Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
19-12-2024 02:53
General
-
Target
bd20a5cd3986550e04c854e6d2ae4fbe9b01ef44c43137f3754e334e7296436d.exe
-
Size
454KB
-
MD5
3e6f1f7480e8571754c1c49000f1e5ae
-
SHA1
f60a52d4cf86be71fa32f1841a37dc8d61d40e89
-
SHA256
bd20a5cd3986550e04c854e6d2ae4fbe9b01ef44c43137f3754e334e7296436d
-
SHA512
ef9924a742f693577a17edd73ca64b19324ca7158d62f8be76da917298123892a8e69d6dd043b53e5a5fb9e4bd2953716026b253105c0f1153572eb86e26ac2a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 38 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 46 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd20a5cd3986550e04c854e6d2ae4fbe9b01ef44c43137f3754e334e7296436d.exe"C:\Users\Admin\AppData\Local\Temp\bd20a5cd3986550e04c854e6d2ae4fbe9b01ef44c43137f3754e334e7296436d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvjp.exec:\jdvjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttntt.exec:\bttntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhtnb.exec:\bhhtnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\48286.exec:\48286.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6084624.exec:\6084624.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04624.exec:\04624.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60406.exec:\60406.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvjp.exec:\jdvjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\820028.exec:\820028.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtnbn.exec:\bbtnbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrfxll.exec:\ffrfxll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjdp.exec:\dpjdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\826400.exec:\826400.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nbhhn.exec:\7nbhhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhttbb.exec:\nhttbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpvv.exec:\pjpvv.exe17⤵
- Executes dropped EXE
-
\??\c:\nhbbbb.exec:\nhbbbb.exe18⤵
- Executes dropped EXE
-
\??\c:\q04066.exec:\q04066.exe19⤵
- Executes dropped EXE
-
\??\c:\080626.exec:\080626.exe20⤵
- Executes dropped EXE
-
\??\c:\g6406.exec:\g6406.exe21⤵
- Executes dropped EXE
-
\??\c:\28808.exec:\28808.exe22⤵
- Executes dropped EXE
-
\??\c:\9rffllx.exec:\9rffllx.exe23⤵
- Executes dropped EXE
-
\??\c:\a2646.exec:\a2646.exe24⤵
- Executes dropped EXE
-
\??\c:\204400.exec:\204400.exe25⤵
- Executes dropped EXE
-
\??\c:\rlfrxfx.exec:\rlfrxfx.exe26⤵
- Executes dropped EXE
-
\??\c:\jjjpj.exec:\jjjpj.exe27⤵
- Executes dropped EXE
-
\??\c:\bbhttb.exec:\bbhttb.exe28⤵
- Executes dropped EXE
-
\??\c:\2024002.exec:\2024002.exe29⤵
- Executes dropped EXE
-
\??\c:\lrlrxll.exec:\lrlrxll.exe30⤵
- Executes dropped EXE
-
\??\c:\nhbthn.exec:\nhbthn.exe31⤵
- Executes dropped EXE
-
\??\c:\826806.exec:\826806.exe32⤵
- Executes dropped EXE
-
\??\c:\1jpvd.exec:\1jpvd.exe33⤵
- Executes dropped EXE
-
\??\c:\pjvdp.exec:\pjvdp.exe34⤵
- Executes dropped EXE
-
\??\c:\nhbntt.exec:\nhbntt.exe35⤵
- Executes dropped EXE
-
\??\c:\9lfrfxl.exec:\9lfrfxl.exe36⤵
- Executes dropped EXE
-
\??\c:\9bnhnt.exec:\9bnhnt.exe37⤵
- Executes dropped EXE
-
\??\c:\llfrflr.exec:\llfrflr.exe38⤵
- Executes dropped EXE
-
\??\c:\lfflxfr.exec:\lfflxfr.exe39⤵
- Executes dropped EXE
-
\??\c:\nnhtnb.exec:\nnhtnb.exe40⤵
- Executes dropped EXE
-
\??\c:\vpddd.exec:\vpddd.exe41⤵
- Executes dropped EXE
-
\??\c:\5thbbb.exec:\5thbbb.exe42⤵
- Executes dropped EXE
-
\??\c:\o268024.exec:\o268024.exe43⤵
