Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
25-11-2024 07:05
General
-
Target
7aa887eae0af0f1f611cd5470ae6410746b8b196cc7ce3286c9c7e6a134f2df5.exe
-
Size
72KB
-
MD5
c87b1e04cf065062e516255230eae513
-
SHA1
49b5ba4738560e18eee190d6f3bd3fdf9b7b6114
-
SHA256
7aa887eae0af0f1f611cd5470ae6410746b8b196cc7ce3286c9c7e6a134f2df5
-
SHA512
e32a94c83208f03c857d2a4898d190f974d2c068df14863dc738207d4587676f36165cbd0f29d6b2abd0ef10ff480f74ff0a937414d17faf35bf99fed24eaa34
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJUDbAIdiW65k:ymb3NkkiQ3mdBjFIFdJ8bViW62
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7aa887eae0af0f1f611cd5470ae6410746b8b196cc7ce3286c9c7e6a134f2df5.exe"C:\Users\Admin\AppData\Local\Temp\7aa887eae0af0f1f611cd5470ae6410746b8b196cc7ce3286c9c7e6a134f2df5.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\4602206.exec:\4602206.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrlfff.exec:\xrrlfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvj.exec:\dvpvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\44820.exec:\44820.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82068.exec:\82068.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26400.exec:\26400.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnnnn.exec:\htnnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\86646.exec:\86646.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\480648.exec:\480648.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddjp.exec:\jddjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjpp.exec:\vpjpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\806644.exec:\806644.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\00864.exec:\00864.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnnbt.exec:\nbnnbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i824624.exec:\i824624.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8268020.exec:\8268020.exe17⤵
- Executes dropped EXE
-
\??\c:\q86628.exec:\q86628.exe18⤵
- Executes dropped EXE
-
\??\c:\00468.exec:\00468.exe19⤵
- Executes dropped EXE
-
\??\c:\206086.exec:\206086.exe20⤵
- Executes dropped EXE
-
\??\c:\80884.exec:\80884.exe21⤵
- Executes dropped EXE
-
\??\c:\dvjvd.exec:\dvjvd.exe22⤵
- Executes dropped EXE
-
\??\c:\fxfflxx.exec:\fxfflxx.exe23⤵
- Executes dropped EXE
-
\??\c:\rfrrrxl.exec:\rfrrrxl.exe24⤵
- Executes dropped EXE
-
\??\c:\1fxrrlr.exec:\1fxrrlr.exe25⤵
- Executes dropped EXE
-
\??\c:\7rxlrfl.exec:\7rxlrfl.exe26⤵
- Executes dropped EXE
-
\??\c:\ddpvj.exec:\ddpvj.exe27⤵
- Executes dropped EXE
-
\??\c:\620062.exec:\620062.exe28⤵
- Executes dropped EXE
-
\??\c:\7pjpd.exec:\7pjpd.exe29⤵
- Executes dropped EXE
-
\??\c:\86484.exec:\86484.exe30⤵
- Executes dropped EXE
-
\??\c:\lllrflf.exec:\lllrflf.exe31⤵
- Executes dropped EXE
-
\??\c:\hbthhn.exec:\hbthhn.exe32⤵
- Executes dropped EXE
-
\??\c:\ffxrlfl.exec:\ffxrlfl.exe33⤵
- Executes dropped EXE
-
\??\c:\42884.exec:\42884.exe34⤵
- Executes dropped EXE
-
\??\c:\vjdvv.exec:\vjdvv.exe35⤵
- Executes dropped EXE
-
\??\c:\frxxlfr.exec:\frxxlfr.exe36⤵
- Executes dropped EXE
-
\??\c:\082648.exec:\082648.exe37⤵
- Executes dropped EXE
-
\??\c:\42068.exec:\42068.exe38⤵
- Executes dropped EXE
-
\??\c:\6466628.exec:\6466628.exe39⤵
- Executes dropped EXE
-
\??\c:\042806.exec:\042806.exe40⤵
- Executes dropped EXE
-
\??\c:\9tttbh.exec:\9tttbh.exe41⤵
- Executes dropped EXE
-
\??\c:\thnnnn.exec:\thnnnn.exe42⤵
- Executes dropped EXE
-
\??\c:\u248006.exec:\u248006.exe43⤵
