
- System Location Discovery: System Language Discovery
-
\??\c:\ffxflrf.exec:\ffxflrf.exe117⤵
-
\??\c:\42446.exec:\42446.exe118⤵
-
\??\c:\040040.exec:\040040.exe119⤵
-
\??\c:\btnhhh.exec:\btnhhh.exe120⤵
-
\??\c:\xxlllff.exec:\xxlllff.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-