Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-12-2024 00:52
General
-
Target
9ee11916504a12e3af36c7567edccd61f858debc92bfcb66f93a92d1f6164946.exe
-
Size
455KB
-
MD5
34ba055ccefa7f7c51290aab003a3646
-
SHA1
3268a60f7a4be956c8a67c2bf2153f2e6958e835
-
SHA256
9ee11916504a12e3af36c7567edccd61f858debc92bfcb66f93a92d1f6164946
-
SHA512
04db03670f95875a3088c9680e52b97586c1ead7274c2dec23b89224a627b6c9283915e5c90adc1e35104244c1dfec3b5783fe1e9dd854c4af151c04e91c4b05
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTT:q7Tc2NYHUrAwfMp3CD/
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 46 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ee11916504a12e3af36c7567edccd61f858debc92bfcb66f93a92d1f6164946.exe"C:\Users\Admin\AppData\Local\Temp\9ee11916504a12e3af36c7567edccd61f858debc92bfcb66f93a92d1f6164946.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\820644.exec:\820644.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjpj.exec:\pjjpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xllrxx.exec:\3xllrxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxlffx.exec:\llxlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8242060.exec:\8242060.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\626806.exec:\626806.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbhtb.exec:\hhbhtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26064.exec:\26064.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\88628.exec:\88628.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlllxr.exec:\fxlllxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthhtt.exec:\tthhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xffxllr.exec:\xffxllr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0462408.exec:\0462408.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpdd.exec:\jdpdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\488680.exec:\488680.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\880806.exec:\880806.exe17⤵
- Executes dropped EXE
-
\??\c:\0426228.exec:\0426228.exe18⤵
- Executes dropped EXE
-
\??\c:\2606886.exec:\2606886.exe19⤵
- Executes dropped EXE
-
\??\c:\rlxflrf.exec:\rlxflrf.exe20⤵
- Executes dropped EXE
-
\??\c:\00468.exec:\00468.exe21⤵
- Executes dropped EXE
-
\??\c:\486642.exec:\486642.exe22⤵
- Executes dropped EXE
-
\??\c:\660646.exec:\660646.exe23⤵
- Executes dropped EXE
-
\??\c:\608066.exec:\608066.exe24⤵
- Executes dropped EXE
-
\??\c:\3ntntt.exec:\3ntntt.exe25⤵
- Executes dropped EXE
-
\??\c:\lxfxxrr.exec:\lxfxxrr.exe26⤵
- Executes dropped EXE
-
\??\c:\9tntnb.exec:\9tntnb.exe27⤵
- Executes dropped EXE
-
\??\c:\5pjdv.exec:\5pjdv.exe28⤵
- Executes dropped EXE
-
\??\c:\vvpjv.exec:\vvpjv.exe29⤵
- Executes dropped EXE
-
\??\c:\jpdpj.exec:\jpdpj.exe30⤵
- Executes dropped EXE
-
\??\c:\042262.exec:\042262.exe31⤵
- Executes dropped EXE
-
\??\c:\00402.exec:\00402.exe32⤵
- Executes dropped EXE
-
\??\c:\86402.exec:\86402.exe33⤵
- Executes dropped EXE
-
\??\c:\1thttb.exec:\1thttb.exe34⤵
- Executes dropped EXE
-
\??\c:\dpdpp.exec:\dpdpp.exe35⤵
- Executes dropped EXE
-
\??\c:\e82844.exec:\e82844.exe36⤵
- Executes dropped EXE
-
\??\c:\604826.exec:\604826.exe37⤵
- Executes dropped EXE
-
\??\c:\i202846.exec:\i202846.exe38⤵
- Executes dropped EXE
-
\??\c:\8202068.exec:\8202068.exe39⤵
- Executes dropped EXE
-
\??\c:\m4468.exec:\m4468.exe40⤵
- Executes dropped EXE
-
\??\c:\04808.exec:\04808.exe41⤵
- Executes dropped EXE
-
\??\c:\jvpjv.exec:\jvpjv.exe42⤵
- Executes dropped EXE
-
\??\c:\tbtttb.exec:\tbtttb.exe43⤵
