Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
25-11-2024 04:19
General
-
Target
d35a13a885375a3897c94d3834037a5328d266df18c8558be3dbf20e3d191392.exe
-
Size
95KB
-
MD5
a0fd18a63d054daff3c27c2c710496bf
-
SHA1
3ba87cbba65e44f0b9391c816911a3a824b69c8c
-
SHA256
d35a13a885375a3897c94d3834037a5328d266df18c8558be3dbf20e3d191392
-
SHA512
1e77b82d29dde1d688b0ce6f0dc90613c935891e57ede09aafcd7039b353ebf3fec4319300006351f02dd10d11bbaf703615e28532dcb8e36dbc617e7cc5adac
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2lmf6g7xYIM0:ymb3NkkiQ3mdBjF+3TU20LO0
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d35a13a885375a3897c94d3834037a5328d266df18c8558be3dbf20e3d191392.exe"C:\Users\Admin\AppData\Local\Temp\d35a13a885375a3897c94d3834037a5328d266df18c8558be3dbf20e3d191392.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1dvvd.exec:\1dvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvjv.exec:\vvvjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7btbtt.exec:\7btbtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\862268.exec:\862268.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\220082.exec:\220082.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o682020.exec:\o682020.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\608800.exec:\608800.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1fflrrf.exec:\1fflrrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26824.exec:\26824.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhnhn.exec:\nhhnhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vjpv.exec:\3vjpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g0284.exec:\g0284.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\646288.exec:\646288.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlrrfr.exec:\xrlrrfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjvd.exec:\pjjvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpvj.exec:\djpvj.exe17⤵
- Executes dropped EXE
-
\??\c:\lxflrxx.exec:\lxflrxx.exe18⤵
- Executes dropped EXE
-
\??\c:\xrflrrf.exec:\xrflrrf.exe19⤵
- Executes dropped EXE
-
\??\c:\042244.exec:\042244.exe20⤵
- Executes dropped EXE
-
\??\c:\208400.exec:\208400.exe21⤵
- Executes dropped EXE
-
\??\c:\hbnnhh.exec:\hbnnhh.exe22⤵
- Executes dropped EXE
-
\??\c:\rrrfflf.exec:\rrrfflf.exe23⤵
- Executes dropped EXE
-
\??\c:\0484662.exec:\0484662.exe24⤵
- Executes dropped EXE
-
\??\c:\6048006.exec:\6048006.exe25⤵
- Executes dropped EXE
-
\??\c:\nhttbt.exec:\nhttbt.exe26⤵
- Executes dropped EXE
-
\??\c:\k64082.exec:\k64082.exe27⤵
- Executes dropped EXE
-
\??\c:\rfrlxxf.exec:\rfrlxxf.exe28⤵
- Executes dropped EXE
-
\??\c:\llffrrl.exec:\llffrrl.exe29⤵
- Executes dropped EXE
-
\??\c:\86062.exec:\86062.exe30⤵
- Executes dropped EXE
-
\??\c:\fxrrxxl.exec:\fxrrxxl.exe31⤵
- Executes dropped EXE
-
\??\c:\i428440.exec:\i428440.exe32⤵
- Executes dropped EXE
-
\??\c:\nhhhnn.exec:\nhhhnn.exe33⤵
- Executes dropped EXE
-
\??\c:\rfrlxrx.exec:\rfrlxrx.exe34⤵
- Executes dropped EXE
-
\??\c:\lxlffff.exec:\lxlffff.exe35⤵
- Executes dropped EXE
-
\??\c:\264004.exec:\264004.exe36⤵
- Executes dropped EXE
-
\??\c:\08262.exec:\08262.exe37⤵
- Executes dropped EXE
-
\??\c:\frxflxx.exec:\frxflxx.exe38⤵
- Executes dropped EXE
-
\??\c:\pjvdv.exec:\pjvdv.exe39⤵
- Executes dropped EXE
-
\??\c:\4266228.exec:\4266228.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\e28088.exec:\e28088.exe41⤵
- Executes dropped EXE
-
\??\c:\9hnnbb.exec:\9hnnbb.exe42⤵
- Executes dropped EXE
-
\??\c:\826282.exec:\826282.exe43⤵
