Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
19-12-2024 05:10
General
-
Target
73aaf61e78dd18a4984b2315770ce403ab95defa37049d79de21871ec7b97ef7.exe
-
Size
454KB
-
MD5
353d3c1170ee6c5ee5cf0972a414cc91
-
SHA1
91a90cff4960757f85e460bbc593dc6980ab0033
-
SHA256
73aaf61e78dd18a4984b2315770ce403ab95defa37049d79de21871ec7b97ef7
-
SHA512
6c69ca11d86995751308a28f2b2a74c875f0e1db6ae067d317de3a5f0bdcae8826e95209f292c47f37a4e0c9cc07cfdfa350bd99cc8e8e119c57f88931c30c23
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 38 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 42 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\73aaf61e78dd18a4984b2315770ce403ab95defa37049d79de21871ec7b97ef7.exe"C:\Users\Admin\AppData\Local\Temp\73aaf61e78dd18a4984b2315770ce403ab95defa37049d79de21871ec7b97ef7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xdnvht.exec:\xdnvht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\txbvtv.exec:\txbvtv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpbfxl.exec:\dpbfxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bdddntp.exec:\bdddntp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rdldv.exec:\rdldv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnntx.exec:\hhnntx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hlplxn.exec:\hlplxn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jnbdpx.exec:\jnbdpx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xnbjlt.exec:\xnbjlt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pblpvf.exec:\pblpvf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfltlj.exec:\xfltlj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\brnpblr.exec:\brnpblr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dnpnbbb.exec:\dnpnbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rvnll.exec:\rvnll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlpltd.exec:\xlpltd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bxbrpx.exec:\bxbrpx.exe17⤵
- Executes dropped EXE
-
\??\c:\hldlt.exec:\hldlt.exe18⤵
- Executes dropped EXE
-
\??\c:\rrrxhtj.exec:\rrrxhtj.exe19⤵
- Executes dropped EXE
-
\??\c:\lphvh.exec:\lphvh.exe20⤵
- Executes dropped EXE
-
\??\c:\bdvtxnt.exec:\bdvtxnt.exe21⤵
- Executes dropped EXE
-
\??\c:\xddtt.exec:\xddtt.exe22⤵
- Executes dropped EXE
-
\??\c:\lbrflf.exec:\lbrflf.exe23⤵
- Executes dropped EXE
-
\??\c:\hxvllbl.exec:\hxvllbl.exe24⤵
- Executes dropped EXE
-
\??\c:\ljhpd.exec:\ljhpd.exe25⤵
- Executes dropped EXE
-
\??\c:\jlhxtn.exec:\jlhxtn.exe26⤵
- Executes dropped EXE
-
\??\c:\tdrjr.exec:\tdrjr.exe27⤵
- Executes dropped EXE
-
\??\c:\dlxfpx.exec:\dlxfpx.exe28⤵
- Executes dropped EXE
-
\??\c:\jplvvhb.exec:\jplvvhb.exe29⤵
- Executes dropped EXE
-
\??\c:\rdvrj.exec:\rdvrj.exe30⤵
- Executes dropped EXE
-
\??\c:\hhfdhp.exec:\hhfdhp.exe31⤵
- Executes dropped EXE
-
\??\c:\fxltbd.exec:\fxltbd.exe32⤵
- Executes dropped EXE
-
\??\c:\tlftx.exec:\tlftx.exe33⤵
- Executes dropped EXE
-
\??\c:\bprbdl.exec:\bprbdl.exe34⤵
- Executes dropped EXE
-
\??\c:\tdjdv.exec:\tdjdv.exe35⤵
- Executes dropped EXE
-
\??\c:\tdbnrlh.exec:\tdbnrlh.exe36⤵