- Executes dropped EXE
-
\??\c:\m6062.exec:\m6062.exe44⤵
- Executes dropped EXE
-
\??\c:\ppjpj.exec:\ppjpj.exe45⤵
- Executes dropped EXE
-
\??\c:\82024.exec:\82024.exe46⤵
- Executes dropped EXE
-
\??\c:\264640.exec:\264640.exe47⤵
- Executes dropped EXE
-
\??\c:\rrffrrx.exec:\rrffrrx.exe48⤵
- Executes dropped EXE
-
\??\c:\820686.exec:\820686.exe49⤵
- Executes dropped EXE
-
\??\c:\44666.exec:\44666.exe50⤵
- Executes dropped EXE
-
\??\c:\q82428.exec:\q82428.exe51⤵
- Executes dropped EXE
-
\??\c:\rrflfll.exec:\rrflfll.exe52⤵
- Executes dropped EXE
-
\??\c:\424444.exec:\424444.exe53⤵
- Executes dropped EXE
-
\??\c:\hbtnnn.exec:\hbtnnn.exe54⤵
- Executes dropped EXE
-
\??\c:\g2046.exec:\g2046.exe55⤵
- Executes dropped EXE
-
\??\c:\w46620.exec:\w46620.exe56⤵
- Executes dropped EXE
-
\??\c:\048640.exec:\048640.exe57⤵
- Executes dropped EXE
-
\??\c:\066200.exec:\066200.exe58⤵
- Executes dropped EXE
-
\??\c:\7bnnnt.exec:\7bnnnt.exe59⤵
- Executes dropped EXE
-
\??\c:\202848.exec:\202848.exe60⤵
- Executes dropped EXE
-
\??\c:\8200280.exec:\8200280.exe61⤵
- Executes dropped EXE
-
\??\c:\rfrlrrf.exec:\rfrlrrf.exe62⤵
- Executes dropped EXE
-
\??\c:\ffrxflf.exec:\ffrxflf.exe63⤵
- Executes dropped EXE
-
\??\c:\8688002.exec:\8688002.exe64⤵
- Executes dropped EXE
-
\??\c:\246426.exec:\246426.exe65⤵
- Executes dropped EXE
-
\??\c:\tnhnhn.exec:\tnhnhn.exe66⤵
-
\??\c:\pdvdp.exec:\pdvdp.exe67⤵
-
\??\c:\2062844.exec:\2062844.exe68⤵
- System Location Discovery: System Language Discovery
-
\??\c:\fxlxffl.exec:\fxlxffl.exe69⤵
-
\??\c:\llfrxxr.exec:\llfrxxr.exe70⤵
-
\??\c:\2608064.exec:\2608064.exe71⤵
-
\??\c:\448062.exec:\448062.exe72⤵
-
\??\c:\5lxflrx.exec:\5lxflrx.exe73⤵
-
\??\c:\6664800.exec:\6664800.exe74⤵
-
\??\c:\826200.exec:\826200.exe75⤵
-
\??\c:\o828024.exec:\o828024.exe76⤵
-
\??\c:\5rrxxfr.exec:\5rrxxfr.exe77⤵
-
\??\c:\0800240.exec:\0800240.exe78⤵
-
\??\c:\vpjvd.exec:\vpjvd.exe79⤵
-
\??\c:\60802.exec:\60802.exe80⤵
-
\??\c:\3jdpv.exec:\3jdpv.exe81⤵
-
\??\c:\208206.exec:\208206.exe82⤵
-
\??\c:\0828608.exec:\0828608.exe83⤵
-
\??\c:\lfxrflx.exec:\lfxrflx.exe84⤵
-
\??\c:\jjdpd.exec:\jjdpd.exe85⤵
-
\??\c:\826624.exec:\826624.exe86⤵
-
\??\c:\4824002.exec:\4824002.exe87⤵
-
\??\c:\vvppj.exec:\vvppj.exe88⤵
-
\??\c:\g6468.exec:\g6468.exe89⤵
-
\??\c:\tbttnn.exec:\tbttnn.exe90⤵
-
\??\c:\btbbnn.exec:\btbbnn.exe91⤵
-
\??\c:\268002.exec:\268002.exe92⤵
-
\??\c:\a6682.exec:\a6682.exe93⤵
-
\??\c:\04402.exec:\04402.exe94⤵
-
\??\c:\xrrrxfx.exec:\xrrrxfx.exe95⤵
-
\??\c:\bbnthh.exec:\bbnthh.exe96⤵
-
\??\c:\0486426.exec:\0486426.exe97⤵
-
\??\c:\4802886.exec:\4802886.exe98⤵
-
\??\c:\6080224.exec:\6080224.exe99⤵
-
\??\c:\k68002.exec:\k68002.exe100⤵
-
\??\c:\jjpdp.exec:\jjpdp.exe101⤵
-
\??\c:\0044064.exec:\0044064.exe102⤵
-
\??\c:\rlffrxl.exec:\rlffrxl.exe103⤵
-
\??\c:\40662.exec:\40662.exe104⤵
-
\??\c:\44242.exec:\44242.exe105⤵
-
\??\c:\264624.exec:\264624.exe106⤵
-
\??\c:\fxrxlrl.exec:\fxrxlrl.exe107⤵
-
\??\c:\m2680.exec:\m2680.exe108⤵
-
\??\c:\a6068.exec:\a6068.exe109⤵
-
\??\c:\bthhnn.exec:\bthhnn.exe110⤵
-
\??\c:\btnntb.exec:\btnntb.exe111⤵
-
\??\c:\5bttbh.exec:\5bttbh.exe112⤵
-
\??\c:\404040.exec:\404040.exe113⤵
-
\??\c:\bhhbtn.exec:\bhhbtn.exe114⤵
-
\??\c:\bhnhbh.exec:\bhnhbh.exe115⤵
-
\??\c:\4204664.exec:\4204664.exe116⤵
-
\??\c:\48280.exec:\48280.exe117⤵
-
\??\c:\7pppd.exec:\7pppd.exe118⤵
-
\??\c:\rrllllx.exec:\rrllllx.exe119⤵
-
\??\c:\g0846.exec:\g0846.exe120⤵
-
\??\c:\tbtbhh.exec:\tbtbhh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-