Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
25/11/2024, 21:45
General
-
Target
0f73853d0bb87b83dee77d0125870d2555550b8578965dcfaa558f8a256b5dc9.exe
-
Size
61KB
-
MD5
82fb189d757d46b906dee1dd955dee97
-
SHA1
581519de4e1328684fe445a51d857cf60052910e
-
SHA256
0f73853d0bb87b83dee77d0125870d2555550b8578965dcfaa558f8a256b5dc9
-
SHA512
572ddb2a2ad4294d4a21665164a819012b22983de6a7db02474bff4619a65be24c3768e4a3759e849a2ae3c1a645754420112aa811f403748dea96c5d4f83efb
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+byu:ymb3NkkiQ3mdBjF+3TpL
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f73853d0bb87b83dee77d0125870d2555550b8578965dcfaa558f8a256b5dc9.exe"C:\Users\Admin\AppData\Local\Temp\0f73853d0bb87b83dee77d0125870d2555550b8578965dcfaa558f8a256b5dc9.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\nthbbn.exec:\nthbbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpjj.exec:\ddpjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bttbh.exec:\3bttbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddpv.exec:\dddpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3frxfxf.exec:\3frxfxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7tthnn.exec:\7tthnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdjp.exec:\vpdjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbttt.exec:\bnbttt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhtbn.exec:\hhhtbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvppv.exec:\pvppv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrffxx.exec:\xlrffxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthnnh.exec:\hthnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtbnn.exec:\bbtbnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djppd.exec:\djppd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrflrf.exec:\fxrflrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hnhth.exec:\9hnhth.exe17⤵
- Executes dropped EXE
-
\??\c:\ppppv.exec:\ppppv.exe18⤵
- Executes dropped EXE
-
\??\c:\1vdvj.exec:\1vdvj.exe19⤵
- Executes dropped EXE
-
\??\c:\7jjpd.exec:\7jjpd.exe20⤵
- Executes dropped EXE
-
\??\c:\5htbth.exec:\5htbth.exe21⤵
- Executes dropped EXE
-
\??\c:\btntnn.exec:\btntnn.exe22⤵
- Executes dropped EXE
-
\??\c:\pdvdp.exec:\pdvdp.exe23⤵
- Executes dropped EXE
-
\??\c:\7vpdp.exec:\7vpdp.exe24⤵
- Executes dropped EXE
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe25⤵
- Executes dropped EXE
-
\??\c:\9hbbbh.exec:\9hbbbh.exe26⤵
- Executes dropped EXE
-
\??\c:\tttbtb.exec:\tttbtb.exe27⤵
- Executes dropped EXE
-
\??\c:\vpjvj.exec:\vpjvj.exe28⤵
- Executes dropped EXE
-
\??\c:\3rrrrll.exec:\3rrrrll.exe29⤵
- Executes dropped EXE
-
\??\c:\nnbhbt.exec:\nnbhbt.exe30⤵
- Executes dropped EXE
-
\??\c:\jdvvd.exec:\jdvvd.exe31⤵
- Executes dropped EXE
-
\??\c:\pjvvv.exec:\pjvvv.exe32⤵
- Executes dropped EXE
-
\??\c:\lflfflf.exec:\lflfflf.exe33⤵
- Executes dropped EXE
-
\??\c:\nnbnbn.exec:\nnbnbn.exe34⤵
- Executes dropped EXE
-
\??\c:\nhhttb.exec:\nhhttb.exe35⤵
- Executes dropped EXE
-
\??\c:\jdvdp.exec:\jdvdp.exe36⤵
- Executes dropped EXE
-
\??\c:\vpjpd.exec:\vpjpd.exe37⤵
- Executes dropped EXE
-
\??\c:\ffrxlrl.exec:\ffrxlrl.exe38⤵
- Executes dropped EXE
-
\??\c:\5nnnnb.exec:\5nnnnb.exe39⤵
- Executes dropped EXE
-
\??\c:\hhbnth.exec:\hhbnth.exe40⤵
- Executes dropped EXE
-
\??\c:\jjjvd.exec:\jjjvd.exe41⤵
- Executes dropped EXE
-
\??\c:\jdpdj.exec:\jdpdj.exe42⤵
- Executes dropped EXE
-
\??\c:\rlflrrf.exec:\rlflrrf.exe43⤵
- Executes dropped EXE
-
\??\c:\thnttt.exec:\thnttt.exe44⤵
