Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-12-2024 21:24
General
-
Target
4efbe558859c51d8abbe470c1aad9054f7dc0a2493c8f823b990894b4f74ab3d.exe
-
Size
82KB
-
MD5
a67205c38d1e1643d6857a8ded9c3d0f
-
SHA1
c19a68e2cbea3217f0b6c44a9e5ba085ab3bb44b
-
SHA256
4efbe558859c51d8abbe470c1aad9054f7dc0a2493c8f823b990894b4f74ab3d
-
SHA512
8c5eaaad694f32815a430b6d3e58a823d12e48d019beda495e1a2417f797751f492577d900db334d821ddc33c7c4339cd2121897f2f05b8eb7e1d802220625a9
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5rINFE4yeqa:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCu4rS
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4efbe558859c51d8abbe470c1aad9054f7dc0a2493c8f823b990894b4f74ab3d.exe"C:\Users\Admin\AppData\Local\Temp\4efbe558859c51d8abbe470c1aad9054f7dc0a2493c8f823b990894b4f74ab3d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppp.exec:\vpppp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxxfff.exec:\lxxxfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3tbbhh.exec:\3tbbhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrlrlr.exec:\lfrlrlr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nhnbt.exec:\7nhnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntttn.exec:\bntttn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdpv.exec:\pjdpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxfllr.exec:\fxxfllr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtbhn.exec:\nhtbhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvpvv.exec:\jvpvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jvvd.exec:\3jvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xflxxl.exec:\1xflxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnbbb.exec:\nnnbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhhtt.exec:\tnhhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vppv.exec:\7vppv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlrfll.exec:\lxlrfll.exe17⤵
- Executes dropped EXE
-
\??\c:\ffrxllr.exec:\ffrxllr.exe18⤵
- Executes dropped EXE
-
\??\c:\7tntbh.exec:\7tntbh.exe19⤵
- Executes dropped EXE
-
\??\c:\bnbbhh.exec:\bnbbhh.exe20⤵
- Executes dropped EXE
-
\??\c:\pddvd.exec:\pddvd.exe21⤵
- Executes dropped EXE
-
\??\c:\flxxxfl.exec:\flxxxfl.exe22⤵
- Executes dropped EXE
-
\??\c:\5xxrfxx.exec:\5xxrfxx.exe23⤵
- Executes dropped EXE
-
\??\c:\9thbhn.exec:\9thbhn.exe24⤵
- Executes dropped EXE
-
\??\c:\jpjpp.exec:\jpjpp.exe25⤵
- Executes dropped EXE
-
\??\c:\pdvdj.exec:\pdvdj.exe26⤵
- Executes dropped EXE
-
\??\c:\xxrflxf.exec:\xxrflxf.exe27⤵
- Executes dropped EXE
-
\??\c:\llfrlfl.exec:\llfrlfl.exe28⤵
- Executes dropped EXE
-
\??\c:\3tbtnh.exec:\3tbtnh.exe29⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe30⤵
- Executes dropped EXE
-
\??\c:\pdppv.exec:\pdppv.exe31⤵
- Executes dropped EXE
-
\??\c:\lfxrxlr.exec:\lfxrxlr.exe32⤵
- Executes dropped EXE
-
\??\c:\bnbhnt.exec:\bnbhnt.exe33⤵
- Executes dropped EXE
-
\??\c:\nnntnb.exec:\nnntnb.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\pdppp.exec:\pdppp.exe35⤵
- Executes dropped EXE
-
\??\c:\dvvpv.exec:\dvvpv.exe36⤵
- Executes dropped EXE
-
\??\c:\1llllff.exec:\1llllff.exe37⤵
- Executes dropped EXE
-
\??\c:\3xfxxrr.exec:\3xfxxrr.exe38⤵
- Executes dropped EXE
-
\??\c:\ntbbhb.exec:\ntbbhb.exe39⤵
- Executes dropped EXE
-
\??\c:\nbhntt.exec:\nbhntt.exe40⤵
- Executes dropped EXE
-
\??\c:\jdjpv.exec:\jdjpv.exe41⤵
- Executes dropped EXE
-
\??\c:\vpdpd.exec:\vpdpd.exe42⤵
- Executes dropped EXE
-
\??\c:\xfxfrlx.exec:\xfxfrlx.exe43⤵
- Executes dropped EXE
-
\??\c:\lffxffx.exec:\lffxffx.exe44⤵
