Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-12-2024 00:35
General
-
Target
68a954c1260e890a6273a024662bbbfaa37844925d1bfd3bbc2eff1c39abbde8.exe
-
Size
71KB
-
MD5
f6f566f622dda5972b3864d8606fe126
-
SHA1
3163e2f4edf8459faa50494c6804ba3062cf147f
-
SHA256
68a954c1260e890a6273a024662bbbfaa37844925d1bfd3bbc2eff1c39abbde8
-
SHA512
56ba0e453b16a78da75b6321717d2969a3be79b28aa69099e65d15ce6a011415da3d3f3d91e1a989d216f3117861dcafd6a49b4eed7f4ddfcad63b15bc1c2c57
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6Mu/ePS3A8N:ymb3NkkiQ3mdBjFI46TQ8N
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\68a954c1260e890a6273a024662bbbfaa37844925d1bfd3bbc2eff1c39abbde8.exe"C:\Users\Admin\AppData\Local\Temp\68a954c1260e890a6273a024662bbbfaa37844925d1bfd3bbc2eff1c39abbde8.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjjv.exec:\vpjjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvdv.exec:\pjvdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhthtb.exec:\hhthtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhttn.exec:\hhhttn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxrxxl.exec:\ffxrxxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtbnn.exec:\bbtbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppdj.exec:\vppdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffllxxl.exec:\ffllxxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhnb.exec:\tnbhnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbnhb.exec:\htbnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvd.exec:\pjdvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrflrf.exec:\xxrflrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nntthb.exec:\nntthb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bbnbh.exec:\7bbnbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdvp.exec:\jjdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvdp.exec:\pjvdp.exe17⤵
- Executes dropped EXE
-
\??\c:\llrflxx.exec:\llrflxx.exe18⤵
- Executes dropped EXE
-
\??\c:\bhbnnn.exec:\bhbnnn.exe19⤵
- Executes dropped EXE
-
\??\c:\ppjpd.exec:\ppjpd.exe20⤵
- Executes dropped EXE
-
\??\c:\jdvjv.exec:\jdvjv.exe21⤵
- Executes dropped EXE
-
\??\c:\lllrflf.exec:\lllrflf.exe22⤵
- Executes dropped EXE
-
\??\c:\nnnbhn.exec:\nnnbhn.exe23⤵
- Executes dropped EXE
-
\??\c:\1nbbht.exec:\1nbbht.exe24⤵
- Executes dropped EXE
-
\??\c:\ddpvj.exec:\ddpvj.exe25⤵
- Executes dropped EXE
-
\??\c:\ffflxrf.exec:\ffflxrf.exe26⤵
- Executes dropped EXE
-
\??\c:\llflxlr.exec:\llflxlr.exe27⤵
- Executes dropped EXE
-
\??\c:\nhbbnn.exec:\nhbbnn.exe28⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe29⤵
- Executes dropped EXE
-
\??\c:\rrrxrrf.exec:\rrrxrrf.exe30⤵
- Executes dropped EXE
-
\??\c:\xxlfrrx.exec:\xxlfrrx.exe31⤵
- Executes dropped EXE
-
\??\c:\bbnthn.exec:\bbnthn.exe32⤵
- Executes dropped EXE
-
\??\c:\3vvjj.exec:\3vvjj.exe33⤵
- Executes dropped EXE
-
\??\c:\5pjvv.exec:\5pjvv.exe34⤵
- Executes dropped EXE
-
\??\c:\xlffrrx.exec:\xlffrrx.exe35⤵
- Executes dropped EXE
-
\??\c:\7fxfffl.exec:\7fxfffl.exe36⤵
- Executes dropped EXE
-
\??\c:\hbnhbh.exec:\hbnhbh.exe37⤵
- Executes dropped EXE
-
\??\c:\pdpdj.exec:\pdpdj.exe38⤵
- Executes dropped EXE
-
\??\c:\5jjjv.exec:\5jjjv.exe39⤵
- Executes dropped EXE
-
\??\c:\3xfrflr.exec:\3xfrflr.exe40⤵
- Executes dropped EXE
-
\??\c:\fxrxffr.exec:\fxrxffr.exe41⤵
- Executes dropped EXE
-
\??\c:\nhhhnh.exec:\nhhhnh.exe42⤵
- Executes dropped EXE
-
\??\c:\bbbntb.exec:\bbbntb.exe43⤵
- Executes dropped EXE
