Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
17-12-2024 21:23
General
-
Target
fabaa189d3d25ebb00cb64943b8507694fa8c8ecde0069d8e7be3acbc01a63cfN.exe
-
Size
83KB
-
MD5
d392214af365ed354a5b48ed78e9c8f0
-
SHA1
b1dd06f4caaf33c648328e65803a6ac9d283d290
-
SHA256
fabaa189d3d25ebb00cb64943b8507694fa8c8ecde0069d8e7be3acbc01a63cf
-
SHA512
6d8eebf09fea206c6d4778a9f89f7f4aef85cf46869ad6eeb7a16196e438e12cd723131785e253fbc0469f361b3de76f14921f76ca992f9b2f1fbf40117a6888
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89Qt:ymb3NkkiQ3mdBjFIIp9L9QrrA8I
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fabaa189d3d25ebb00cb64943b8507694fa8c8ecde0069d8e7be3acbc01a63cfN.exe"C:\Users\Admin\AppData\Local\Temp\fabaa189d3d25ebb00cb64943b8507694fa8c8ecde0069d8e7be3acbc01a63cfN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdjd.exec:\vvdjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxflrx.exec:\fxxflrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlxflf.exec:\rrlxflf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hbhtb.exec:\9hbhtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jppjd.exec:\jppjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvvp.exec:\jjvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vvjj.exec:\3vvjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrllfx.exec:\rxrllfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhthth.exec:\nhthth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ttthn.exec:\7ttthn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1dvjp.exec:\1dvjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5fffllr.exec:\5fffllr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7llrflx.exec:\7llrflx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhhht.exec:\bbhhht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhbhht.exec:\bhbhht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjjj.exec:\ppjjj.exe17⤵
- Executes dropped EXE
-
\??\c:\lxrflrf.exec:\lxrflrf.exe18⤵
- Executes dropped EXE
-
\??\c:\nnttbh.exec:\nnttbh.exe19⤵
- Executes dropped EXE
-
\??\c:\hbbbbn.exec:\hbbbbn.exe20⤵
- Executes dropped EXE
-
\??\c:\ppjdv.exec:\ppjdv.exe21⤵
- Executes dropped EXE
-
\??\c:\jjjvd.exec:\jjjvd.exe22⤵
- Executes dropped EXE
-
\??\c:\xrxfrxl.exec:\xrxfrxl.exe23⤵
- Executes dropped EXE
-
\??\c:\xrflrxf.exec:\xrflrxf.exe24⤵
- Executes dropped EXE
-
\??\c:\nnhnhn.exec:\nnhnhn.exe25⤵
- Executes dropped EXE
-
\??\c:\3nhhtb.exec:\3nhhtb.exe26⤵
- Executes dropped EXE
-
\??\c:\dddjv.exec:\dddjv.exe27⤵
- Executes dropped EXE
-
\??\c:\3rflrxl.exec:\3rflrxl.exe28⤵
- Executes dropped EXE
-
\??\c:\nntbhn.exec:\nntbhn.exe29⤵
- Executes dropped EXE
-
\??\c:\nnnnbn.exec:\nnnnbn.exe30⤵
- Executes dropped EXE
-
\??\c:\1jdpv.exec:\1jdpv.exe31⤵
- Executes dropped EXE
-
\??\c:\1pvdp.exec:\1pvdp.exe32⤵
- Executes dropped EXE
-
\??\c:\rxxlxff.exec:\rxxlxff.exe33⤵
- Executes dropped EXE
-
\??\c:\9bhtbn.exec:\9bhtbn.exe34⤵
- Executes dropped EXE
-
\??\c:\hhbbbh.exec:\hhbbbh.exe35⤵
- Executes dropped EXE
-
\??\c:\jjjdv.exec:\jjjdv.exe36⤵
- Executes dropped EXE
-
\??\c:\1ppdj.exec:\1ppdj.exe37⤵
- Executes dropped EXE
-
\??\c:\rrllxlx.exec:\rrllxlx.exe38⤵
- Executes dropped EXE
-
\??\c:\3flxfrl.exec:\3flxfrl.exe39⤵
- Executes dropped EXE
-
\??\c:\nhtttb.exec:\nhtttb.exe40⤵
- Executes dropped EXE
-
\??\c:\5nhtnt.exec:\5nhtnt.exe41⤵
- Executes dropped EXE
-
\??\c:\vvvdv.exec:\vvvdv.exe42⤵
- Executes dropped EXE
-
\??\c:\dvjjp.exec:\dvjjp.exe43⤵