- Executes dropped EXE
-
\??\c:\htbbhh.exec:\htbbhh.exe45⤵
- Executes dropped EXE
-
\??\c:\ntbbbh.exec:\ntbbbh.exe46⤵
- Executes dropped EXE
-
\??\c:\dppvd.exec:\dppvd.exe47⤵
- Executes dropped EXE
-
\??\c:\jdppp.exec:\jdppp.exe48⤵
- Executes dropped EXE
-
\??\c:\rfxflfx.exec:\rfxflfx.exe49⤵
- Executes dropped EXE
-
\??\c:\xrffrlx.exec:\xrffrlx.exe50⤵
- Executes dropped EXE
-
\??\c:\nhtttt.exec:\nhtttt.exe51⤵
- Executes dropped EXE
-
\??\c:\1tthnh.exec:\1tthnh.exe52⤵
- Executes dropped EXE
-
\??\c:\vpvvp.exec:\vpvvp.exe53⤵
- Executes dropped EXE
-
\??\c:\dpvpd.exec:\dpvpd.exe54⤵
- Executes dropped EXE
-
\??\c:\9rxxxxx.exec:\9rxxxxx.exe55⤵
- Executes dropped EXE
-
\??\c:\xrxlxfl.exec:\xrxlxfl.exe56⤵
- Executes dropped EXE
-
\??\c:\thhhtn.exec:\thhhtn.exe57⤵
- Executes dropped EXE
-
\??\c:\7hbtbh.exec:\7hbtbh.exe58⤵
- Executes dropped EXE
-
\??\c:\5vpdv.exec:\5vpdv.exe59⤵
- Executes dropped EXE
-
\??\c:\dvpvp.exec:\dvpvp.exe60⤵
- Executes dropped EXE
-
\??\c:\frrrxll.exec:\frrrxll.exe61⤵
- Executes dropped EXE
-
\??\c:\tntbnn.exec:\tntbnn.exe62⤵
- Executes dropped EXE
-
\??\c:\jpdjv.exec:\jpdjv.exe63⤵
- Executes dropped EXE
-
\??\c:\vpdjv.exec:\vpdjv.exe64⤵
- Executes dropped EXE
-
\??\c:\9fxxxrr.exec:\9fxxxrr.exe65⤵
- Executes dropped EXE
-
\??\c:\fxfxffl.exec:\fxfxffl.exe66⤵
-
\??\c:\nbhntt.exec:\nbhntt.exe67⤵
-
\??\c:\ttbbbt.exec:\ttbbbt.exe68⤵
-
\??\c:\jvjjd.exec:\jvjjd.exe69⤵
-
\??\c:\dpvpd.exec:\dpvpd.exe70⤵
-
\??\c:\lfffrrr.exec:\lfffrrr.exe71⤵
-
\??\c:\lxllxrx.exec:\lxllxrx.exe72⤵
-
\??\c:\7tnntt.exec:\7tnntt.exe73⤵
-
\??\c:\7tbntn.exec:\7tbntn.exe74⤵
-
\??\c:\dvpjv.exec:\dvpjv.exe75⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe76⤵
-
\??\c:\xlfxfxl.exec:\xlfxfxl.exe77⤵
-
\??\c:\fxflrrx.exec:\fxflrrx.exe78⤵
-
\??\c:\5hbhhh.exec:\5hbhhh.exe79⤵
-
\??\c:\tbnhbb.exec:\tbnhbb.exe80⤵
-
\??\c:\vpdpv.exec:\vpdpv.exe81⤵
-
\??\c:\pdvpv.exec:\pdvpv.exe82⤵
-
\??\c:\xlrxfrx.exec:\xlrxfrx.exe83⤵
-
\??\c:\bnnnhb.exec:\bnnnhb.exe84⤵
-
\??\c:\bttnbh.exec:\bttnbh.exe85⤵
-
\??\c:\ppvpd.exec:\ppvpd.exe86⤵
-
\??\c:\jdvpp.exec:\jdvpp.exe87⤵
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe88⤵
-
\??\c:\lfffxrl.exec:\lfffxrl.exe89⤵
-
\??\c:\7hhbhh.exec:\7hhbhh.exe90⤵
-
\??\c:\1thhhn.exec:\1thhhn.exe91⤵
-
\??\c:\jdppd.exec:\jdppd.exe92⤵
-
\??\c:\7jddp.exec:\7jddp.exe93⤵
-
\??\c:\3xllrfl.exec:\3xllrfl.exe94⤵
-
\??\c:\fxxfxxx.exec:\fxxfxxx.exe95⤵
-
\??\c:\hthhtn.exec:\hthhtn.exe96⤵
-
\??\c:\nhbbhb.exec:\nhbbhb.exe97⤵
- System Location Discovery: System Language Discovery
-
\??\c:\jvjdj.exec:\jvjdj.exe98⤵
-
\??\c:\1vvvd.exec:\1vvvd.exe99⤵
-
\??\c:\lxxrxrr.exec:\lxxrxrr.exe100⤵
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe101⤵
-
\??\c:\tnthnt.exec:\tnthnt.exe102⤵
-
\??\c:\bhbbbt.exec:\bhbbbt.exe103⤵
-
\??\c:\1bhbhh.exec:\1bhbhh.exe104⤵
-
\??\c:\pjpdv.exec:\pjpdv.exe105⤵
-
\??\c:\pddjd.exec:\pddjd.exe106⤵
-
\??\c:\rxxxxll.exec:\rxxxxll.exe107⤵
-
\??\c:\lxfflrr.exec:\lxfflrr.exe108⤵
-
\??\c:\hhtbhn.exec:\hhtbhn.exe109⤵
-
\??\c:\9nnhhn.exec:\9nnhhn.exe110⤵
-
\??\c:\htnnhh.exec:\htnnhh.exe111⤵
-
\??\c:\jjvpv.exec:\jjvpv.exe112⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe113⤵
-
\??\c:\lfrlrrr.exec:\lfrlrrr.exe114⤵
-
\??\c:\rxffrlx.exec:\rxffrlx.exe115⤵
-
\??\c:\htnntt.exec:\htnntt.exe116⤵
-
\??\c:\3tnthb.exec:\3tnthb.exe117⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe118⤵
-
\??\c:\lxllrlf.exec:\lxllrlf.exe119⤵
-
\??\c:\5rlxffx.exec:\5rlxffx.exe120⤵
-
\??\c:\thbbbb.exec:\thbbbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-