- Executes dropped EXE
-
\??\c:\tbhttn.exec:\tbhttn.exe45⤵
- Executes dropped EXE
-
\??\c:\jpdvp.exec:\jpdvp.exe46⤵
- Executes dropped EXE
-
\??\c:\9xxfllr.exec:\9xxfllr.exe47⤵
- Executes dropped EXE
-
\??\c:\xrlfrrl.exec:\xrlfrrl.exe48⤵
- Executes dropped EXE
-
\??\c:\nnnthh.exec:\nnnthh.exe49⤵
- Executes dropped EXE
-
\??\c:\tbnhbt.exec:\tbnhbt.exe50⤵
- Executes dropped EXE
-
\??\c:\ppdpv.exec:\ppdpv.exe51⤵
- Executes dropped EXE
-
\??\c:\xxrrlxr.exec:\xxrrlxr.exe52⤵
- Executes dropped EXE
-
\??\c:\1tbnhn.exec:\1tbnhn.exe53⤵
- Executes dropped EXE
-
\??\c:\djpdd.exec:\djpdd.exe54⤵
- Executes dropped EXE
-
\??\c:\vpjvp.exec:\vpjvp.exe55⤵
- Executes dropped EXE
-
\??\c:\lfrrxlf.exec:\lfrrxlf.exe56⤵
- Executes dropped EXE
-
\??\c:\fxrlffr.exec:\fxrlffr.exe57⤵
- Executes dropped EXE
-
\??\c:\hthhnh.exec:\hthhnh.exe58⤵
- Executes dropped EXE
-
\??\c:\tbhntn.exec:\tbhntn.exe59⤵
- Executes dropped EXE
-
\??\c:\pdppp.exec:\pdppp.exe60⤵
- Executes dropped EXE
-
\??\c:\vvpvj.exec:\vvpvj.exe61⤵
- Executes dropped EXE
-
\??\c:\7lflflx.exec:\7lflflx.exe62⤵
- Executes dropped EXE
-
\??\c:\fflrrlf.exec:\fflrrlf.exe63⤵
- Executes dropped EXE
-
\??\c:\bnbhnn.exec:\bnbhnn.exe64⤵
- Executes dropped EXE
-
\??\c:\5tnbnt.exec:\5tnbnt.exe65⤵
- Executes dropped EXE
-
\??\c:\jdvjp.exec:\jdvjp.exe66⤵
-
\??\c:\9jpjp.exec:\9jpjp.exe67⤵
-
\??\c:\5ffffrl.exec:\5ffffrl.exe68⤵
-
\??\c:\lfxlffr.exec:\lfxlffr.exe69⤵
-
\??\c:\bbtbhn.exec:\bbtbhn.exe70⤵
-
\??\c:\hbthhn.exec:\hbthhn.exe71⤵
- System Location Discovery: System Language Discovery
-
\??\c:\1jjdj.exec:\1jjdj.exe72⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe73⤵
-
\??\c:\xrlrfrf.exec:\xrlrfrf.exe74⤵
-
\??\c:\1fxfrxx.exec:\1fxfrxx.exe75⤵
-
\??\c:\hhbthn.exec:\hhbthn.exe76⤵
-
\??\c:\5vdvd.exec:\5vdvd.exe77⤵
-
\??\c:\5vvpd.exec:\5vvpd.exe78⤵
-
\??\c:\llxfxxl.exec:\llxfxxl.exe79⤵
-
\??\c:\tnbhnn.exec:\tnbhnn.exe80⤵
-
\??\c:\nttnth.exec:\nttnth.exe81⤵
-
\??\c:\9ppdj.exec:\9ppdj.exe82⤵
-
\??\c:\vvppv.exec:\vvppv.exe83⤵
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe84⤵
-
\??\c:\1llrllr.exec:\1llrllr.exe85⤵
-
\??\c:\ttttbh.exec:\ttttbh.exe86⤵
-
\??\c:\vjjjd.exec:\vjjjd.exe87⤵
-
\??\c:\jvdvd.exec:\jvdvd.exe88⤵
-
\??\c:\rlxlxrx.exec:\rlxlxrx.exe89⤵
-
\??\c:\ttnbnt.exec:\ttnbnt.exe90⤵
-
\??\c:\nnbbhb.exec:\nnbbhb.exe91⤵
-
\??\c:\pjvdv.exec:\pjvdv.exe92⤵
-
\??\c:\pppvd.exec:\pppvd.exe93⤵
-
\??\c:\lfrrfrl.exec:\lfrrfrl.exe94⤵
-
\??\c:\5rrxflx.exec:\5rrxflx.exe95⤵
-
\??\c:\nthnnh.exec:\nthnnh.exe96⤵
-
\??\c:\nhhnhn.exec:\nhhnhn.exe97⤵
-
\??\c:\7jpdd.exec:\7jpdd.exe98⤵
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe99⤵
-
\??\c:\rrfrllf.exec:\rrfrllf.exe100⤵
-
\??\c:\9nhbhn.exec:\9nhbhn.exe101⤵
-
\??\c:\nntbnb.exec:\nntbnb.exe102⤵
-
\??\c:\ppjvd.exec:\ppjvd.exe103⤵
-
\??\c:\dvppd.exec:\dvppd.exe104⤵
-
\??\c:\flxxffl.exec:\flxxffl.exe105⤵
-
\??\c:\llxrflf.exec:\llxrflf.exe106⤵
-
\??\c:\nhnthn.exec:\nhnthn.exe107⤵
-
\??\c:\7ntnnb.exec:\7ntnnb.exe108⤵
-
\??\c:\vjpjv.exec:\vjpjv.exe109⤵
-
\??\c:\lfxrxfx.exec:\lfxrxfx.exe110⤵
-
\??\c:\fxrxflx.exec:\fxrxflx.exe111⤵
-
\??\c:\htnttb.exec:\htnttb.exe112⤵
-
\??\c:\hbhbhh.exec:\hbhbhh.exe113⤵
-
\??\c:\vvvpv.exec:\vvvpv.exe114⤵
-
\??\c:\jvjdj.exec:\jvjdj.exe115⤵
-
\??\c:\1xlffxf.exec:\1xlffxf.exe116⤵
-
\??\c:\bhbthb.exec:\bhbthb.exe117⤵
-
\??\c:\bbtnbh.exec:\bbtnbh.exe118⤵
-
\??\c:\vvppj.exec:\vvppj.exe119⤵
-
\??\c:\vjvjp.exec:\vjvjp.exe120⤵
-
\??\c:\rlfrxlr.exec:\rlfrxlr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-