- Executes dropped EXE
-
\??\c:\nhhbhh.exec:\nhhbhh.exe44⤵
- Executes dropped EXE
-
\??\c:\tnhhnn.exec:\tnhhnn.exe45⤵
- Executes dropped EXE
-
\??\c:\vjdvj.exec:\vjdvj.exe46⤵
- Executes dropped EXE
-
\??\c:\q02006.exec:\q02006.exe47⤵
- Executes dropped EXE
-
\??\c:\20240.exec:\20240.exe48⤵
- Executes dropped EXE
-
\??\c:\1nttbb.exec:\1nttbb.exe49⤵
- Executes dropped EXE
-
\??\c:\62480.exec:\62480.exe50⤵
- Executes dropped EXE
-
\??\c:\pjpvd.exec:\pjpvd.exe51⤵
- Executes dropped EXE
-
\??\c:\jdddd.exec:\jdddd.exe52⤵
- Executes dropped EXE
-
\??\c:\ddvdp.exec:\ddvdp.exe53⤵
- Executes dropped EXE
-
\??\c:\1dvvd.exec:\1dvvd.exe54⤵
- Executes dropped EXE
-
\??\c:\rrxxrrr.exec:\rrxxrrr.exe55⤵
- Executes dropped EXE
-
\??\c:\5fxxfff.exec:\5fxxfff.exe56⤵
- Executes dropped EXE
-
\??\c:\64400.exec:\64400.exe57⤵
- Executes dropped EXE
-
\??\c:\3lxlllx.exec:\3lxlllx.exe58⤵
- Executes dropped EXE
-
\??\c:\pdvjv.exec:\pdvjv.exe59⤵
- Executes dropped EXE
-
\??\c:\028282.exec:\028282.exe60⤵
- Executes dropped EXE
-
\??\c:\5lllrlx.exec:\5lllrlx.exe61⤵
- Executes dropped EXE
-
\??\c:\bbbbnn.exec:\bbbbnn.exe62⤵
- Executes dropped EXE
-
\??\c:\640004.exec:\640004.exe63⤵
- Executes dropped EXE
-
\??\c:\dvpdp.exec:\dvpdp.exe64⤵
- Executes dropped EXE
-
\??\c:\420082.exec:\420082.exe65⤵
- Executes dropped EXE
-
\??\c:\hbhbtn.exec:\hbhbtn.exe66⤵
-
\??\c:\88648.exec:\88648.exe67⤵
-
\??\c:\pdpjv.exec:\pdpjv.exe68⤵
-
\??\c:\nhnnnh.exec:\nhnnnh.exe69⤵
-
\??\c:\642282.exec:\642282.exe70⤵
-
\??\c:\0806888.exec:\0806888.exe71⤵
-
\??\c:\pdpvj.exec:\pdpvj.exe72⤵
-
\??\c:\08062.exec:\08062.exe73⤵
-
\??\c:\240482.exec:\240482.exe74⤵
-
\??\c:\u206082.exec:\u206082.exe75⤵
-
\??\c:\4248044.exec:\4248044.exe76⤵
-
\??\c:\5bhtbh.exec:\5bhtbh.exe77⤵
-
\??\c:\462406.exec:\462406.exe78⤵
-
\??\c:\rllxrrr.exec:\rllxrrr.exe79⤵
-
\??\c:\48002.exec:\48002.exe80⤵
-
\??\c:\2640044.exec:\2640044.exe81⤵
-
\??\c:\rfxflff.exec:\rfxflff.exe82⤵
-
\??\c:\640442.exec:\640442.exe83⤵
-
\??\c:\dpvjv.exec:\dpvjv.exe84⤵
-
\??\c:\rffflfl.exec:\rffflfl.exe85⤵
-
\??\c:\xrxfffl.exec:\xrxfffl.exe86⤵
-
\??\c:\9jddd.exec:\9jddd.exe87⤵
-
\??\c:\bhhnbh.exec:\bhhnbh.exe88⤵
-
\??\c:\04446.exec:\04446.exe89⤵
-
\??\c:\o282888.exec:\o282888.exe90⤵
-
\??\c:\428240.exec:\428240.exe91⤵
-
\??\c:\bnthnn.exec:\bnthnn.exe92⤵
-
\??\c:\82266.exec:\82266.exe93⤵
-
\??\c:\3bhhbb.exec:\3bhhbb.exe94⤵
-
\??\c:\7nbnth.exec:\7nbnth.exe95⤵
-
\??\c:\e80288.exec:\e80288.exe96⤵
-
\??\c:\208884.exec:\208884.exe97⤵
-
\??\c:\46266.exec:\46266.exe98⤵
-
\??\c:\hbhnbb.exec:\hbhnbb.exe99⤵
-
\??\c:\rfxrllr.exec:\rfxrllr.exe100⤵
-
\??\c:\w88428.exec:\w88428.exe101⤵
-
\??\c:\hbhhnn.exec:\hbhhnn.exe102⤵
-
\??\c:\fxfrxxf.exec:\fxfrxxf.exe103⤵
- System Location Discovery: System Language Discovery
-
\??\c:\080660.exec:\080660.exe104⤵
-
\??\c:\8628042.exec:\8628042.exe105⤵
-
\??\c:\9vppd.exec:\9vppd.exe106⤵
-
\??\c:\68642.exec:\68642.exe107⤵
-
\??\c:\80262.exec:\80262.exe108⤵
-
\??\c:\lflffxf.exec:\lflffxf.exe109⤵
-
\??\c:\e60020.exec:\e60020.exe110⤵
-
\??\c:\4240262.exec:\4240262.exe111⤵
-
\??\c:\64628.exec:\64628.exe112⤵
-
\??\c:\lfrflfl.exec:\lfrflfl.exe113⤵
-
\??\c:\i288844.exec:\i288844.exe114⤵
-
\??\c:\bhnntb.exec:\bhnntb.exe115⤵
-
\??\c:\dvvjp.exec:\dvvjp.exe116⤵
-
\??\c:\7tnnhh.exec:\7tnnhh.exe117⤵
-
\??\c:\5thhnn.exec:\5thhnn.exe118⤵
-
\??\c:\o422484.exec:\o422484.exe119⤵
-
\??\c:\08062.exec:\08062.exe120⤵
-
\??\c:\rffflff.exec:\rffflff.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-