Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
25/11/2024, 21:02
General
-
Target
7c73713c04794c2ada14572eb827eb860271fd97072e2da26149adeb73f01d93.exe
-
Size
73KB
-
MD5
e4a5bd15c9cbb756785f9e65f591d4d8
-
SHA1
397859f6caaec0b042e7e090f47bbee9e2c35744
-
SHA256
7c73713c04794c2ada14572eb827eb860271fd97072e2da26149adeb73f01d93
-
SHA512
96b02efe4f239cdb198446b2bf2fb7f4c96e005d625964ec84cba507f6371b9cce67bec4b90366b0c91d75bcb1d2db614fab15f1967b941bd8f140da63f37c52
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJUDbAIdiW65V:ymb3NkkiQ3mdBjFIFdJ8bViW6L
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c73713c04794c2ada14572eb827eb860271fd97072e2da26149adeb73f01d93.exe"C:\Users\Admin\AppData\Local\Temp\7c73713c04794c2ada14572eb827eb860271fd97072e2da26149adeb73f01d93.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rlffllx.exec:\rlffllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbbht.exec:\nbbbht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvppd.exec:\dvppd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfrrxl.exec:\lxfrrxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ntbbh.exec:\5ntbbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddvv.exec:\dddvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lrfrxf.exec:\7lrfrxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbnbh.exec:\nnbnbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhttt.exec:\nbhttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvvp.exec:\jvvvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxxfll.exec:\xrxxfll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflxlrl.exec:\xflxlrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhhtt.exec:\tnhhtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3djjp.exec:\3djjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrrxfr.exec:\rlrrxfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lflrlx.exec:\3lflrlx.exe17⤵
- Executes dropped EXE
-
\??\c:\hbbbbh.exec:\hbbbbh.exe18⤵
- Executes dropped EXE
-
\??\c:\5nttbn.exec:\5nttbn.exe19⤵
- Executes dropped EXE
-
\??\c:\3dvdj.exec:\3dvdj.exe20⤵
- Executes dropped EXE
-
\??\c:\flfflrf.exec:\flfflrf.exe21⤵
- Executes dropped EXE
-
\??\c:\rlxrrlr.exec:\rlxrrlr.exe22⤵
- Executes dropped EXE
-
\??\c:\nhbhtt.exec:\nhbhtt.exe23⤵
- Executes dropped EXE
-
\??\c:\vdppp.exec:\vdppp.exe24⤵
- Executes dropped EXE
-
\??\c:\5dpdd.exec:\5dpdd.exe25⤵
- Executes dropped EXE
-
\??\c:\xlxlrlr.exec:\xlxlrlr.exe26⤵
- Executes dropped EXE
-
\??\c:\7thttt.exec:\7thttt.exe27⤵
- Executes dropped EXE
-
\??\c:\dpdpd.exec:\dpdpd.exe28⤵
- Executes dropped EXE
-
\??\c:\fxrfrxl.exec:\fxrfrxl.exe29⤵
- Executes dropped EXE
-
\??\c:\bthnbb.exec:\bthnbb.exe30⤵
- Executes dropped EXE
-
\??\c:\nhtthh.exec:\nhtthh.exe31⤵
- Executes dropped EXE
-
\??\c:\jpjjv.exec:\jpjjv.exe32⤵
- Executes dropped EXE
-
\??\c:\llfxxfl.exec:\llfxxfl.exe33⤵
- Executes dropped EXE
-
\??\c:\7lffxxl.exec:\7lffxxl.exe34⤵
- Executes dropped EXE
-
\??\c:\thtbhb.exec:\thtbhb.exe35⤵
- Executes dropped EXE
-
\??\c:\ddvvp.exec:\ddvvp.exe36⤵
- Executes dropped EXE
-
\??\c:\7rflrrx.exec:\7rflrrx.exe37⤵
- Executes dropped EXE
-
\??\c:\7bnbhh.exec:\7bnbhh.exe38⤵
- Executes dropped EXE
-
\??\c:\nbhhtt.exec:\nbhhtt.exe39⤵
- Executes dropped EXE
-
\??\c:\pvddd.exec:\pvddd.exe40⤵
- Executes dropped EXE
-
\??\c:\lflrffl.exec:\lflrffl.exe41⤵
- Executes dropped EXE
-
\??\c:\tnbttb.exec:\tnbttb.exe42⤵
- Executes dropped EXE
