Analysis
-
max time kernel
150s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
19/12/2024, 23:40
General
-
Target
4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe
-
Size
452KB
-
MD5
62c1d9a088678e1601be87e3a7812ad2
-
SHA1
c9b441abd87a50d43067ce8ba674e5ec29f8dd82
-
SHA256
4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1
-
SHA512
f59ca0e23ae40d9736b31df83161245c6684540259ac8a704c4bec46b228e65ebad1fb5572962b94392af7a992c09f49b5ce52402e0ce023145e168985968f8c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 43 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 40 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe"C:\Users\Admin\AppData\Local\Temp\4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3xfrrrr.exec:\3xfrrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvddj.exec:\jvddj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20002.exec:\20002.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k04062.exec:\k04062.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxflr.exec:\lfrxflr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpv.exec:\pdvpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6086842.exec:\6086842.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7jdjj.exec:\7jdjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjjp.exec:\jdjjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnbth.exec:\nnnbth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfxrxrr.exec:\xfxrxrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfrfll.exec:\rlfrfll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a0828.exec:\a0828.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4864220.exec:\4864220.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\822406.exec:\822406.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1thhtb.exec:\1thhtb.exe17⤵
- Executes dropped EXE
-
\??\c:\6020648.exec:\6020648.exe18⤵
- Executes dropped EXE
-
\??\c:\rfrrfff.exec:\rfrrfff.exe19⤵
- Executes dropped EXE
-
\??\c:\3hbhtb.exec:\3hbhtb.exe20⤵
- Executes dropped EXE
-
\??\c:\2602046.exec:\2602046.exe21⤵
- Executes dropped EXE
-
\??\c:\82640.exec:\82640.exe22⤵
- Executes dropped EXE
-
\??\c:\7fflxlf.exec:\7fflxlf.exe23⤵
- Executes dropped EXE
-
\??\c:\xrlllll.exec:\xrlllll.exe24⤵
- Executes dropped EXE
-
\??\c:\thttbh.exec:\thttbh.exe25⤵
- Executes dropped EXE
-
\??\c:\c444680.exec:\c444680.exe26⤵
- Executes dropped EXE
-
\??\c:\lfffxfr.exec:\lfffxfr.exe27⤵
- Executes dropped EXE
-
\??\c:\7frlrxf.exec:\7frlrxf.exe28⤵
- Executes dropped EXE
-
\??\c:\dvddj.exec:\dvddj.exe29⤵
- Executes dropped EXE
-
\??\c:\20240.exec:\20240.exe30⤵
- Executes dropped EXE
-
\??\c:\ffrlrxf.exec:\ffrlrxf.exe31⤵
- Executes dropped EXE
-
\??\c:\pdjvj.exec:\pdjvj.exe32⤵
- Executes dropped EXE
-
\??\c:\w08844.exec:\w08844.exe33⤵
- Executes dropped EXE
-
\??\c:\rfffrlr.exec:\rfffrlr.exe34⤵
- Executes dropped EXE
-
\??\c:\bthtbb.exec:\bthtbb.exe35⤵
- Executes dropped EXE
-
\??\c:\260640.exec:\260640.exe36⤵
- Executes dropped EXE
-
\??\c:\rlxxffr.exec:\rlxxffr.exe37⤵
- Executes dropped EXE
-
\??\c:\dvvvp.exec:\dvvvp.exe38⤵
- Executes dropped EXE
-
\??\c:\1jdjv.exec:\1jdjv.exe39⤵
- Executes dropped EXE
-
\??\c:\hbtbnh.exec:\hbtbnh.exe40⤵
- Executes dropped EXE
-
\??\c:\dpdjp.exec:\dpdjp.exe41⤵
- Executes dropped EXE
-
\??\c:\xrlxrxr.exec:\xrlxrxr.exe42⤵
- Executes dropped EXE
-
\??\c:\640840.exec:\640840.exe43⤵
- Executes dropped EXE
-
