Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
19-12-2024 02:42
General
-
Target
ba36e7c1629787156004b83faab397024927a6dd2d89ee1d7c8759bda5c7f34e.exe
-
Size
454KB
-
MD5
4b57c9766eecfcef559a26ba4b838d26
-
SHA1
5beac97aa545e79ce68ff3a5be2ed09edea83bf3
-
SHA256
ba36e7c1629787156004b83faab397024927a6dd2d89ee1d7c8759bda5c7f34e
-
SHA512
7378de75809f458fbe5676ea3a0d9ee689b18cc3c58fb50a55e99cb44d96a5cb80e0be003708b6db35985b9db6725e4cea79500a22ab12f93da2e186831318ef
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeToA:q7Tc2NYHUrAwfMp3CDcA
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 39 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 43 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba36e7c1629787156004b83faab397024927a6dd2d89ee1d7c8759bda5c7f34e.exe"C:\Users\Admin\AppData\Local\Temp\ba36e7c1629787156004b83faab397024927a6dd2d89ee1d7c8759bda5c7f34e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrrffl.exec:\xxrrffl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbthb.exec:\bbbthb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\486240.exec:\486240.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\424466.exec:\424466.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfllxf.exec:\xrfllxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04662.exec:\04662.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nbhnh.exec:\3nbhnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrxflx.exec:\fxrxflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrxxxf.exec:\xxrxxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2084626.exec:\2084626.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rlrxfr.exec:\5rlrxfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i640680.exec:\i640680.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrlxll.exec:\flrlxll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1flrlxf.exec:\1flrlxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6468884.exec:\6468884.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8228068.exec:\8228068.exe17⤵
- Executes dropped EXE
-
\??\c:\480000.exec:\480000.exe18⤵
- Executes dropped EXE
-
\??\c:\q86200.exec:\q86200.exe19⤵
- Executes dropped EXE
-
\??\c:\tnhntb.exec:\tnhntb.exe20⤵
- Executes dropped EXE
-
\??\c:\vpjvd.exec:\vpjvd.exe21⤵
- Executes dropped EXE
-
\??\c:\60846.exec:\60846.exe22⤵
- Executes dropped EXE
-
\??\c:\608644.exec:\608644.exe23⤵
- Executes dropped EXE
-
\??\c:\a8662.exec:\a8662.exe24⤵
- Executes dropped EXE
-
\??\c:\dddjv.exec:\dddjv.exe25⤵
- Executes dropped EXE
-
\??\c:\604028.exec:\604028.exe26⤵
- Executes dropped EXE
-
\??\c:\dvpdp.exec:\dvpdp.exe27⤵
- Executes dropped EXE
-
\??\c:\0488068.exec:\0488068.exe28⤵
- Executes dropped EXE
-
\??\c:\3rrxflf.exec:\3rrxflf.exe29⤵
- Executes dropped EXE
-
\??\c:\o800224.exec:\o800224.exe30⤵
- Executes dropped EXE
-
\??\c:\824022.exec:\824022.exe31⤵
- Executes dropped EXE
-
\??\c:\8244662.exec:\8244662.exe32⤵
- Executes dropped EXE
-
\??\c:\e62866.exec:\e62866.exe33⤵
- Executes dropped EXE
-
\??\c:\w02462.exec:\w02462.exe34⤵
- Executes dropped EXE
-
\??\c:\rlllrfr.exec:\rlllrfr.exe35⤵
- Executes dropped EXE
-
\??\c:\48668.exec:\48668.exe36⤵
- Executes dropped EXE
-
\??\c:\ppjpp.exec:\ppjpp.exe37⤵
- Executes dropped EXE
-
\??\c:\xrrxlxl.exec:\xrrxlxl.exe38⤵
- Executes dropped EXE
-
\??\c:\4606028.exec:\4606028.exe39⤵
- Executes dropped EXE
-
\??\c:\608028.exec:\608028.exe40⤵
- Executes dropped EXE
-
\??\c:\482866.exec:\482866.exe41⤵
- Executes dropped EXE
-
\??\c:\020660.exec:\020660.exe42⤵
