Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
25-11-2024 08:09
General
-
Target
587856e04c5cb030aff137f3fbc4c4d093436c464fd1bb6f8e91336954aeea0cN.exe
-
Size
64KB
-
MD5
5a092aba06b25a3bab39707b9cb8f740
-
SHA1
191c9d682e8d8e303c9db4ffbccb2f97b54509ae
-
SHA256
587856e04c5cb030aff137f3fbc4c4d093436c464fd1bb6f8e91336954aeea0c
-
SHA512
4e98927577990c35071ea71c9d8bf07748c26a822356d2ca06973ddca1c36bc0bc6e3ea0569428d6c097de8eace5f2832198ee5c5ff750f1638539ba284c3c26
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIrmCeRMBW9:ymb3NkkiQ3mdBjFIjeu0
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\587856e04c5cb030aff137f3fbc4c4d093436c464fd1bb6f8e91336954aeea0cN.exe"C:\Users\Admin\AppData\Local\Temp\587856e04c5cb030aff137f3fbc4c4d093436c464fd1bb6f8e91336954aeea0cN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bthhtt.exec:\bthhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhntb.exec:\bbhntb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k24844.exec:\k24844.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o462440.exec:\o462440.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\008842.exec:\008842.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppv.exec:\vpppv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0280600.exec:\0280600.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxxllr.exec:\frxxllr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxfrrx.exec:\xrxfrrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\004442.exec:\004442.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbttt.exec:\ntbttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntttb.exec:\bntttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\488620.exec:\488620.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k68400.exec:\k68400.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a8484.exec:\a8484.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\48628.exec:\48628.exe17⤵
- Executes dropped EXE
-
\??\c:\64802.exec:\64802.exe18⤵
- Executes dropped EXE
-
\??\c:\9djpp.exec:\9djpp.exe19⤵
- Executes dropped EXE
-
\??\c:\s4688.exec:\s4688.exe20⤵
- Executes dropped EXE
-
\??\c:\hthbbb.exec:\hthbbb.exe21⤵
- Executes dropped EXE
-
\??\c:\c886224.exec:\c886224.exe22⤵
- Executes dropped EXE
-
\??\c:\g8668.exec:\g8668.exe23⤵
- Executes dropped EXE
-
\??\c:\dvjjp.exec:\dvjjp.exe24⤵
- Executes dropped EXE
-
\??\c:\vvvvv.exec:\vvvvv.exe25⤵
- Executes dropped EXE
-
\??\c:\686666.exec:\686666.exe26⤵
- Executes dropped EXE
-
\??\c:\004646.exec:\004646.exe27⤵
- Executes dropped EXE
-
\??\c:\o628484.exec:\o628484.exe28⤵
- Executes dropped EXE
-
\??\c:\o828040.exec:\o828040.exe29⤵
- Executes dropped EXE
-
\??\c:\ttbhht.exec:\ttbhht.exe30⤵
- Executes dropped EXE
-
\??\c:\5rfxxxf.exec:\5rfxxxf.exe31⤵
- Executes dropped EXE
-
\??\c:\m0666.exec:\m0666.exe32⤵
- Executes dropped EXE
-
\??\c:\080666.exec:\080666.exe33⤵
- Executes dropped EXE
-
\??\c:\dvppj.exec:\dvppj.exe34⤵
- Executes dropped EXE
-
\??\c:\9fllfxl.exec:\9fllfxl.exe35⤵
- Executes dropped EXE
-
\??\c:\bnnntt.exec:\bnnntt.exe36⤵
- Executes dropped EXE
-
\??\c:\fxxfllr.exec:\fxxfllr.exe37⤵
- Executes dropped EXE
-
\??\c:\jvddd.exec:\jvddd.exe38⤵
- Executes dropped EXE
-
\??\c:\600048.exec:\600048.exe39⤵
- Executes dropped EXE
-
\??\c:\jdpjv.exec:\jdpjv.exe40⤵
- Executes dropped EXE
-
\??\c:\bthbhn.exec:\bthbhn.exe41⤵
- Executes dropped EXE
-
\??\c:\820682.exec:\820682.exe42⤵
- Executes dropped EXE
-
\??\c:\08228.exec:\08228.exe43⤵
- Executes dropped EXE