-
\??\c:\nhhnbb.exec:\nhhnbb.exe43⤵
- Executes dropped EXE
-
\??\c:\pjdjd.exec:\pjdjd.exe44⤵
- Executes dropped EXE
-
\??\c:\ddpdv.exec:\ddpdv.exe45⤵
- Executes dropped EXE
-
\??\c:\lfrllll.exec:\lfrllll.exe46⤵
- Executes dropped EXE
-
\??\c:\hntbbb.exec:\hntbbb.exe47⤵
- Executes dropped EXE
-
\??\c:\tnthhh.exec:\tnthhh.exe48⤵
- Executes dropped EXE
-
\??\c:\dpvpv.exec:\dpvpv.exe49⤵
- Executes dropped EXE
-
\??\c:\pjvpv.exec:\pjvpv.exe50⤵
- Executes dropped EXE
-
\??\c:\rxffffx.exec:\rxffffx.exe51⤵
- Executes dropped EXE
-
\??\c:\tthnnt.exec:\tthnnt.exe52⤵
- Executes dropped EXE
-
\??\c:\bnnbbt.exec:\bnnbbt.exe53⤵
- Executes dropped EXE
-
\??\c:\vdpvp.exec:\vdpvp.exe54⤵
- Executes dropped EXE
-
\??\c:\vvdjd.exec:\vvdjd.exe55⤵
- Executes dropped EXE
-
\??\c:\lrfrrlr.exec:\lrfrrlr.exe56⤵
- Executes dropped EXE
-
\??\c:\fxffxxf.exec:\fxffxxf.exe57⤵
- Executes dropped EXE
-
\??\c:\nbhntb.exec:\nbhntb.exe58⤵
- Executes dropped EXE
-
\??\c:\hnnbth.exec:\hnnbth.exe59⤵
- Executes dropped EXE
-
\??\c:\pdvpd.exec:\pdvpd.exe60⤵
- Executes dropped EXE
-
\??\c:\jpjpj.exec:\jpjpj.exe61⤵
- Executes dropped EXE
-
\??\c:\rfrfxfr.exec:\rfrfxfr.exe62⤵
- Executes dropped EXE
-
\??\c:\rffflff.exec:\rffflff.exe63⤵
- Executes dropped EXE
-
\??\c:\ththbt.exec:\ththbt.exe64⤵
- Executes dropped EXE
-
\??\c:\pvjpj.exec:\pvjpj.exe65⤵
- Executes dropped EXE
-
\??\c:\dpppp.exec:\dpppp.exe66⤵
-
\??\c:\1lrlfxf.exec:\1lrlfxf.exe67⤵
-
\??\c:\rflrrxx.exec:\rflrrxx.exe68⤵
-
\??\c:\3ttntt.exec:\3ttntt.exe69⤵
-
\??\c:\5tnttt.exec:\5tnttt.exe70⤵
-
\??\c:\vpdpv.exec:\vpdpv.exe71⤵
-
\??\c:\dvdjv.exec:\dvdjv.exe72⤵
-
\??\c:\rrrfxlx.exec:\rrrfxlx.exe73⤵
-
\??\c:\nhbhtt.exec:\nhbhtt.exe74⤵
-
\??\c:\3bbtbh.exec:\3bbtbh.exe75⤵
-
\??\c:\jvvjd.exec:\jvvjd.exe76⤵
-
\??\c:\7flrxxf.exec:\7flrxxf.exe77⤵
-
\??\c:\xrfxflr.exec:\xrfxflr.exe78⤵
-
\??\c:\btthtt.exec:\btthtt.exe79⤵
-
\??\c:\jvjjp.exec:\jvjjp.exe80⤵
-
\??\c:\vdpjv.exec:\vdpjv.exe81⤵
-
\??\c:\rrlxfxf.exec:\rrlxfxf.exe82⤵
-
\??\c:\5lxfffr.exec:\5lxfffr.exe83⤵
-
\??\c:\3tnnbb.exec:\3tnnbb.exe84⤵
-
\??\c:\hhtbtb.exec:\hhtbtb.exe85⤵
-
\??\c:\ddjjj.exec:\ddjjj.exe86⤵
-
\??\c:\pjvvp.exec:\pjvvp.exe87⤵
-
\??\c:\rxflxxf.exec:\rxflxxf.exe88⤵
-
\??\c:\rlrrffl.exec:\rlrrffl.exe89⤵
-
\??\c:\hthhnt.exec:\hthhnt.exe90⤵
-
\??\c:\vvdvd.exec:\vvdvd.exe91⤵
-
\??\c:\vvdpv.exec:\vvdpv.exe92⤵
-
\??\c:\lrxlfll.exec:\lrxlfll.exe93⤵
-
\??\c:\1xlrrlr.exec:\1xlrrlr.exe94⤵
-
\??\c:\nbnnth.exec:\nbnnth.exe95⤵
-
\??\c:\nbbhbt.exec:\nbbhbt.exe96⤵
-
\??\c:\dpdjv.exec:\dpdjv.exe97⤵
-
\??\c:\9fxflxf.exec:\9fxflxf.exe98⤵
-
\??\c:\xrfrfxl.exec:\xrfrfxl.exe99⤵
-
\??\c:\3hbtth.exec:\3hbtth.exe100⤵
-
\??\c:\5nbhnn.exec:\5nbhnn.exe101⤵
-
\??\c:\dppjp.exec:\dppjp.exe102⤵
-
\??\c:\xfrrxrf.exec:\xfrrxrf.exe103⤵
-
\??\c:\rfrxxxx.exec:\rfrxxxx.exe104⤵
-
\??\c:\5hnthb.exec:\5hnthb.exe105⤵
-
\??\c:\3hthhh.exec:\3hthhh.exe106⤵
-
\??\c:\pddjp.exec:\pddjp.exe107⤵
-
\??\c:\3rxrrfr.exec:\3rxrrfr.exe108⤵
-
\??\c:\rlxxffr.exec:\rlxxffr.exe109⤵
-
\??\c:\lflfllx.exec:\lflfllx.exe110⤵
-
\??\c:\tbbnhb.exec:\tbbnhb.exe111⤵
-
\??\c:\5xxflrx.exec:\5xxflrx.exe112⤵
-
\??\c:\9rlxffr.exec:\9rlxffr.exe113⤵
-
\??\c:\nhbhhh.exec:\nhbhhh.exe114⤵
-
\??\c:\djjpj.exec:\djjpj.exe115⤵
-
\??\c:\jdvdj.exec:\jdvdj.exe116⤵
-
\??\c:\xxxrlxl.exec:\xxxrlxl.exe117⤵
-
\??\c:\thtbhb.exec:\thtbhb.exe118⤵
-
\??\c:\7hhbtb.exec:\7hhbtb.exe119⤵
-
\??\c:\5jdjv.exec:\5jdjv.exe120⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-