\??\c:\frfxxxf.exec:\frfxxxf.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\8600006.exec:\8600006.exe45⤵
- Executes dropped EXE
-
\??\c:\60286.exec:\60286.exe46⤵
- Executes dropped EXE
-
\??\c:\xxrfflf.exec:\xxrfflf.exe47⤵
- Executes dropped EXE
-
\??\c:\8262802.exec:\8262802.exe48⤵
- Executes dropped EXE
-
\??\c:\2082224.exec:\2082224.exe49⤵
- Executes dropped EXE
-
\??\c:\1vjjp.exec:\1vjjp.exe50⤵
- Executes dropped EXE
-
\??\c:\m2068.exec:\m2068.exe51⤵
- Executes dropped EXE
-
\??\c:\868804.exec:\868804.exe52⤵
- Executes dropped EXE
-
\??\c:\0800040.exec:\0800040.exe53⤵
- Executes dropped EXE
-
\??\c:\jdppd.exec:\jdppd.exe54⤵
- Executes dropped EXE
-
\??\c:\dvpvj.exec:\dvpvj.exe55⤵
- Executes dropped EXE
-
\??\c:\2028006.exec:\2028006.exe56⤵
- Executes dropped EXE
-
\??\c:\3xllllx.exec:\3xllllx.exe57⤵
- Executes dropped EXE
-
\??\c:\64640.exec:\64640.exe58⤵
- Executes dropped EXE
-
\??\c:\btntbb.exec:\btntbb.exe59⤵
- Executes dropped EXE
-
\??\c:\866026.exec:\866026.exe60⤵
- Executes dropped EXE
-
\??\c:\082288.exec:\082288.exe61⤵
- Executes dropped EXE
-
\??\c:\3nthnn.exec:\3nthnn.exe62⤵
- Executes dropped EXE
-
\??\c:\xlrllfx.exec:\xlrllfx.exe63⤵
- Executes dropped EXE
-
\??\c:\htbbbb.exec:\htbbbb.exe64⤵
- Executes dropped EXE
-
\??\c:\vjvdv.exec:\vjvdv.exe65⤵
- Executes dropped EXE
-
\??\c:\xxrrxxl.exec:\xxrrxxl.exe66⤵
-
\??\c:\26802.exec:\26802.exe67⤵
-
\??\c:\c260280.exec:\c260280.exe68⤵
-
\??\c:\64884.exec:\64884.exe69⤵
-
\??\c:\6800662.exec:\6800662.exe70⤵
-
\??\c:\dpjjp.exec:\dpjjp.exe71⤵
-
\??\c:\4240606.exec:\4240606.exe72⤵
-
\??\c:\2688204.exec:\2688204.exe73⤵
-
\??\c:\2640624.exec:\2640624.exe74⤵
-
\??\c:\08280.exec:\08280.exe75⤵
-
\??\c:\bnbbtt.exec:\bnbbtt.exe76⤵
-
\??\c:\6084002.exec:\6084002.exe77⤵
-
\??\c:\dvpvj.exec:\dvpvj.exe78⤵
-
\??\c:\q42288.exec:\q42288.exe79⤵
-
\??\c:\pddpp.exec:\pddpp.exe80⤵
-
\??\c:\nnntbb.exec:\nnntbb.exe81⤵
-
\??\c:\vpjvj.exec:\vpjvj.exe82⤵
-
\??\c:\tthhbh.exec:\tthhbh.exe83⤵
-
\??\c:\046022.exec:\046022.exe84⤵
-
\??\c:\fxllffr.exec:\fxllffr.exe85⤵
-
\??\c:\5pdjv.exec:\5pdjv.exe86⤵
-
\??\c:\4246402.exec:\4246402.exe87⤵
-
\??\c:\tnhhtt.exec:\tnhhtt.exe88⤵
-
\??\c:\jdpvd.exec:\jdpvd.exe89⤵
-
\??\c:\7pdpj.exec:\7pdpj.exe90⤵
-
\??\c:\rxlxlxr.exec:\rxlxlxr.exe91⤵
-
\??\c:\2422484.exec:\2422484.exe92⤵
-
\??\c:\3xxlrxf.exec:\3xxlrxf.exe93⤵
-
\??\c:\nhbnnt.exec:\nhbnnt.exe94⤵
-
\??\c:\w20026.exec:\w20026.exe95⤵
-
\??\c:\q40688.exec:\q40688.exe96⤵
-
\??\c:\btnnbb.exec:\btnnbb.exe97⤵
-
\??\c:\vvjjd.exec:\vvjjd.exe98⤵
-
\??\c:\080660.exec:\080660.exe99⤵
-
\??\c:\7thbhh.exec:\7thbhh.exe100⤵
-
\??\c:\42002.exec:\42002.exe101⤵
-
\??\c:\202800.exec:\202800.exe102⤵
-
\??\c:\pjvjv.exec:\pjvjv.exe103⤵
-
\??\c:\6468402.exec:\6468402.exe104⤵
-
\??\c:\42062.exec:\42062.exe105⤵
-
\??\c:\828024.exec:\828024.exe106⤵
-
\??\c:\xrffrrf.exec:\xrffrrf.exe107⤵
-
\??\c:\xlxxxfl.exec:\xlxxxfl.exe108⤵
-
\??\c:\vpdjv.exec:\vpdjv.exe109⤵
-
\??\c:\e86284.exec:\e86284.exe110⤵
-
\??\c:\ppdpp.exec:\ppdpp.exe111⤵
-
\??\c:\2022246.exec:\2022246.exe112⤵
-
\??\c:\vpjpv.exec:\vpjpv.exe113⤵
-
\??\c:\k42460.exec:\k42460.exe114⤵
-
\??\c:\o280222.exec:\o280222.exe115⤵
-
\??\c:\xrxxffr.exec:\xrxxffr.exe116⤵
-
\??\c:\0402644.exec:\0402644.exe117⤵
-
\??\c:\60402.exec:\60402.exe118⤵
-
\??\c:\82008.exec:\82008.exe119⤵
-
\??\c:\9hbtnh.exec:\9hbtnh.exe120⤵
-
\??\c:\tnbntn.exec:\tnbntn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-