- Executes dropped EXE
-
\??\c:\7thnnn.exec:\7thnnn.exe43⤵
- Executes dropped EXE
-
\??\c:\424444.exec:\424444.exe44⤵
- Executes dropped EXE
-
\??\c:\8266068.exec:\8266068.exe45⤵
- Executes dropped EXE
-
\??\c:\3djjp.exec:\3djjp.exe46⤵
- Executes dropped EXE
-
\??\c:\nhbbhh.exec:\nhbbhh.exe47⤵
- Executes dropped EXE
-
\??\c:\1bhnnn.exec:\1bhnnn.exe48⤵
- Executes dropped EXE
-
\??\c:\rrlrlll.exec:\rrlrlll.exe49⤵
- Executes dropped EXE
-
\??\c:\thbbnh.exec:\thbbnh.exe50⤵
- Executes dropped EXE
-
\??\c:\8646286.exec:\8646286.exe51⤵
- Executes dropped EXE
-
\??\c:\thtthh.exec:\thtthh.exe52⤵
- Executes dropped EXE
-
\??\c:\20628.exec:\20628.exe53⤵
- Executes dropped EXE
-
\??\c:\k04448.exec:\k04448.exe54⤵
- Executes dropped EXE
-
\??\c:\m6408.exec:\m6408.exe55⤵
- Executes dropped EXE
-
\??\c:\820288.exec:\820288.exe56⤵
- Executes dropped EXE
-
\??\c:\0844000.exec:\0844000.exe57⤵
- Executes dropped EXE
-
\??\c:\llxlrll.exec:\llxlrll.exe58⤵
- Executes dropped EXE
-
\??\c:\c828620.exec:\c828620.exe59⤵
- Executes dropped EXE
-
\??\c:\fxllxfl.exec:\fxllxfl.exe60⤵
- Executes dropped EXE
-
\??\c:\000488.exec:\000488.exe61⤵
- Executes dropped EXE
-
\??\c:\608426.exec:\608426.exe62⤵
- Executes dropped EXE
-
\??\c:\vpddj.exec:\vpddj.exe63⤵
- Executes dropped EXE
-
\??\c:\dpddp.exec:\dpddp.exe64⤵
- Executes dropped EXE
-
\??\c:\nhbhnn.exec:\nhbhnn.exe65⤵
- Executes dropped EXE
-
\??\c:\pdddv.exec:\pdddv.exe66⤵
-
\??\c:\604022.exec:\604022.exe67⤵
-
\??\c:\vjjpd.exec:\vjjpd.exe68⤵
-
\??\c:\c084628.exec:\c084628.exe69⤵
-
\??\c:\dvjpd.exec:\dvjpd.exe70⤵
-
\??\c:\608466.exec:\608466.exe71⤵
-
\??\c:\rlfrflx.exec:\rlfrflx.exe72⤵
-
\??\c:\jjvdj.exec:\jjvdj.exe73⤵
-
\??\c:\g8868.exec:\g8868.exe74⤵
-
\??\c:\xlfrlrx.exec:\xlfrlrx.exe75⤵
-
\??\c:\7jppv.exec:\7jppv.exe76⤵
-
\??\c:\3bnthn.exec:\3bnthn.exe77⤵
-
\??\c:\868462.exec:\868462.exe78⤵
-
\??\c:\4866286.exec:\4866286.exe79⤵
-
\??\c:\i866268.exec:\i866268.exe80⤵
-
\??\c:\68602.exec:\68602.exe81⤵
-
\??\c:\24482.exec:\24482.exe82⤵
-
\??\c:\a8666.exec:\a8666.exe83⤵
-
\??\c:\jjdpj.exec:\jjdpj.exe84⤵
-
\??\c:\vvjvp.exec:\vvjvp.exe85⤵
-
\??\c:\4828406.exec:\4828406.exe86⤵
-
\??\c:\fxlrflr.exec:\fxlrflr.exe87⤵
-
\??\c:\860284.exec:\860284.exe88⤵
-
\??\c:\60802.exec:\60802.exe89⤵
-
\??\c:\dpdjv.exec:\dpdjv.exe90⤵
-
\??\c:\080026.exec:\080026.exe91⤵
-
\??\c:\24040.exec:\24040.exe92⤵
-
\??\c:\6428068.exec:\6428068.exe93⤵
-
\??\c:\46482.exec:\46482.exe94⤵
-
\??\c:\thhhtb.exec:\thhhtb.exe95⤵
-
\??\c:\684822.exec:\684822.exe96⤵
-
\??\c:\s2228.exec:\s2228.exe97⤵
-
\??\c:\vjvvd.exec:\vjvvd.exe98⤵
-
\??\c:\2646840.exec:\2646840.exe99⤵
-
\??\c:\u644006.exec:\u644006.exe100⤵
-
\??\c:\llllxfl.exec:\llllxfl.exe101⤵
-
\??\c:\a2222.exec:\a2222.exe102⤵
-
\??\c:\7xrlrfl.exec:\7xrlrfl.exe103⤵
-
\??\c:\s2820.exec:\s2820.exe104⤵
-
\??\c:\dvpvd.exec:\dvpvd.exe105⤵
-
\??\c:\6408466.exec:\6408466.exe106⤵
- System Location Discovery: System Language Discovery
-
\??\c:\tnbhnn.exec:\tnbhnn.exe107⤵
-
\??\c:\7jddp.exec:\7jddp.exe108⤵
-
\??\c:\04846.exec:\04846.exe109⤵
-
\??\c:\m0246.exec:\m0246.exe110⤵
-
\??\c:\q28882.exec:\q28882.exe111⤵
-
\??\c:\c644062.exec:\c644062.exe112⤵
-
\??\c:\e20022.exec:\e20022.exe113⤵
-
\??\c:\vjvvp.exec:\vjvvp.exe114⤵
-
\??\c:\486206.exec:\486206.exe115⤵
-
\??\c:\hbbntt.exec:\hbbntt.exe116⤵
-
\??\c:\nhnbhb.exec:\nhnbhb.exe117⤵
-
\??\c:\lxfxxrr.exec:\lxfxxrr.exe118⤵
-
\??\c:\3lrrrxl.exec:\3lrrrxl.exe119⤵
-
\??\c:\02002.exec:\02002.exe120⤵
-
\??\c:\86266.exec:\86266.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-