- Executes dropped EXE
-
\??\c:\w48044.exec:\w48044.exe44⤵
- Executes dropped EXE
-
\??\c:\64848.exec:\64848.exe45⤵
- Executes dropped EXE
-
\??\c:\ddjpp.exec:\ddjpp.exe46⤵
- Executes dropped EXE
-
\??\c:\fxxfflr.exec:\fxxfflr.exe47⤵
- Executes dropped EXE
-
\??\c:\1rlrxfr.exec:\1rlrxfr.exe48⤵
- Executes dropped EXE
-
\??\c:\886440.exec:\886440.exe49⤵
- Executes dropped EXE
-
\??\c:\4202840.exec:\4202840.exe50⤵
- Executes dropped EXE
-
\??\c:\o806880.exec:\o806880.exe51⤵
- Executes dropped EXE
-
\??\c:\7fxxffl.exec:\7fxxffl.exe52⤵
- Executes dropped EXE
-
\??\c:\w20684.exec:\w20684.exe53⤵
- Executes dropped EXE
-
\??\c:\048066.exec:\048066.exe54⤵
- Executes dropped EXE
-
\??\c:\llflxfl.exec:\llflxfl.exe55⤵
- Executes dropped EXE
-
\??\c:\604684.exec:\604684.exe56⤵
- Executes dropped EXE
-
\??\c:\264088.exec:\264088.exe57⤵
- Executes dropped EXE
-
\??\c:\vpjpj.exec:\vpjpj.exe58⤵
- Executes dropped EXE
-
\??\c:\nnbnht.exec:\nnbnht.exe59⤵
- Executes dropped EXE
-
\??\c:\4806228.exec:\4806228.exe60⤵
- Executes dropped EXE
-
\??\c:\9jdvj.exec:\9jdvj.exe61⤵
- Executes dropped EXE
-
\??\c:\xxllxxf.exec:\xxllxxf.exe62⤵
- Executes dropped EXE
-
\??\c:\44448.exec:\44448.exe63⤵
- Executes dropped EXE
-
\??\c:\xrflffr.exec:\xrflffr.exe64⤵
- Executes dropped EXE
-
\??\c:\pjvvj.exec:\pjvvj.exe65⤵
- Executes dropped EXE
-
\??\c:\nthttt.exec:\nthttt.exe66⤵
-
\??\c:\60460.exec:\60460.exe67⤵
-
\??\c:\82206.exec:\82206.exe68⤵
-
\??\c:\7fllxll.exec:\7fllxll.exe69⤵
-
\??\c:\8200846.exec:\8200846.exe70⤵
-
\??\c:\0028682.exec:\0028682.exe71⤵
-
\??\c:\042422.exec:\042422.exe72⤵
-
\??\c:\btthht.exec:\btthht.exe73⤵
-
\??\c:\20284.exec:\20284.exe74⤵
-
\??\c:\fflrlrf.exec:\fflrlrf.exe75⤵
-
\??\c:\m6408.exec:\m6408.exe76⤵
-
\??\c:\ttttnt.exec:\ttttnt.exe77⤵
-
\??\c:\flfrlrl.exec:\flfrlrl.exe78⤵
-
\??\c:\1lxrflx.exec:\1lxrflx.exe79⤵
-
\??\c:\o668220.exec:\o668220.exe80⤵
- System Location Discovery: System Language Discovery
-
\??\c:\2688468.exec:\2688468.exe81⤵
-
\??\c:\60624.exec:\60624.exe82⤵
-
\??\c:\hthbht.exec:\hthbht.exe83⤵
-
\??\c:\jjdjv.exec:\jjdjv.exe84⤵
-
\??\c:\5pppv.exec:\5pppv.exe85⤵
-
\??\c:\046888.exec:\046888.exe86⤵
-
\??\c:\820648.exec:\820648.exe87⤵
-
\??\c:\w64484.exec:\w64484.exe88⤵
-
\??\c:\3dppj.exec:\3dppj.exe89⤵
-
\??\c:\1ttbhn.exec:\1ttbhn.exe90⤵
-
\??\c:\ntntnn.exec:\ntntnn.exe91⤵
-
\??\c:\7frfrrx.exec:\7frfrrx.exe92⤵
-
\??\c:\60842.exec:\60842.exe93⤵
-
\??\c:\60446.exec:\60446.exe94⤵
-
\??\c:\642800.exec:\642800.exe95⤵
-
\??\c:\22002.exec:\22002.exe96⤵
-
\??\c:\rfxflrr.exec:\rfxflrr.exe97⤵
-
\??\c:\5vvdp.exec:\5vvdp.exe98⤵
-
\??\c:\86408.exec:\86408.exe99⤵
-
\??\c:\9rrrfxf.exec:\9rrrfxf.exe100⤵
-
\??\c:\llrrrrf.exec:\llrrrrf.exe101⤵
-
\??\c:\0024280.exec:\0024280.exe102⤵
-
\??\c:\6608460.exec:\6608460.exe103⤵
-
\??\c:\826866.exec:\826866.exe104⤵
-
\??\c:\e26206.exec:\e26206.exe105⤵
-
\??\c:\tbntth.exec:\tbntth.exe106⤵
-
\??\c:\86464.exec:\86464.exe107⤵
-
\??\c:\nnntnn.exec:\nnntnn.exe108⤵
-
\??\c:\bbbnhn.exec:\bbbnhn.exe109⤵
-
\??\c:\9pjvp.exec:\9pjvp.exe110⤵
-
\??\c:\k64022.exec:\k64022.exe111⤵
-
\??\c:\820684.exec:\820684.exe112⤵
-
\??\c:\622442.exec:\622442.exe113⤵
-
\??\c:\86808.exec:\86808.exe114⤵
-
\??\c:\1pdpd.exec:\1pdpd.exe115⤵
-
\??\c:\htthth.exec:\htthth.exe116⤵
-
\??\c:\jpvdd.exec:\jpvdd.exe117⤵
-
\??\c:\40600.exec:\40600.exe118⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe119⤵
-
\??\c:\4866840.exec:\4866840.exe120⤵
-
\??\c:\9rffrrf.exec:\9rffrrf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-