Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
30-11-2024 05:13
General
-
Target
eefa5b53fceff1cf1207bdfbdf03e4f7060b721ab07b4259d748e6acc1ced1fd.exe
-
Size
105KB
-
MD5
a4c210bbb97e01caf3f428a3d44172f2
-
SHA1
fc9e2a416cb8a26622e3c668c7c0f4af265498bc
-
SHA256
eefa5b53fceff1cf1207bdfbdf03e4f7060b721ab07b4259d748e6acc1ced1fd
-
SHA512
cf790335aa1841a2f216a00ab39d09b034d7bc005e235d324b4179f1ac743f75cea7353e7974c7d0e11614ba1a39d376b92b3b46f5920ef1c77daca9f8dff610
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73tvn+Yp99zm+/KZBHq82PC1:n3C9BRo7tvnJ99T/KZE891
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eefa5b53fceff1cf1207bdfbdf03e4f7060b721ab07b4259d748e6acc1ced1fd.exe"C:\Users\Admin\AppData\Local\Temp\eefa5b53fceff1cf1207bdfbdf03e4f7060b721ab07b4259d748e6acc1ced1fd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpvj.exec:\jdpvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjjp.exec:\vvjjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lxxxxf.exec:\7lxxxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxflrxl.exec:\fxflrxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3btbnt.exec:\3btbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhntbt.exec:\bhntbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddpp.exec:\dddpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xrrffr.exec:\1xrrffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbnb.exec:\btbbnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppp.exec:\vjppp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxllxfl.exec:\lxllxfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfxrxf.exec:\xlfxrxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhttnt.exec:\nhttnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthntb.exec:\hthntb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvpd.exec:\vjvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrxrx.exec:\frxrxrx.exe17⤵
- Executes dropped EXE
-
\??\c:\3fxfrrf.exec:\3fxfrrf.exe18⤵
- Executes dropped EXE
-
\??\c:\bnbhhb.exec:\bnbhhb.exe19⤵
- Executes dropped EXE
-
\??\c:\nbhnhn.exec:\nbhnhn.exe20⤵
- Executes dropped EXE
-
\??\c:\1jjvj.exec:\1jjvj.exe21⤵
- Executes dropped EXE
-
\??\c:\5pppv.exec:\5pppv.exe22⤵
- Executes dropped EXE
-
\??\c:\1xrrxff.exec:\1xrrxff.exe23⤵
- Executes dropped EXE
-
\??\c:\thnntn.exec:\thnntn.exe24⤵
- Executes dropped EXE
-
\??\c:\tntbhn.exec:\tntbhn.exe25⤵
- Executes dropped EXE
-
\??\c:\vjvvv.exec:\vjvvv.exe26⤵
- Executes dropped EXE
-
\??\c:\pjddp.exec:\pjddp.exe27⤵
- Executes dropped EXE
-
\??\c:\fxllrxl.exec:\fxllrxl.exe28⤵
- Executes dropped EXE
-
\??\c:\3hbbhh.exec:\3hbbhh.exe29⤵
- Executes dropped EXE
-
\??\c:\pjpdv.exec:\pjpdv.exe30⤵
- Executes dropped EXE
-
\??\c:\ddvjv.exec:\ddvjv.exe31⤵
- Executes dropped EXE
-
\??\c:\rfffxfr.exec:\rfffxfr.exe32⤵
- Executes dropped EXE
-
\??\c:\rlrrxxl.exec:\rlrrxxl.exe33⤵
- Executes dropped EXE
-
\??\c:\nnhbbn.exec:\nnhbbn.exe34⤵
- Executes dropped EXE
-
\??\c:\bbbhtt.exec:\bbbhtt.exe35⤵
- Executes dropped EXE
-
\??\c:\jjvjp.exec:\jjvjp.exe36⤵
- Executes dropped EXE
-
\??\c:\1dppp.exec:\1dppp.exe37⤵
- Executes dropped EXE
-
\??\c:\xrfxlrf.exec:\xrfxlrf.exe38⤵
- Executes dropped EXE
-
\??\c:\llxfllr.exec:\llxfllr.exe39⤵
- Executes dropped EXE
-
\??\c:\9htbhh.exec:\9htbhh.exe40⤵
- Executes dropped EXE
-
\??\c:\1nhhnn.exec:\1nhhnn.exe41⤵
- Executes dropped EXE
-
\??\c:\vpvjp.exec:\vpvjp.exe42⤵
- Executes dropped EXE
-
\??\c:\ddvpj.exec:\ddvpj.exe43⤵
