Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
25-11-2024 05:24
General
-
Target
516f8a9fd67c820ddd9520c7538f2afa9589c786d26cc533032699aef5053378N.exe
-
Size
61KB
-
MD5
a42d7d30b4f9dc4ab00dde8b020f5bc0
-
SHA1
4a5f51b202680d114396aad2c40a51b4e44b8234
-
SHA256
516f8a9fd67c820ddd9520c7538f2afa9589c786d26cc533032699aef5053378
-
SHA512
a426cbab94972f2cded7e309efea3f214933a8b030e468e4c255d02157a4fc274c966f26e6e0c624cb96e579032abaaa70131e8346ed7a4d1cb92e6d15563a33
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+byi:ymb3NkkiQ3mdBjF+3Tp9
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\516f8a9fd67c820ddd9520c7538f2afa9589c786d26cc533032699aef5053378N.exe"C:\Users\Admin\AppData\Local\Temp\516f8a9fd67c820ddd9520c7538f2afa9589c786d26cc533032699aef5053378N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\082622.exec:\082622.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppjd.exec:\dppjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\080028.exec:\080028.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnbbb.exec:\bbnbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllfrlx.exec:\xllfrlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtbbh.exec:\nhtbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrlrr.exec:\rlxrlrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflrxxf.exec:\rflrxxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\648266.exec:\648266.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhbtb.exec:\bhhbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\862226.exec:\862226.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o000040.exec:\o000040.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\868466.exec:\868466.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\046000.exec:\046000.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4200284.exec:\4200284.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3dddd.exec:\3dddd.exe17⤵
- Executes dropped EXE
-
\??\c:\bnnthn.exec:\bnnthn.exe18⤵
- Executes dropped EXE
-
\??\c:\20684.exec:\20684.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\2022440.exec:\2022440.exe20⤵
- Executes dropped EXE
-
\??\c:\6460664.exec:\6460664.exe21⤵
- Executes dropped EXE
-
\??\c:\vdjdd.exec:\vdjdd.exe22⤵
- Executes dropped EXE
-
\??\c:\2248482.exec:\2248482.exe23⤵
- Executes dropped EXE
-
\??\c:\1bhhtb.exec:\1bhhtb.exe24⤵
- Executes dropped EXE
-
\??\c:\280886.exec:\280886.exe25⤵
- Executes dropped EXE
-
\??\c:\q68028.exec:\q68028.exe26⤵
- Executes dropped EXE
-
\??\c:\6020664.exec:\6020664.exe27⤵
- Executes dropped EXE
-
\??\c:\m4662.exec:\m4662.exe28⤵
- Executes dropped EXE
-
\??\c:\1xrrffl.exec:\1xrrffl.exe29⤵
- Executes dropped EXE
-
\??\c:\8660040.exec:\8660040.exe30⤵
- Executes dropped EXE
-
\??\c:\208246.exec:\208246.exe31⤵
- Executes dropped EXE
-
\??\c:\864046.exec:\864046.exe32⤵
- Executes dropped EXE
-
\??\c:\64284.exec:\64284.exe33⤵
- Executes dropped EXE
-
\??\c:\nhnttt.exec:\nhnttt.exe34⤵
- Executes dropped EXE
-
\??\c:\8226240.exec:\8226240.exe35⤵
- Executes dropped EXE
-
\??\c:\68620.exec:\68620.exe36⤵
- Executes dropped EXE
-
\??\c:\w68840.exec:\w68840.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\dvddd.exec:\dvddd.exe38⤵
- Executes dropped EXE
-
\??\c:\ddpvd.exec:\ddpvd.exe39⤵
- Executes dropped EXE
-
\??\c:\864062.exec:\864062.exe40⤵
- Executes dropped EXE
-
\??\c:\rfrrxxl.exec:\rfrrxxl.exe41⤵
- Executes dropped EXE
-
\??\c:\7rflrxl.exec:\7rflrxl.exe42⤵
- Executes dropped EXE
-