- Executes dropped EXE
-
\??\c:\vvvpd.exec:\vvvpd.exe44⤵
- Executes dropped EXE
-
\??\c:\5xrfllf.exec:\5xrfllf.exe45⤵
- Executes dropped EXE
-
\??\c:\rllrrrl.exec:\rllrrrl.exe46⤵
- Executes dropped EXE
-
\??\c:\bthbnn.exec:\bthbnn.exe47⤵
- Executes dropped EXE
-
\??\c:\dvjdj.exec:\dvjdj.exe48⤵
- Executes dropped EXE
-
\??\c:\jjppd.exec:\jjppd.exe49⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe50⤵
- Executes dropped EXE
-
\??\c:\xxrrlrx.exec:\xxrrlrx.exe51⤵
- Executes dropped EXE
-
\??\c:\nnhthn.exec:\nnhthn.exe52⤵
- Executes dropped EXE
-
\??\c:\nnntnt.exec:\nnntnt.exe53⤵
- Executes dropped EXE
-
\??\c:\thtthh.exec:\thtthh.exe54⤵
- Executes dropped EXE
-
\??\c:\jvdjj.exec:\jvdjj.exe55⤵
- Executes dropped EXE
-
\??\c:\fxlfrrf.exec:\fxlfrrf.exe56⤵
- Executes dropped EXE
-
\??\c:\1frxllx.exec:\1frxllx.exe57⤵
- Executes dropped EXE
-
\??\c:\tbnbht.exec:\tbnbht.exe58⤵
- Executes dropped EXE
-
\??\c:\tnhnbb.exec:\tnhnbb.exe59⤵
- Executes dropped EXE
-
\??\c:\9vjdv.exec:\9vjdv.exe60⤵
- Executes dropped EXE
-
\??\c:\jdppj.exec:\jdppj.exe61⤵
- Executes dropped EXE
-
\??\c:\vpjjd.exec:\vpjjd.exe62⤵
- Executes dropped EXE
-
\??\c:\lfrlxfx.exec:\lfrlxfx.exe63⤵
- Executes dropped EXE
-
\??\c:\5nnntn.exec:\5nnntn.exe64⤵
- Executes dropped EXE
-
\??\c:\7vppv.exec:\7vppv.exe65⤵
- Executes dropped EXE
-
\??\c:\vpjjp.exec:\vpjjp.exe66⤵
-
\??\c:\9xxlfrf.exec:\9xxlfrf.exe67⤵
-
\??\c:\lfrxfrf.exec:\lfrxfrf.exe68⤵
-
\??\c:\3tbbnt.exec:\3tbbnt.exe69⤵
-
\??\c:\ttbntb.exec:\ttbntb.exe70⤵
-
\??\c:\pjpdp.exec:\pjpdp.exe71⤵
-
\??\c:\ppjvj.exec:\ppjvj.exe72⤵
-
\??\c:\9xrfrrf.exec:\9xrfrrf.exe73⤵
-
\??\c:\xxflrxl.exec:\xxflrxl.exe74⤵
-
\??\c:\hbtbnt.exec:\hbtbnt.exe75⤵
-
\??\c:\hhthth.exec:\hhthth.exe76⤵
-
\??\c:\dvpvj.exec:\dvpvj.exe77⤵
-
\??\c:\djdjd.exec:\djdjd.exe78⤵
-
\??\c:\vpppd.exec:\vpppd.exe79⤵
-
\??\c:\frllxfl.exec:\frllxfl.exe80⤵
-
\??\c:\7xlxrrl.exec:\7xlxrrl.exe81⤵
-
\??\c:\tnbbhn.exec:\tnbbhn.exe82⤵
-
\??\c:\9bbthh.exec:\9bbthh.exe83⤵
-
\??\c:\1pjjp.exec:\1pjjp.exe84⤵
- System Location Discovery: System Language Discovery
-
\??\c:\pdjjv.exec:\pdjjv.exe85⤵
-
\??\c:\3jdjd.exec:\3jdjd.exe86⤵
-
\??\c:\fxxxrlx.exec:\fxxxrlx.exe87⤵
-
\??\c:\xrlflrf.exec:\xrlflrf.exe88⤵
-
\??\c:\nbnbnb.exec:\nbnbnb.exe89⤵
-
\??\c:\3thnbb.exec:\3thnbb.exe90⤵
-
\??\c:\dvdjv.exec:\dvdjv.exe91⤵
-
\??\c:\7dvvv.exec:\7dvvv.exe92⤵
-
\??\c:\lfxrffr.exec:\lfxrffr.exe93⤵
-
\??\c:\lfxrxlx.exec:\lfxrxlx.exe94⤵
-
\??\c:\rrfrxfl.exec:\rrfrxfl.exe95⤵
-
\??\c:\tnbhnb.exec:\tnbhnb.exe96⤵
-
\??\c:\hbnthn.exec:\hbnthn.exe97⤵
-
\??\c:\vjvvd.exec:\vjvvd.exe98⤵
-
\??\c:\dvvdd.exec:\dvvdd.exe99⤵
-
\??\c:\fxlrrfx.exec:\fxlrrfx.exe100⤵
-
\??\c:\9lxfxlx.exec:\9lxfxlx.exe101⤵
-
\??\c:\xrxxxfl.exec:\xrxxxfl.exe102⤵
-
\??\c:\5hbtnn.exec:\5hbtnn.exe103⤵
-
\??\c:\9thhnb.exec:\9thhnb.exe104⤵
-
\??\c:\jddpp.exec:\jddpp.exe105⤵
-
\??\c:\9dddj.exec:\9dddj.exe106⤵
-
\??\c:\rlrrlxf.exec:\rlrrlxf.exe107⤵
-
\??\c:\rxrrrfr.exec:\rxrrrfr.exe108⤵
-
\??\c:\3bbtnb.exec:\3bbtnb.exe109⤵
-
\??\c:\hhbnbn.exec:\hhbnbn.exe110⤵
-
\??\c:\pppjp.exec:\pppjp.exe111⤵
-
\??\c:\ppvdp.exec:\ppvdp.exe112⤵
-
\??\c:\dpddp.exec:\dpddp.exe113⤵
-
\??\c:\fxflrfx.exec:\fxflrfx.exe114⤵
-
\??\c:\llxffrx.exec:\llxffrx.exe115⤵
-
\??\c:\hbhnhn.exec:\hbhnhn.exe116⤵
-
\??\c:\1nnhtt.exec:\1nnhtt.exe117⤵
-
\??\c:\3jjjp.exec:\3jjjp.exe118⤵
-
\??\c:\pdjjv.exec:\pdjjv.exe119⤵
-
\??\c:\9dvdj.exec:\9dvdj.exe120⤵
-
\??\c:\rllrlrl.exec:\rllrlrl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-