- Executes dropped EXE
-
\??\c:\9rxfffr.exec:\9rxfffr.exe44⤵
- Executes dropped EXE
-
\??\c:\lfrxrxf.exec:\lfrxrxf.exe45⤵
- Executes dropped EXE
-
\??\c:\9ntbhh.exec:\9ntbhh.exe46⤵
- Executes dropped EXE
-
\??\c:\7bnnbb.exec:\7bnnbb.exe47⤵
- Executes dropped EXE
-
\??\c:\nnbbnt.exec:\nnbbnt.exe48⤵
- Executes dropped EXE
-
\??\c:\jjvjv.exec:\jjvjv.exe49⤵
- Executes dropped EXE
-
\??\c:\jdvvp.exec:\jdvvp.exe50⤵
- Executes dropped EXE
-
\??\c:\9frflrr.exec:\9frflrr.exe51⤵
- Executes dropped EXE
-
\??\c:\xlxxffx.exec:\xlxxffx.exe52⤵
- Executes dropped EXE
-
\??\c:\tnnbnt.exec:\tnnbnt.exe53⤵
- Executes dropped EXE
-
\??\c:\nhntbh.exec:\nhntbh.exe54⤵
- Executes dropped EXE
-
\??\c:\1dddp.exec:\1dddp.exe55⤵
- Executes dropped EXE
-
\??\c:\dvdjv.exec:\dvdjv.exe56⤵
- Executes dropped EXE
-
\??\c:\9frlffl.exec:\9frlffl.exe57⤵
- Executes dropped EXE
-
\??\c:\xrfrflx.exec:\xrfrflx.exe58⤵
- Executes dropped EXE
-
\??\c:\tnnbnt.exec:\tnnbnt.exe59⤵
- Executes dropped EXE
-
\??\c:\7bntbb.exec:\7bntbb.exe60⤵
- Executes dropped EXE
-
\??\c:\7bntbb.exec:\7bntbb.exe61⤵
- Executes dropped EXE
-
\??\c:\dpjjd.exec:\dpjjd.exe62⤵
- Executes dropped EXE
-
\??\c:\vpdpj.exec:\vpdpj.exe63⤵
- Executes dropped EXE
-
\??\c:\frrfxlf.exec:\frrfxlf.exe64⤵
- Executes dropped EXE
-
\??\c:\rlrxxlr.exec:\rlrxxlr.exe65⤵
- Executes dropped EXE
-
\??\c:\rlxxxxf.exec:\rlxxxxf.exe66⤵
-
\??\c:\hthnbb.exec:\hthnbb.exe67⤵
-
\??\c:\5bhhhh.exec:\5bhhhh.exe68⤵
-
\??\c:\jdddv.exec:\jdddv.exe69⤵
-
\??\c:\3vjdj.exec:\3vjdj.exe70⤵
-
\??\c:\5xrrlrf.exec:\5xrrlrf.exe71⤵
-
\??\c:\flrxrfl.exec:\flrxrfl.exe72⤵
-
\??\c:\thtbnt.exec:\thtbnt.exe73⤵
-
\??\c:\bnthth.exec:\bnthth.exe74⤵
-
\??\c:\hbhnbb.exec:\hbhnbb.exe75⤵
-
\??\c:\pjpvd.exec:\pjpvd.exe76⤵
-
\??\c:\1jjpv.exec:\1jjpv.exe77⤵
-
\??\c:\fxfrrxf.exec:\fxfrrxf.exe78⤵
-
\??\c:\rrllrfl.exec:\rrllrfl.exe79⤵
-
\??\c:\rfrxxff.exec:\rfrxxff.exe80⤵
-
\??\c:\1ntbhh.exec:\1ntbhh.exe81⤵
-
\??\c:\5nhnbb.exec:\5nhnbb.exe82⤵
-
\??\c:\pjjpd.exec:\pjjpd.exe83⤵
-
\??\c:\5jvvv.exec:\5jvvv.exe84⤵
-
\??\c:\xffrlxl.exec:\xffrlxl.exe85⤵
-
\??\c:\1fllllr.exec:\1fllllr.exe86⤵
-
\??\c:\hbbhbh.exec:\hbbhbh.exe87⤵
-
\??\c:\nhbbhh.exec:\nhbbhh.exe88⤵
-
\??\c:\5vjpd.exec:\5vjpd.exe89⤵
-
\??\c:\3jvpp.exec:\3jvpp.exe90⤵
-
\??\c:\rlfrxfl.exec:\rlfrxfl.exe91⤵
-
\??\c:\5flflxf.exec:\5flflxf.exe92⤵
-
\??\c:\1hbnbh.exec:\1hbnbh.exe93⤵
-
\??\c:\tbnnnh.exec:\tbnnnh.exe94⤵
-
\??\c:\pjpvj.exec:\pjpvj.exe95⤵
-
\??\c:\7jdpv.exec:\7jdpv.exe96⤵
-
\??\c:\xlxrrxl.exec:\xlxrrxl.exe97⤵
-
\??\c:\xrflxll.exec:\xrflxll.exe98⤵
-
\??\c:\nhttbb.exec:\nhttbb.exe99⤵
-
\??\c:\thtntn.exec:\thtntn.exe100⤵
-
\??\c:\3dvdj.exec:\3dvdj.exe101⤵
-
\??\c:\1dpjj.exec:\1dpjj.exe102⤵
- System Location Discovery: System Language Discovery
-
\??\c:\7lxrxxf.exec:\7lxrxxf.exe103⤵
-
\??\c:\lrxrllx.exec:\lrxrllx.exe104⤵
-
\??\c:\1thhnh.exec:\1thhnh.exe105⤵
-
\??\c:\hbnbth.exec:\hbnbth.exe106⤵
-
\??\c:\vjvdj.exec:\vjvdj.exe107⤵
-
\??\c:\ppjdj.exec:\ppjdj.exe108⤵
-
\??\c:\frfrrxf.exec:\frfrrxf.exe109⤵
-
\??\c:\rfllxxx.exec:\rfllxxx.exe110⤵
-
\??\c:\tnbbtt.exec:\tnbbtt.exe111⤵
-
\??\c:\9bnhtt.exec:\9bnhtt.exe112⤵
-
\??\c:\5thhhn.exec:\5thhhn.exe113⤵
-
\??\c:\vvvvd.exec:\vvvvd.exe114⤵
-
\??\c:\9jjjd.exec:\9jjjd.exe115⤵
-
\??\c:\lfrrllx.exec:\lfrrllx.exe116⤵
-
\??\c:\nbbhbh.exec:\nbbhbh.exe117⤵
-
\??\c:\nhnnnh.exec:\nhnnnh.exe118⤵
-
\??\c:\dvjpd.exec:\dvjpd.exe119⤵
-
\??\c:\vppjv.exec:\vppjv.exe120⤵
-
\??\c:\llxflrl.exec:\llxflrl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-