Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25-11-2024 07:05
General
-
Target
7aa887eae0af0f1f611cd5470ae6410746b8b196cc7ce3286c9c7e6a134f2df5.exe
-
Size
72KB
-
MD5
c87b1e04cf065062e516255230eae513
-
SHA1
49b5ba4738560e18eee190d6f3bd3fdf9b7b6114
-
SHA256
7aa887eae0af0f1f611cd5470ae6410746b8b196cc7ce3286c9c7e6a134f2df5
-
SHA512
e32a94c83208f03c857d2a4898d190f974d2c068df14863dc738207d4587676f36165cbd0f29d6b2abd0ef10ff480f74ff0a937414d17faf35bf99fed24eaa34
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJUDbAIdiW65k:ymb3NkkiQ3mdBjFIFdJ8bViW62
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7aa887eae0af0f1f611cd5470ae6410746b8b196cc7ce3286c9c7e6a134f2df5.exe"C:\Users\Admin\AppData\Local\Temp\7aa887eae0af0f1f611cd5470ae6410746b8b196cc7ce3286c9c7e6a134f2df5.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\9bhtnt.exec:\9bhtnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrfrrrr.exec:\lrfrrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhhhh.exec:\tnhhhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvdv.exec:\pjvdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k02600.exec:\k02600.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfxxff.exec:\rrfxxff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntbbh.exec:\tntbbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjppe.exec:\jjppe.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8682026.exec:\8682026.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08028.exec:\08028.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\228840.exec:\228840.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\088020.exec:\088020.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6688822.exec:\6688822.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w28888.exec:\w28888.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\646828.exec:\646828.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllffxl.exec:\lllffxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnttt.exec:\hhnttt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlffff.exec:\xrlffff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\882222.exec:\882222.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04262.exec:\04262.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrflxll.exec:\rrflxll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\48008.exec:\48008.exe23⤵
- Executes dropped EXE
-
\??\c:\llxxffr.exec:\llxxffr.exe24⤵
- Executes dropped EXE
-
\??\c:\nnnnhn.exec:\nnnnhn.exe25⤵
- Executes dropped EXE
-
\??\c:\g8882.exec:\g8882.exe26⤵
- Executes dropped EXE
-
\??\c:\3bbtnh.exec:\3bbtnh.exe27⤵
- Executes dropped EXE
-
\??\c:\680208.exec:\680208.exe28⤵
- Executes dropped EXE
-
\??\c:\20226.exec:\20226.exe29⤵
- Executes dropped EXE
-
\??\c:\a4022.exec:\a4022.exe30⤵
- Executes dropped EXE
-
\??\c:\dppjd.exec:\dppjd.exe31⤵
- Executes dropped EXE
-
\??\c:\c004888.exec:\c004888.exe32⤵
- Executes dropped EXE
-
\??\c:\tbnntt.exec:\tbnntt.exe33⤵
- Executes dropped EXE
-
\??\c:\20224.exec:\20224.exe34⤵
- Executes dropped EXE
-
\??\c:\xlrrllf.exec:\xlrrllf.exe35⤵
- Executes dropped EXE
-
\??\c:\e46004.exec:\e46004.exe36⤵
- Executes dropped EXE
-
\??\c:\84840.exec:\84840.exe37⤵
- Executes dropped EXE
-
\??\c:\nhhhbb.exec:\nhhhbb.exe38⤵
- Executes dropped EXE
-
\??\c:\242486.exec:\242486.exe39⤵
- Executes dropped EXE
-
\??\c:\0422480.exec:\0422480.exe40⤵
- Executes dropped EXE
-
\??\c:\jjvvd.exec:\jjvvd.exe41⤵
- Executes dropped EXE
-
\??\c:\622042.exec:\622042.exe42⤵
