Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
19-12-2024 01:00
General
-
Target
a03e31161177fad3e588ed064a4d90fc8a3ba57cb78f92d54ff28db3f5f45f78.exe
-
Size
454KB
-
MD5
bf8dd92f65db3a8656792528570d83c3
-
SHA1
9e3e7fcad8132949cf40be9335f45250efc02374
-
SHA256
a03e31161177fad3e588ed064a4d90fc8a3ba57cb78f92d54ff28db3f5f45f78
-
SHA512
558bd9edc52c79d8625f131248d0a14328296ad0d7aeb314c8faa364d27608e9ae909de1766a548d0de5a79a5d27f82d6ed81cc838800e325f4772418a002ab2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 41 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 42 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a03e31161177fad3e588ed064a4d90fc8a3ba57cb78f92d54ff28db3f5f45f78.exe"C:\Users\Admin\AppData\Local\Temp\a03e31161177fad3e588ed064a4d90fc8a3ba57cb78f92d54ff28db3f5f45f78.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\thtbtb.exec:\thtbtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jvjp.exec:\3jvjp.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjdd.exec:\dpjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrxlll.exec:\xlrxlll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnntt.exec:\tnnntt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llflxlx.exec:\llflxlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfflxf.exec:\lxfflxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvppd.exec:\pvppd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxfxfl.exec:\rfxfxfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntnnbh.exec:\ntnnbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rrxlfx.exec:\3rrxlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnttbh.exec:\hnttbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpdd.exec:\jjpdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntthhn.exec:\ntthhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5htbhh.exec:\5htbhh.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\lxflrff.exec:\lxflrff.exe17⤵
- Executes dropped EXE
-
\??\c:\jpddj.exec:\jpddj.exe18⤵
- Executes dropped EXE
-
\??\c:\rrflxlx.exec:\rrflxlx.exe19⤵
- Executes dropped EXE
-
\??\c:\nnttnt.exec:\nnttnt.exe20⤵
- Executes dropped EXE
-
\??\c:\rrlfxlr.exec:\rrlfxlr.exe21⤵
- Executes dropped EXE
-
\??\c:\9llrflx.exec:\9llrflx.exe22⤵
- Executes dropped EXE
-
\??\c:\pdppd.exec:\pdppd.exe23⤵
- Executes dropped EXE
-
\??\c:\xrrrlxl.exec:\xrrrlxl.exe24⤵
- Executes dropped EXE
-
\??\c:\hhtbnb.exec:\hhtbnb.exe25⤵
- Executes dropped EXE
-
\??\c:\xlxfxlx.exec:\xlxfxlx.exe26⤵
- Executes dropped EXE
-
\??\c:\hhhbth.exec:\hhhbth.exe27⤵
- Executes dropped EXE
-
\??\c:\tnhhtb.exec:\tnhhtb.exe28⤵
- Executes dropped EXE
-
\??\c:\5dvdd.exec:\5dvdd.exe29⤵
- Executes dropped EXE
-
\??\c:\flxxlxl.exec:\flxxlxl.exe30⤵
- Executes dropped EXE
-
\??\c:\vvdvd.exec:\vvdvd.exe31⤵
- Executes dropped EXE
-
\??\c:\jdddv.exec:\jdddv.exe32⤵
- Executes dropped EXE
-
\??\c:\tbtntb.exec:\tbtntb.exe33⤵
- Executes dropped EXE
-
\??\c:\dppvd.exec:\dppvd.exe34⤵
- Executes dropped EXE
-
\??\c:\1fxlrxl.exec:\1fxlrxl.exe35⤵
- Executes dropped EXE
-
\??\c:\flxxfrx.exec:\flxxfrx.exe36⤵
- Executes dropped EXE
-
\??\c:\tnnbbt.exec:\tnnbbt.exe37⤵
- Executes dropped EXE
-
\??\c:\ppvjv.exec:\ppvjv.exe38⤵
- Executes dropped EXE
-
\??\c:\xxffllr.exec:\xxffllr.exe39⤵
- Executes dropped EXE
-
\??\c:\5llfflr.exec:\5llfflr.exe40⤵
- Executes dropped EXE
-
\??\c:\ntnntb.exec:\ntnntb.exe41⤵
- Executes dropped EXE
-
\??\c:\jvdjv.exec:\jvdjv.exe42⤵
- Executes dropped EXE
-