-
\??\c:\pdvjp.exec:\pdvjp.exe44⤵
- Executes dropped EXE
-
\??\c:\xfrlrxx.exec:\xfrlrxx.exe45⤵
- Executes dropped EXE
-
\??\c:\xxfxrxl.exec:\xxfxrxl.exe46⤵
- Executes dropped EXE
-
\??\c:\7thnhn.exec:\7thnhn.exe47⤵
- Executes dropped EXE
-
\??\c:\nnbnth.exec:\nnbnth.exe48⤵
- Executes dropped EXE
-
\??\c:\jjvjp.exec:\jjvjp.exe49⤵
- Executes dropped EXE
-
\??\c:\5fxfrlf.exec:\5fxfrlf.exe50⤵
- Executes dropped EXE
-
\??\c:\xlxfxxf.exec:\xlxfxxf.exe51⤵
- Executes dropped EXE
-
\??\c:\tnbhnt.exec:\tnbhnt.exe52⤵
- Executes dropped EXE
-
\??\c:\tntthb.exec:\tntthb.exe53⤵
- Executes dropped EXE
-
\??\c:\7vjdj.exec:\7vjdj.exe54⤵
- Executes dropped EXE
-
\??\c:\llflrfr.exec:\llflrfr.exe55⤵
- Executes dropped EXE
-
\??\c:\7lfrflx.exec:\7lfrflx.exe56⤵
- Executes dropped EXE
-
\??\c:\3bbhbt.exec:\3bbhbt.exe57⤵
- Executes dropped EXE
-
\??\c:\btnntn.exec:\btnntn.exe58⤵
- Executes dropped EXE
-
\??\c:\1vvpv.exec:\1vvpv.exe59⤵
- Executes dropped EXE
-
\??\c:\dvppv.exec:\dvppv.exe60⤵
- Executes dropped EXE
-
\??\c:\lrxffff.exec:\lrxffff.exe61⤵
- Executes dropped EXE
-
\??\c:\3nnbnh.exec:\3nnbnh.exe62⤵
- Executes dropped EXE
-
\??\c:\nhttbb.exec:\nhttbb.exe63⤵
- Executes dropped EXE
-
\??\c:\ddppj.exec:\ddppj.exe64⤵
- Executes dropped EXE
-
\??\c:\vvvdj.exec:\vvvdj.exe65⤵
- Executes dropped EXE
-
\??\c:\7lfflxf.exec:\7lfflxf.exe66⤵
-
\??\c:\5bhhbn.exec:\5bhhbn.exe67⤵
-
\??\c:\tthtbb.exec:\tthtbb.exe68⤵
-
\??\c:\ppddj.exec:\ppddj.exe69⤵
-
\??\c:\dvvdj.exec:\dvvdj.exe70⤵
-
\??\c:\xxrfxfl.exec:\xxrfxfl.exe71⤵
-
\??\c:\lxxflrr.exec:\lxxflrr.exe72⤵
-
\??\c:\3nbhhn.exec:\3nbhhn.exe73⤵
-
\??\c:\thhhtn.exec:\thhhtn.exe74⤵
-
\??\c:\vdjjp.exec:\vdjjp.exe75⤵
-
\??\c:\7ppjj.exec:\7ppjj.exe76⤵
-
\??\c:\1fxlrxr.exec:\1fxlrxr.exe77⤵
-
\??\c:\xxxrfxx.exec:\xxxrfxx.exe78⤵
-
\??\c:\tnbbhh.exec:\tnbbhh.exe79⤵
-
\??\c:\3pjvj.exec:\3pjvj.exe80⤵
-
\??\c:\ppddv.exec:\ppddv.exe81⤵
-
\??\c:\5rxflrl.exec:\5rxflrl.exe82⤵
-
\??\c:\llflxlx.exec:\llflxlx.exe83⤵
-
\??\c:\ntnhnb.exec:\ntnhnb.exe84⤵
-
\??\c:\bttbhn.exec:\bttbhn.exe85⤵
-
\??\c:\ddpvv.exec:\ddpvv.exe86⤵
-
\??\c:\7djpv.exec:\7djpv.exe87⤵
-
\??\c:\ffxflxf.exec:\ffxflxf.exe88⤵
-
\??\c:\7lrfrrf.exec:\7lrfrrf.exe89⤵
-
\??\c:\hbntht.exec:\hbntht.exe90⤵
-
\??\c:\nhtbht.exec:\nhtbht.exe91⤵
-
\??\c:\1vdvd.exec:\1vdvd.exe92⤵
-
\??\c:\rlfrxlr.exec:\rlfrxlr.exe93⤵
-
\??\c:\rrflrfr.exec:\rrflrfr.exe94⤵
-
\??\c:\nnhbtb.exec:\nnhbtb.exe95⤵
-
\??\c:\hhbhbb.exec:\hhbhbb.exe96⤵
-
\??\c:\jdpvj.exec:\jdpvj.exe97⤵
-
\??\c:\3vpjv.exec:\3vpjv.exe98⤵
-
\??\c:\rlfllrl.exec:\rlfllrl.exe99⤵
-
\??\c:\7thntb.exec:\7thntb.exe100⤵
-
\??\c:\btbbnt.exec:\btbbnt.exe101⤵
-
\??\c:\1jdpd.exec:\1jdpd.exe102⤵
-
\??\c:\vvpvv.exec:\vvpvv.exe103⤵
-
\??\c:\xrlxlrx.exec:\xrlxlrx.exe104⤵
-
\??\c:\xrlrxlx.exec:\xrlrxlx.exe105⤵
-
\??\c:\hththt.exec:\hththt.exe106⤵
-
\??\c:\ffrlxlr.exec:\ffrlxlr.exe107⤵
-
\??\c:\ttntbh.exec:\ttntbh.exe108⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nhnntt.exec:\nhnntt.exe109⤵
-
\??\c:\1ddjv.exec:\1ddjv.exe110⤵
-
\??\c:\rrllxfl.exec:\rrllxfl.exe111⤵
-
\??\c:\xrlxrrx.exec:\xrlxrrx.exe112⤵
-
\??\c:\ntbbbt.exec:\ntbbbt.exe113⤵
-
\??\c:\tnbnnt.exec:\tnbnnt.exe114⤵
-
\??\c:\9dddp.exec:\9dddp.exe115⤵
-
\??\c:\jjjdj.exec:\jjjdj.exe116⤵
-
\??\c:\rrlflxf.exec:\rrlflxf.exe117⤵
-
\??\c:\rrxfxxl.exec:\rrxfxxl.exe118⤵
-
\??\c:\7tnnbb.exec:\7tnnbb.exe119⤵
-
\??\c:\nnnbbb.exec:\nnnbbb.exe120⤵
-
\??\c:\1btbbn.exec:\1btbbn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-