-
\??\c:\7lfxxrx.exec:\7lfxxrx.exe44⤵
- Executes dropped EXE
-
\??\c:\lrrlfrx.exec:\lrrlfrx.exe45⤵
- Executes dropped EXE
-
\??\c:\vjpjj.exec:\vjpjj.exe46⤵
- Executes dropped EXE
-
\??\c:\246826.exec:\246826.exe47⤵
- Executes dropped EXE
-
\??\c:\vjvpv.exec:\vjvpv.exe48⤵
- Executes dropped EXE
-
\??\c:\xrfxrll.exec:\xrfxrll.exe49⤵
- Executes dropped EXE
-
\??\c:\tnnnbh.exec:\tnnnbh.exe50⤵
- Executes dropped EXE
-
\??\c:\s6844.exec:\s6844.exe51⤵
- Executes dropped EXE
-
\??\c:\64440.exec:\64440.exe52⤵
- Executes dropped EXE
-
\??\c:\vdjjd.exec:\vdjjd.exe53⤵
- Executes dropped EXE
-
\??\c:\hbhhnh.exec:\hbhhnh.exe54⤵
- Executes dropped EXE
-
\??\c:\pdddv.exec:\pdddv.exe55⤵
- Executes dropped EXE
-
\??\c:\64666.exec:\64666.exe56⤵
- Executes dropped EXE
-
\??\c:\6844488.exec:\6844488.exe57⤵
- Executes dropped EXE
-
\??\c:\1jvpp.exec:\1jvpp.exe58⤵
- Executes dropped EXE
-
\??\c:\rfxxlll.exec:\rfxxlll.exe59⤵
- Executes dropped EXE
-
\??\c:\dpdvp.exec:\dpdvp.exe60⤵
- Executes dropped EXE
-
\??\c:\djppp.exec:\djppp.exe61⤵
- Executes dropped EXE
-
\??\c:\8600242.exec:\8600242.exe62⤵
- Executes dropped EXE
-
\??\c:\jdvvv.exec:\jdvvv.exe63⤵
- Executes dropped EXE
-
\??\c:\3jvpp.exec:\3jvpp.exe64⤵
- Executes dropped EXE
-
\??\c:\pjjdp.exec:\pjjdp.exe65⤵
- Executes dropped EXE
-
\??\c:\nbnbbn.exec:\nbnbbn.exe66⤵
-
\??\c:\o244446.exec:\o244446.exe67⤵
-
\??\c:\k84404.exec:\k84404.exe68⤵
-
\??\c:\640688.exec:\640688.exe69⤵
-
\??\c:\dvjpd.exec:\dvjpd.exe70⤵
-
\??\c:\m0286.exec:\m0286.exe71⤵
-
\??\c:\26822.exec:\26822.exe72⤵
-
\??\c:\208444.exec:\208444.exe73⤵
-
\??\c:\w42628.exec:\w42628.exe74⤵
-
\??\c:\8680628.exec:\8680628.exe75⤵
-
\??\c:\7jpdj.exec:\7jpdj.exe76⤵
-
\??\c:\e82462.exec:\e82462.exe77⤵
-
\??\c:\fxxlfff.exec:\fxxlfff.exe78⤵
-
\??\c:\64402.exec:\64402.exe79⤵
-
\??\c:\rlrxxxx.exec:\rlrxxxx.exe80⤵
-
\??\c:\20280.exec:\20280.exe81⤵
-
\??\c:\frrrxrx.exec:\frrrxrx.exe82⤵
-
\??\c:\1pjpv.exec:\1pjpv.exe83⤵
-
\??\c:\s2444.exec:\s2444.exe84⤵
-
\??\c:\pjpvj.exec:\pjpvj.exe85⤵
-
\??\c:\20040.exec:\20040.exe86⤵
-
\??\c:\1hbbhh.exec:\1hbbhh.exe87⤵
- System Location Discovery: System Language Discovery
-
\??\c:\64028.exec:\64028.exe88⤵
-
\??\c:\82424.exec:\82424.exe89⤵
-
\??\c:\5thbhb.exec:\5thbhb.exe90⤵
-
\??\c:\9tnhnn.exec:\9tnhnn.exe91⤵
-
\??\c:\frffllf.exec:\frffllf.exe92⤵
-
\??\c:\244444.exec:\244444.exe93⤵
-
\??\c:\m0228.exec:\m0228.exe94⤵
-
\??\c:\420244.exec:\420244.exe95⤵
-
\??\c:\jvdpp.exec:\jvdpp.exe96⤵
-
\??\c:\46888.exec:\46888.exe97⤵
-
\??\c:\rxffxrr.exec:\rxffxrr.exe98⤵
-
\??\c:\9vdpp.exec:\9vdpp.exe99⤵
-
\??\c:\bnhnnn.exec:\bnhnnn.exe100⤵
-
\??\c:\2048822.exec:\2048822.exe101⤵
-
\??\c:\xrrlrrr.exec:\xrrlrrr.exe102⤵
-
\??\c:\462248.exec:\462248.exe103⤵
-
\??\c:\4848822.exec:\4848822.exe104⤵
-
\??\c:\vjpdd.exec:\vjpdd.exe105⤵
-
\??\c:\684442.exec:\684442.exe106⤵
-
\??\c:\7ppjj.exec:\7ppjj.exe107⤵
-
\??\c:\dvjvv.exec:\dvjvv.exe108⤵
-
\??\c:\k06660.exec:\k06660.exe109⤵
- System Location Discovery: System Language Discovery
-
\??\c:\o648044.exec:\o648044.exe110⤵
-
\??\c:\4240228.exec:\4240228.exe111⤵
-
\??\c:\m6888.exec:\m6888.exe112⤵
-
\??\c:\lrrrxrr.exec:\lrrrxrr.exe113⤵
-
\??\c:\5dpvj.exec:\5dpvj.exe114⤵
-
\??\c:\68828.exec:\68828.exe115⤵
-
\??\c:\g0226.exec:\g0226.exe116⤵
-
\??\c:\jjppj.exec:\jjppj.exe117⤵
-
\??\c:\206626.exec:\206626.exe118⤵
-
\??\c:\8062482.exec:\8062482.exe119⤵
-
\??\c:\q46660.exec:\q46660.exe120⤵
-
\??\c:\6840200.exec:\6840200.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-