Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-12-2024 02:30
General
-
Target
0ea68803618a9886e7eecfcda8563fce9e7d990ba73203d4d0033504abc76273.exe
-
Size
83KB
-
MD5
1ba21cc120f0857bd04c038bc38d6b99
-
SHA1
5210a5dba10c2c06eeba04da14a432bad06bd464
-
SHA256
0ea68803618a9886e7eecfcda8563fce9e7d990ba73203d4d0033504abc76273
-
SHA512
b370fa16195e906f7a3c69a024199258c4983534a297c24924312e9fffed72860f3550eeea1c7a565af0a6b369f1e721bf919c986d7959db2c9497c5126bf648
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89Qf:ymb3NkkiQ3mdBjFIIp9L9QrrA8I
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ea68803618a9886e7eecfcda8563fce9e7d990ba73203d4d0033504abc76273.exe"C:\Users\Admin\AppData\Local\Temp\0ea68803618a9886e7eecfcda8563fce9e7d990ba73203d4d0033504abc76273.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pdpvd.exec:\pdpvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g0886.exec:\g0886.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6428444.exec:\6428444.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\626220.exec:\626220.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4206224.exec:\4206224.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e22426.exec:\e22426.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\084022.exec:\084022.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20206.exec:\20206.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\84408.exec:\84408.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u608026.exec:\u608026.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jdjp.exec:\3jdjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnntb.exec:\htnntb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\640826.exec:\640826.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdvp.exec:\vjdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6040066.exec:\6040066.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dpvv.exec:\9dpvv.exe17⤵
- Executes dropped EXE
-
\??\c:\g0806.exec:\g0806.exe18⤵
- Executes dropped EXE
-
\??\c:\s4228.exec:\s4228.exe19⤵
- Executes dropped EXE
-
\??\c:\2406628.exec:\2406628.exe20⤵
- Executes dropped EXE
-
\??\c:\486866.exec:\486866.exe21⤵
- Executes dropped EXE
-
\??\c:\g4802.exec:\g4802.exe22⤵
- Executes dropped EXE
-
\??\c:\5lfrrlr.exec:\5lfrrlr.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\rfrxllf.exec:\rfrxllf.exe24⤵
- Executes dropped EXE
-
\??\c:\rlffrrx.exec:\rlffrrx.exe25⤵
- Executes dropped EXE
-
\??\c:\hbbhnn.exec:\hbbhnn.exe26⤵
- Executes dropped EXE
-
\??\c:\tnbhnn.exec:\tnbhnn.exe27⤵
- Executes dropped EXE
-
\??\c:\04208.exec:\04208.exe28⤵
- Executes dropped EXE
-
\??\c:\484028.exec:\484028.exe29⤵
- Executes dropped EXE
-
\??\c:\62640.exec:\62640.exe30⤵
- Executes dropped EXE
-
\??\c:\6422884.exec:\6422884.exe31⤵
- Executes dropped EXE
-
\??\c:\2640206.exec:\2640206.exe32⤵
- Executes dropped EXE
-
\??\c:\jvppp.exec:\jvppp.exe33⤵
- Executes dropped EXE
-
\??\c:\xrxflfl.exec:\xrxflfl.exe34⤵
- Executes dropped EXE
-
\??\c:\3rrlxxx.exec:\3rrlxxx.exe35⤵
- Executes dropped EXE
-
\??\c:\jpvdp.exec:\jpvdp.exe36⤵
- Executes dropped EXE
-
\??\c:\llfffrl.exec:\llfffrl.exe37⤵
- Executes dropped EXE
-
\??\c:\xlxfrxx.exec:\xlxfrxx.exe38⤵
- Executes dropped EXE
-
\??\c:\rflrrxf.exec:\rflrrxf.exe39⤵
- Executes dropped EXE
-
\??\c:\60886.exec:\60886.exe40⤵
- Executes dropped EXE
-
\??\c:\llrrffl.exec:\llrrffl.exe41⤵
- Executes dropped EXE
-
\??\c:\1vjvv.exec:\1vjvv.exe42⤵
- Executes dropped EXE
-
\??\c:\bnnthn.exec:\bnnthn.exe43⤵
- Executes dropped EXE
-