- Executes dropped EXE
-
\??\c:\i066088.exec:\i066088.exe43⤵
- Executes dropped EXE
-
\??\c:\5xlxrrr.exec:\5xlxrrr.exe44⤵
- Executes dropped EXE
-
\??\c:\vvvvv.exec:\vvvvv.exe45⤵
- Executes dropped EXE
-
\??\c:\42482.exec:\42482.exe46⤵
- Executes dropped EXE
-
\??\c:\880428.exec:\880428.exe47⤵
- Executes dropped EXE
-
\??\c:\vdjpj.exec:\vdjpj.exe48⤵
- Executes dropped EXE
-
\??\c:\86826.exec:\86826.exe49⤵
- Executes dropped EXE
-
\??\c:\06626.exec:\06626.exe50⤵
- Executes dropped EXE
-
\??\c:\7hbttb.exec:\7hbttb.exe51⤵
- Executes dropped EXE
-
\??\c:\880004.exec:\880004.exe52⤵
- Executes dropped EXE
-
\??\c:\9rlfxxx.exec:\9rlfxxx.exe53⤵
- Executes dropped EXE
-
\??\c:\c200880.exec:\c200880.exe54⤵
- Executes dropped EXE
-
\??\c:\llllflf.exec:\llllflf.exe55⤵
- Executes dropped EXE
-
\??\c:\1tntht.exec:\1tntht.exe56⤵
- Executes dropped EXE
-
\??\c:\640044.exec:\640044.exe57⤵
- Executes dropped EXE
-
\??\c:\4622066.exec:\4622066.exe58⤵
- Executes dropped EXE
-
\??\c:\1djjj.exec:\1djjj.exe59⤵
- Executes dropped EXE
-
\??\c:\60000.exec:\60000.exe60⤵
- Executes dropped EXE
-
\??\c:\44600.exec:\44600.exe61⤵
- Executes dropped EXE
-
\??\c:\vjddv.exec:\vjddv.exe62⤵
- Executes dropped EXE
-
\??\c:\rlxxlll.exec:\rlxxlll.exe63⤵
- Executes dropped EXE
-
\??\c:\264040.exec:\264040.exe64⤵
- Executes dropped EXE
-
\??\c:\rxrlfrr.exec:\rxrlfrr.exe65⤵
- Executes dropped EXE
-
\??\c:\k02222.exec:\k02222.exe66⤵
-
\??\c:\ddvdv.exec:\ddvdv.exe67⤵
-
\??\c:\08844.exec:\08844.exe68⤵
-
\??\c:\fffxrrr.exec:\fffxrrr.exe69⤵
-
\??\c:\7rlffll.exec:\7rlffll.exe70⤵
-
\??\c:\082884.exec:\082884.exe71⤵
-
\??\c:\406044.exec:\406044.exe72⤵
-
\??\c:\5hnhnn.exec:\5hnhnn.exe73⤵
-
\??\c:\vvpjj.exec:\vvpjj.exe74⤵
-
\??\c:\e02820.exec:\e02820.exe75⤵
-
\??\c:\rrfxllr.exec:\rrfxllr.exe76⤵
-
\??\c:\xfxllrx.exec:\xfxllrx.exe77⤵
-
\??\c:\frxfffx.exec:\frxfffx.exe78⤵
-
\??\c:\020444.exec:\020444.exe79⤵
-
\??\c:\jjddv.exec:\jjddv.exe80⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nnbhnn.exec:\nnbhnn.exe81⤵
-
\??\c:\q82228.exec:\q82228.exe82⤵
-
\??\c:\bnttnn.exec:\bnttnn.exe83⤵
-
\??\c:\1ddpp.exec:\1ddpp.exe84⤵
-
\??\c:\662068.exec:\662068.exe85⤵
-
\??\c:\4404804.exec:\4404804.exe86⤵
-
\??\c:\jpjvv.exec:\jpjvv.exe87⤵
-
\??\c:\ttttnn.exec:\ttttnn.exe88⤵
-
\??\c:\8644008.exec:\8644008.exe89⤵
-
\??\c:\jpvvj.exec:\jpvvj.exe90⤵
-
\??\c:\s4000.exec:\s4000.exe91⤵
-
\??\c:\djvpj.exec:\djvpj.exe92⤵
-
\??\c:\e64404.exec:\e64404.exe93⤵
-
\??\c:\868266.exec:\868266.exe94⤵
-
\??\c:\jjjdv.exec:\jjjdv.exe95⤵
-
\??\c:\266600.exec:\266600.exe96⤵
-
\??\c:\5hhbtt.exec:\5hhbtt.exe97⤵
-
\??\c:\bhtthn.exec:\bhtthn.exe98⤵
-
\??\c:\620864.exec:\620864.exe99⤵
-
\??\c:\884828.exec:\884828.exe100⤵
-
\??\c:\bbhhbb.exec:\bbhhbb.exe101⤵
-
\??\c:\42480.exec:\42480.exe102⤵
-
\??\c:\0626082.exec:\0626082.exe103⤵
-
\??\c:\620066.exec:\620066.exe104⤵
-
\??\c:\5rrrlll.exec:\5rrrlll.exe105⤵
-
\??\c:\nhtbht.exec:\nhtbht.exe106⤵
-
\??\c:\40886.exec:\40886.exe107⤵
-
\??\c:\42400.exec:\42400.exe108⤵
-
\??\c:\02222.exec:\02222.exe109⤵
-
\??\c:\xlxrllf.exec:\xlxrllf.exe110⤵
-
\??\c:\hnbnht.exec:\hnbnht.exe111⤵
-
\??\c:\68622.exec:\68622.exe112⤵
-
\??\c:\8662424.exec:\8662424.exe113⤵
-
\??\c:\htnnhh.exec:\htnnhh.exe114⤵
-
\??\c:\02444.exec:\02444.exe115⤵
-
\??\c:\dvjdp.exec:\dvjdp.exe116⤵
-
\??\c:\xxlxxxl.exec:\xxlxxxl.exe117⤵
-
\??\c:\tnhhbb.exec:\tnhhbb.exe118⤵
-
\??\c:\i600668.exec:\i600668.exe119⤵
-
\??\c:\pvvvd.exec:\pvvvd.exe120⤵
-
\??\c:\nbtbtt.exec:\nbtbtt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-