- Executes dropped EXE
-
\??\c:\60880.exec:\60880.exe44⤵
- Executes dropped EXE
-
\??\c:\rllrlrx.exec:\rllrlrx.exe45⤵
- Executes dropped EXE
-
\??\c:\22446.exec:\22446.exe46⤵
- Executes dropped EXE
-
\??\c:\nbtbnt.exec:\nbtbnt.exe47⤵
- Executes dropped EXE
-
\??\c:\86884.exec:\86884.exe48⤵
- Executes dropped EXE
-
\??\c:\208466.exec:\208466.exe49⤵
- Executes dropped EXE
-
\??\c:\7bnttt.exec:\7bnttt.exe50⤵
- Executes dropped EXE
-
\??\c:\xrfxfxf.exec:\xrfxfxf.exe51⤵
- Executes dropped EXE
-
\??\c:\lfxxllx.exec:\lfxxllx.exe52⤵
- Executes dropped EXE
-
\??\c:\02848.exec:\02848.exe53⤵
- Executes dropped EXE
-
\??\c:\rlxfrxr.exec:\rlxfrxr.exe54⤵
- Executes dropped EXE
-
\??\c:\1pjjv.exec:\1pjjv.exe55⤵
- Executes dropped EXE
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe56⤵
- Executes dropped EXE
-
\??\c:\48080.exec:\48080.exe57⤵
- Executes dropped EXE
-
\??\c:\2644228.exec:\2644228.exe58⤵
- Executes dropped EXE
-
\??\c:\vdjjd.exec:\vdjjd.exe59⤵
- Executes dropped EXE
-
\??\c:\pjdjv.exec:\pjdjv.exe60⤵
- Executes dropped EXE
-
\??\c:\5tntbb.exec:\5tntbb.exe61⤵
- Executes dropped EXE
-
\??\c:\q24444.exec:\q24444.exe62⤵
- Executes dropped EXE
-
\??\c:\djdpj.exec:\djdpj.exe63⤵
- Executes dropped EXE
-
\??\c:\5hhhbb.exec:\5hhhbb.exe64⤵
- Executes dropped EXE
-
\??\c:\864066.exec:\864066.exe65⤵
- Executes dropped EXE
-
\??\c:\6088062.exec:\6088062.exe66⤵
-
\??\c:\60202.exec:\60202.exe67⤵
-
\??\c:\022282.exec:\022282.exe68⤵
-
\??\c:\826000.exec:\826000.exe69⤵
-
\??\c:\426226.exec:\426226.exe70⤵
-
\??\c:\xrrxflr.exec:\xrrxflr.exe71⤵
-
\??\c:\rflflfl.exec:\rflflfl.exe72⤵
-
\??\c:\264682.exec:\264682.exe73⤵
-
\??\c:\7thhhh.exec:\7thhhh.exe74⤵
-
\??\c:\8288440.exec:\8288440.exe75⤵
-
\??\c:\202804.exec:\202804.exe76⤵
-
\??\c:\w64066.exec:\w64066.exe77⤵
-
\??\c:\220088.exec:\220088.exe78⤵
-
\??\c:\rlxxfxl.exec:\rlxxfxl.exe79⤵
-
\??\c:\pjppv.exec:\pjppv.exe80⤵
-
\??\c:\86462.exec:\86462.exe81⤵
-
\??\c:\2688440.exec:\2688440.exe82⤵
-
\??\c:\428406.exec:\428406.exe83⤵
-
\??\c:\080060.exec:\080060.exe84⤵
-
\??\c:\9tttbb.exec:\9tttbb.exe85⤵
-
\??\c:\vjvdd.exec:\vjvdd.exe86⤵
-
\??\c:\g8448.exec:\g8448.exe87⤵
-
\??\c:\20240.exec:\20240.exe88⤵
-
\??\c:\262288.exec:\262288.exe89⤵
-
\??\c:\480628.exec:\480628.exe90⤵
-
\??\c:\rfxrrlx.exec:\rfxrrlx.exe91⤵
-
\??\c:\rxlxxxr.exec:\rxlxxxr.exe92⤵
-
\??\c:\jddvv.exec:\jddvv.exe93⤵
-
\??\c:\xffrlfl.exec:\xffrlfl.exe94⤵
-
\??\c:\i800668.exec:\i800668.exe95⤵
-
\??\c:\5xxrrff.exec:\5xxrrff.exe96⤵
-
\??\c:\pdvpp.exec:\pdvpp.exe97⤵
-
\??\c:\q64022.exec:\q64022.exe98⤵
-
\??\c:\m6006.exec:\m6006.exe99⤵
-
\??\c:\rffffxf.exec:\rffffxf.exe100⤵
-
\??\c:\xlfrrlx.exec:\xlfrrlx.exe101⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe102⤵
-
\??\c:\jvdvd.exec:\jvdvd.exe103⤵
-
\??\c:\862222.exec:\862222.exe104⤵
-
\??\c:\xlxrffr.exec:\xlxrffr.exe105⤵
-
\??\c:\hntthb.exec:\hntthb.exe106⤵
-
\??\c:\lfrrxrx.exec:\lfrrxrx.exe107⤵
-
\??\c:\c088006.exec:\c088006.exe108⤵
-
\??\c:\o288006.exec:\o288006.exe109⤵
-
\??\c:\6462402.exec:\6462402.exe110⤵
-
\??\c:\s6444.exec:\s6444.exe111⤵
-
\??\c:\1dpjp.exec:\1dpjp.exe112⤵
-
\??\c:\0844006.exec:\0844006.exe113⤵
-
\??\c:\1rxflrx.exec:\1rxflrx.exe114⤵
-
\??\c:\rlxfrxx.exec:\rlxfrxx.exe115⤵
-
\??\c:\xrfxfxx.exec:\xrfxfxx.exe116⤵
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe117⤵
-
\??\c:\flrlrfl.exec:\flrlrfl.exe118⤵
-
\??\c:\08460.exec:\08460.exe119⤵
-
\??\c:\5hbtnn.exec:\5hbtnn.exe120⤵
-
\??\c:\fxllffl.exec:\fxllffl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-