\??\c:\rllrxfl.exec:\rllrxfl.exe44⤵
- Executes dropped EXE
-
\??\c:\7bnbhn.exec:\7bnbhn.exe45⤵
- Executes dropped EXE
-
\??\c:\btbhbh.exec:\btbhbh.exe46⤵
- Executes dropped EXE
-
\??\c:\pjpvj.exec:\pjpvj.exe47⤵
- Executes dropped EXE
-
\??\c:\vvdjp.exec:\vvdjp.exe48⤵
- Executes dropped EXE
-
\??\c:\fxlrrxx.exec:\fxlrrxx.exe49⤵
- Executes dropped EXE
-
\??\c:\jvpvp.exec:\jvpvp.exe50⤵
- Executes dropped EXE
-
\??\c:\o684684.exec:\o684684.exe51⤵
- Executes dropped EXE
-
\??\c:\tnbbtb.exec:\tnbbtb.exe52⤵
- Executes dropped EXE
-
\??\c:\g2406.exec:\g2406.exe53⤵
- Executes dropped EXE
-
\??\c:\o640280.exec:\o640280.exe54⤵
- Executes dropped EXE
-
\??\c:\5llrxfl.exec:\5llrxfl.exe55⤵
- Executes dropped EXE
-
\??\c:\nhtbhn.exec:\nhtbhn.exe56⤵
- Executes dropped EXE
-
\??\c:\60242.exec:\60242.exe57⤵
- Executes dropped EXE
-
\??\c:\jdppv.exec:\jdppv.exe58⤵
- Executes dropped EXE
-
\??\c:\264468.exec:\264468.exe59⤵
- Executes dropped EXE
-
\??\c:\480082.exec:\480082.exe60⤵
- Executes dropped EXE
-
\??\c:\5vddp.exec:\5vddp.exe61⤵
- Executes dropped EXE
-
\??\c:\2680668.exec:\2680668.exe62⤵
- Executes dropped EXE
-
\??\c:\hbtbhn.exec:\hbtbhn.exe63⤵
- Executes dropped EXE
-
\??\c:\646888.exec:\646888.exe64⤵
- Executes dropped EXE
-
\??\c:\jjvdv.exec:\jjvdv.exe65⤵
- Executes dropped EXE
-
\??\c:\bbthhn.exec:\bbthhn.exe66⤵
-
\??\c:\ffrrfxl.exec:\ffrrfxl.exe67⤵
-
\??\c:\8624486.exec:\8624486.exe68⤵
-
\??\c:\6406822.exec:\6406822.exe69⤵
-
\??\c:\86844.exec:\86844.exe70⤵
-
\??\c:\1vpvv.exec:\1vpvv.exe71⤵
- System Location Discovery: System Language Discovery
-
\??\c:\pdvpv.exec:\pdvpv.exe72⤵
-
\??\c:\dpdvv.exec:\dpdvv.exe73⤵
-
\??\c:\4828046.exec:\4828046.exe74⤵
-
\??\c:\82624.exec:\82624.exe75⤵
-
\??\c:\bnbbnt.exec:\bnbbnt.exe76⤵
-
\??\c:\4228062.exec:\4228062.exe77⤵
-
\??\c:\btbhtb.exec:\btbhtb.exe78⤵
- System Location Discovery: System Language Discovery
-
\??\c:\8644280.exec:\8644280.exe79⤵
-
\??\c:\tnhbht.exec:\tnhbht.exe80⤵
-
\??\c:\8268806.exec:\8268806.exe81⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe82⤵
-
\??\c:\864066.exec:\864066.exe83⤵
-
\??\c:\268400.exec:\268400.exe84⤵
-
\??\c:\60802.exec:\60802.exe85⤵
-
\??\c:\pjvpd.exec:\pjvpd.exe86⤵
-
\??\c:\vvpdv.exec:\vvpdv.exe87⤵
-
\??\c:\bhtbnn.exec:\bhtbnn.exe88⤵
-
\??\c:\fxrfllr.exec:\fxrfllr.exe89⤵
-
\??\c:\64686.exec:\64686.exe90⤵
-
\??\c:\42028.exec:\42028.exe91⤵
-
\??\c:\jdvdv.exec:\jdvdv.exe92⤵
-
\??\c:\8268002.exec:\8268002.exe93⤵
- System Location Discovery: System Language Discovery
-
\??\c:\222244.exec:\222244.exe94⤵
-
\??\c:\dvvdp.exec:\dvvdp.exe95⤵
-
\??\c:\jjddp.exec:\jjddp.exe96⤵
-
\??\c:\44846.exec:\44846.exe97⤵
-
\??\c:\0844480.exec:\0844480.exe98⤵
-
\??\c:\dvjpp.exec:\dvjpp.exe99⤵
-
\??\c:\20402.exec:\20402.exe100⤵
-
\??\c:\9dvpv.exec:\9dvpv.exe101⤵
-
\??\c:\k60284.exec:\k60284.exe102⤵
-
\??\c:\7xrxfxf.exec:\7xrxfxf.exe103⤵
-
\??\c:\jvdjj.exec:\jvdjj.exe104⤵
-
\??\c:\7ppjd.exec:\7ppjd.exe105⤵
-
\??\c:\08000.exec:\08000.exe106⤵
-
\??\c:\9vjdp.exec:\9vjdp.exe107⤵
-
\??\c:\e46266.exec:\e46266.exe108⤵
-
\??\c:\m4628.exec:\m4628.exe109⤵
-
\??\c:\nhnntt.exec:\nhnntt.exe110⤵
-
\??\c:\pdpvd.exec:\pdpvd.exe111⤵
-
\??\c:\jdvdp.exec:\jdvdp.exe112⤵
-
\??\c:\2208068.exec:\2208068.exe113⤵
-
\??\c:\rlrlxxl.exec:\rlrlxxl.exe114⤵
-
\??\c:\pdpvj.exec:\pdpvj.exe115⤵
-
\??\c:\xlrrxxx.exec:\xlrrxxx.exe116⤵
-
\??\c:\hbbbnb.exec:\hbbbnb.exe117⤵
-
\??\c:\hhbnth.exec:\hhbnth.exe118⤵
-
\??\c:\26064.exec:\26064.exe119⤵
-
\??\c:\bnbbhb.exec:\bnbbhb.exe120⤵
-
\??\c:\g0668.exec:\g0668.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-