\??\c:\xrxxffl.exec:\xrxxffl.exe43⤵
- Executes dropped EXE
-
\??\c:\288828.exec:\288828.exe44⤵
- Executes dropped EXE
-
\??\c:\208440.exec:\208440.exe45⤵
- Executes dropped EXE
-
\??\c:\u206406.exec:\u206406.exe46⤵
- Executes dropped EXE
-
\??\c:\642840.exec:\642840.exe47⤵
- Executes dropped EXE
-
\??\c:\ppvpp.exec:\ppvpp.exe48⤵
- Executes dropped EXE
-
\??\c:\ppjpv.exec:\ppjpv.exe49⤵
- Executes dropped EXE
-
\??\c:\7rlrrrf.exec:\7rlrrrf.exe50⤵
- Executes dropped EXE
-
\??\c:\646288.exec:\646288.exe51⤵
- Executes dropped EXE
-
\??\c:\s6846.exec:\s6846.exe52⤵
- Executes dropped EXE
-
\??\c:\602800.exec:\602800.exe53⤵
- Executes dropped EXE
-
\??\c:\rlxfrlr.exec:\rlxfrlr.exe54⤵
- Executes dropped EXE
-
\??\c:\2646484.exec:\2646484.exe55⤵
- Executes dropped EXE
-
\??\c:\268062.exec:\268062.exe56⤵
- Executes dropped EXE
-
\??\c:\nntntn.exec:\nntntn.exe57⤵
- Executes dropped EXE
-
\??\c:\g2668.exec:\g2668.exe58⤵
- Executes dropped EXE
-
\??\c:\420028.exec:\420028.exe59⤵
- Executes dropped EXE
-
\??\c:\08006.exec:\08006.exe60⤵
- Executes dropped EXE
-
\??\c:\8400662.exec:\8400662.exe61⤵
- Executes dropped EXE
-
\??\c:\08406.exec:\08406.exe62⤵
- Executes dropped EXE
-
\??\c:\886866.exec:\886866.exe63⤵
- Executes dropped EXE
-
\??\c:\frflfff.exec:\frflfff.exe64⤵
- Executes dropped EXE
-
\??\c:\rlrlrlf.exec:\rlrlrlf.exe65⤵
- Executes dropped EXE
-
\??\c:\424640.exec:\424640.exe66⤵
-
\??\c:\5tbttn.exec:\5tbttn.exe67⤵
-
\??\c:\lxffllr.exec:\lxffllr.exe68⤵
-
\??\c:\26846.exec:\26846.exe69⤵
-
\??\c:\86884.exec:\86884.exe70⤵
-
\??\c:\26400.exec:\26400.exe71⤵
-
\??\c:\86229.exec:\86229.exe72⤵
-
\??\c:\824026.exec:\824026.exe73⤵
-
\??\c:\xrxxffl.exec:\xrxxffl.exe74⤵
-
\??\c:\tnbbhh.exec:\tnbbhh.exe75⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xrllrrf.exec:\xrllrrf.exe76⤵
-
\??\c:\642626.exec:\642626.exe77⤵
-
\??\c:\862840.exec:\862840.exe78⤵
-
\??\c:\bthbhh.exec:\bthbhh.exe79⤵
-
\??\c:\ppddp.exec:\ppddp.exe80⤵
-
\??\c:\60022.exec:\60022.exe81⤵
-
\??\c:\0480868.exec:\0480868.exe82⤵
-
\??\c:\1xllxll.exec:\1xllxll.exe83⤵
-
\??\c:\q80066.exec:\q80066.exe84⤵
-
\??\c:\002806.exec:\002806.exe85⤵
-
\??\c:\1hbhtb.exec:\1hbhtb.exe86⤵
-
\??\c:\866626.exec:\866626.exe87⤵
-
\??\c:\k02444.exec:\k02444.exe88⤵
-
\??\c:\648646.exec:\648646.exe89⤵
-
\??\c:\dpjjj.exec:\dpjjj.exe90⤵
-
\??\c:\htttbt.exec:\htttbt.exe91⤵
-
\??\c:\808226.exec:\808226.exe92⤵
-
\??\c:\086066.exec:\086066.exe93⤵
-
\??\c:\pdddd.exec:\pdddd.exe94⤵
-
\??\c:\rrffflr.exec:\rrffflr.exe95⤵
-
\??\c:\2028440.exec:\2028440.exe96⤵
-
\??\c:\82624.exec:\82624.exe97⤵
-
\??\c:\86440.exec:\86440.exe98⤵
-
\??\c:\04246.exec:\04246.exe99⤵
-
\??\c:\nntttb.exec:\nntttb.exe100⤵
-
\??\c:\ntbbbb.exec:\ntbbbb.exe101⤵
-
\??\c:\1btbhh.exec:\1btbhh.exe102⤵
-
\??\c:\8080824.exec:\8080824.exe103⤵
-
\??\c:\7lffllx.exec:\7lffllx.exe104⤵
-
\??\c:\m2024.exec:\m2024.exe105⤵
-
\??\c:\hbnttt.exec:\hbnttt.exe106⤵
-
\??\c:\1ttbtt.exec:\1ttbtt.exe107⤵
-
\??\c:\llxlffx.exec:\llxlffx.exe108⤵
-
\??\c:\6080228.exec:\6080228.exe109⤵
-
\??\c:\tnbtbh.exec:\tnbtbh.exe110⤵
-
\??\c:\9bnntb.exec:\9bnntb.exe111⤵
-
\??\c:\k42222.exec:\k42222.exe112⤵
-
\??\c:\c822880.exec:\c822880.exe113⤵
-
\??\c:\lffxfff.exec:\lffxfff.exe114⤵
-
\??\c:\lrrflfl.exec:\lrrflfl.exe115⤵
-
\??\c:\fxxxlll.exec:\fxxxlll.exe116⤵
-
\??\c:\jdvvd.exec:\jdvvd.exe117⤵
-
\??\c:\08006.exec:\08006.exe118⤵
-
\??\c:\4824006.exec:\4824006.exe119⤵
-
\??\c:\vjdjp.exec:\vjdjp.exe120⤵
-
\??\c:\08068.exec:\08068.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-