\??\c:\ddjjp.exec:\ddjjp.exe43⤵
- Executes dropped EXE
-
\??\c:\lxfxxxf.exec:\lxfxxxf.exe44⤵
- Executes dropped EXE
-
\??\c:\3tntbt.exec:\3tntbt.exe45⤵
- Executes dropped EXE
-
\??\c:\ddddp.exec:\ddddp.exe46⤵
- Executes dropped EXE
-
\??\c:\pjvjv.exec:\pjvjv.exe47⤵
- Executes dropped EXE
-
\??\c:\3frlrxr.exec:\3frlrxr.exe48⤵
- Executes dropped EXE
-
\??\c:\ntbbhb.exec:\ntbbhb.exe49⤵
- Executes dropped EXE
-
\??\c:\hhntbt.exec:\hhntbt.exe50⤵
- Executes dropped EXE
-
\??\c:\vvddp.exec:\vvddp.exe51⤵
- Executes dropped EXE
-
\??\c:\9rffllr.exec:\9rffllr.exe52⤵
- Executes dropped EXE
-
\??\c:\xflrxxf.exec:\xflrxxf.exe53⤵
- Executes dropped EXE
-
\??\c:\nnbbbh.exec:\nnbbbh.exe54⤵
- Executes dropped EXE
-
\??\c:\ppddp.exec:\ppddp.exe55⤵
- Executes dropped EXE
-
\??\c:\rrxxfll.exec:\rrxxfll.exe56⤵
- Executes dropped EXE
-
\??\c:\rfxxrxx.exec:\rfxxrxx.exe57⤵
- Executes dropped EXE
-
\??\c:\nbntbn.exec:\nbntbn.exe58⤵
- Executes dropped EXE
-
\??\c:\jjppv.exec:\jjppv.exe59⤵
- Executes dropped EXE
-
\??\c:\jpdjj.exec:\jpdjj.exe60⤵
- Executes dropped EXE
-
\??\c:\flflrxf.exec:\flflrxf.exe61⤵
- Executes dropped EXE
-
\??\c:\bbnnnt.exec:\bbnnnt.exe62⤵
- Executes dropped EXE
-
\??\c:\hhhbhn.exec:\hhhbhn.exe63⤵
- Executes dropped EXE
-
\??\c:\3dpvj.exec:\3dpvj.exe64⤵
- Executes dropped EXE
-
\??\c:\7rffllx.exec:\7rffllx.exe65⤵
- Executes dropped EXE
-
\??\c:\5xlrxxl.exec:\5xlrxxl.exe66⤵
-
\??\c:\hntthn.exec:\hntthn.exe67⤵
-
\??\c:\pppvj.exec:\pppvj.exe68⤵
-
\??\c:\jvjpv.exec:\jvjpv.exe69⤵
-
\??\c:\7xlrrxl.exec:\7xlrrxl.exe70⤵
-
\??\c:\ntbhtt.exec:\ntbhtt.exe71⤵
-
\??\c:\3pjvj.exec:\3pjvj.exe72⤵
-
\??\c:\ffrrrrf.exec:\ffrrrrf.exe73⤵
-
\??\c:\7btnbb.exec:\7btnbb.exe74⤵
-
\??\c:\llrxflr.exec:\llrxflr.exe75⤵
-
\??\c:\5nhhth.exec:\5nhhth.exe76⤵
-
\??\c:\nntthh.exec:\nntthh.exe77⤵
-
\??\c:\7dddd.exec:\7dddd.exe78⤵
-
\??\c:\5xffffr.exec:\5xffffr.exe79⤵
-
\??\c:\ppjvd.exec:\ppjvd.exe80⤵
-
\??\c:\lrffllr.exec:\lrffllr.exe81⤵
-
\??\c:\tthnnt.exec:\tthnnt.exe82⤵
-
\??\c:\xfllrxf.exec:\xfllrxf.exe83⤵
-
\??\c:\rrlrxxx.exec:\rrlrxxx.exe84⤵
-
\??\c:\bbhnbh.exec:\bbhnbh.exe85⤵
-
\??\c:\ppvdj.exec:\ppvdj.exe86⤵
-
\??\c:\3dpdj.exec:\3dpdj.exe87⤵
-
\??\c:\vvjjv.exec:\vvjjv.exe88⤵
-
\??\c:\lllxlxl.exec:\lllxlxl.exe89⤵
-
\??\c:\nnhbnt.exec:\nnhbnt.exe90⤵
-
\??\c:\1jvdj.exec:\1jvdj.exe91⤵
-
\??\c:\xxrfrfr.exec:\xxrfrfr.exe92⤵
-
\??\c:\hbhthn.exec:\hbhthn.exe93⤵
-
\??\c:\ppdpv.exec:\ppdpv.exe94⤵
-
\??\c:\rlxrxlx.exec:\rlxrxlx.exe95⤵
-
\??\c:\ttbthn.exec:\ttbthn.exe96⤵
-
\??\c:\vdjdd.exec:\vdjdd.exe97⤵
-
\??\c:\9xxlrfl.exec:\9xxlrfl.exe98⤵
-
\??\c:\tbttth.exec:\tbttth.exe99⤵
-
\??\c:\djjjd.exec:\djjjd.exe100⤵
-
\??\c:\rfrrxfl.exec:\rfrrxfl.exe101⤵
-
\??\c:\nbnbbb.exec:\nbnbbb.exe102⤵
-
\??\c:\ttnhbn.exec:\ttnhbn.exe103⤵
-
\??\c:\ddppv.exec:\ddppv.exe104⤵
-
\??\c:\ffrxllf.exec:\ffrxllf.exe105⤵
-
\??\c:\ttthbb.exec:\ttthbb.exe106⤵
-
\??\c:\ddpjd.exec:\ddpjd.exe107⤵
-
\??\c:\jjppd.exec:\jjppd.exe108⤵
-
\??\c:\rrxlxfr.exec:\rrxlxfr.exe109⤵
-
\??\c:\bhbhtb.exec:\bhbhtb.exe110⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe111⤵
-
\??\c:\flrfllx.exec:\flrfllx.exe112⤵
-
\??\c:\tntbnn.exec:\tntbnn.exe113⤵
-
\??\c:\ddddv.exec:\ddddv.exe114⤵
-
\??\c:\3ppjj.exec:\3ppjj.exe115⤵
-
\??\c:\fxflflx.exec:\fxflflx.exe116⤵
-
\??\c:\ntnnbh.exec:\ntnnbh.exe117⤵
-
\??\c:\ppjpv.exec:\ppjpv.exe118⤵
-
\??\c:\lrxfffl.exec:\lrxfffl.exe119⤵
-
\??\c:\xlxllrf.exec:\xlxllrf.exe120⤵
-
\??\c:\7btthn.exec:\7btthn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-