- Executes dropped EXE
-
\??\c:\vprjp.exec:\vprjp.exe37⤵
- Executes dropped EXE
-
\??\c:\ffhhppr.exec:\ffhhppr.exe38⤵
- Executes dropped EXE
-
\??\c:\hlflh.exec:\hlflh.exe39⤵
- Executes dropped EXE
-
\??\c:\lvbrrfl.exec:\lvbrrfl.exe40⤵
- Executes dropped EXE
-
\??\c:\xbltdv.exec:\xbltdv.exe41⤵
- Executes dropped EXE
-
\??\c:\bdtlrh.exec:\bdtlrh.exe42⤵
- Executes dropped EXE
-
\??\c:\rxhhrvl.exec:\rxhhrvl.exe43⤵
- Executes dropped EXE
-
\??\c:\tbbhxp.exec:\tbbhxp.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\vdrnd.exec:\vdrnd.exe45⤵
- Executes dropped EXE
-
\??\c:\xdtvfh.exec:\xdtvfh.exe46⤵
- Executes dropped EXE
-
\??\c:\rbxrld.exec:\rbxrld.exe47⤵
- Executes dropped EXE
-
\??\c:\htjjtnn.exec:\htjjtnn.exe48⤵
- Executes dropped EXE
-
\??\c:\bbplbl.exec:\bbplbl.exe49⤵
- Executes dropped EXE
-
\??\c:\dbbfpl.exec:\dbbfpl.exe50⤵
- Executes dropped EXE
-
\??\c:\fprjvt.exec:\fprjvt.exe51⤵
- Executes dropped EXE
-
\??\c:\dltthj.exec:\dltthj.exe52⤵
- Executes dropped EXE
-
\??\c:\lpxht.exec:\lpxht.exe53⤵
- Executes dropped EXE
-
\??\c:\bnvft.exec:\bnvft.exe54⤵
- Executes dropped EXE
-
\??\c:\prljldx.exec:\prljldx.exe55⤵
- Executes dropped EXE
-
\??\c:\tvplt.exec:\tvplt.exe56⤵
- Executes dropped EXE
-
\??\c:\bbdbv.exec:\bbdbv.exe57⤵
- Executes dropped EXE
-
\??\c:\ljnrh.exec:\ljnrh.exe58⤵
- Executes dropped EXE
-
\??\c:\xfhjhn.exec:\xfhjhn.exe59⤵
- Executes dropped EXE
-
\??\c:\nptdpbb.exec:\nptdpbb.exe60⤵
- Executes dropped EXE
-
\??\c:\xxvln.exec:\xxvln.exe61⤵
- Executes dropped EXE
-
\??\c:\fnjdlp.exec:\fnjdlp.exe62⤵
- Executes dropped EXE
-
\??\c:\hvfbnd.exec:\hvfbnd.exe63⤵
- Executes dropped EXE
-
\??\c:\jrbxh.exec:\jrbxh.exe64⤵
- Executes dropped EXE
-
\??\c:\jxtrttd.exec:\jxtrttd.exe65⤵
- Executes dropped EXE
-
\??\c:\brvtn.exec:\brvtn.exe66⤵
-
\??\c:\ffvdf.exec:\ffvdf.exe67⤵
-
\??\c:\ldrrjvr.exec:\ldrrjvr.exe68⤵
-
\??\c:\jnnbtj.exec:\jnnbtj.exe69⤵
-
\??\c:\rvfldjf.exec:\rvfldjf.exe70⤵
-
\??\c:\ddlxpfl.exec:\ddlxpfl.exe71⤵
-
\??\c:\tlrblfb.exec:\tlrblfb.exe72⤵
-
\??\c:\fhpprd.exec:\fhpprd.exe73⤵
-
\??\c:\ltnjrlt.exec:\ltnjrlt.exe74⤵
-
\??\c:\dhthx.exec:\dhthx.exe75⤵
-
\??\c:\lhjnb.exec:\lhjnb.exe76⤵
-
\??\c:\hdnnltx.exec:\hdnnltx.exe77⤵
-
\??\c:\nvxdtjh.exec:\nvxdtjh.exe78⤵
-
\??\c:\nfftf.exec:\nfftf.exe79⤵
-
\??\c:\xlhfrf.exec:\xlhfrf.exe80⤵
-
\??\c:\npltnv.exec:\npltnv.exe81⤵
-
\??\c:\pfpjvt.exec:\pfpjvt.exe82⤵
-
\??\c:\nxhvr.exec:\nxhvr.exe83⤵
-
\??\c:\dltpn.exec:\dltpn.exe84⤵
-
\??\c:\vjdxllp.exec:\vjdxllp.exe85⤵
-
\??\c:\nbtbffd.exec:\nbtbffd.exe86⤵
-
\??\c:\xdtdtj.exec:\xdtdtj.exe87⤵
-
\??\c:\hhfddvf.exec:\hhfddvf.exe88⤵
-
\??\c:\xjrfv.exec:\xjrfv.exe89⤵
-
\??\c:\tlrvf.exec:\tlrvf.exe90⤵
-
\??\c:\djppfdr.exec:\djppfdr.exe91⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rjpthr.exec:\rjpthr.exe92⤵
-
\??\c:\xtttvln.exec:\xtttvln.exe93⤵
-
\??\c:\frppvr.exec:\frppvr.exe94⤵
-
\??\c:\lnxbv.exec:\lnxbv.exe95⤵
-
\??\c:\rfbtvp.exec:\rfbtvp.exe96⤵
-
\??\c:\hdfhnhr.exec:\hdfhnhr.exe97⤵
-
\??\c:\bxnxhb.exec:\bxnxhb.exe98⤵
-
\??\c:\xfjtlpd.exec:\xfjtlpd.exe99⤵
-
\??\c:\llxlxj.exec:\llxlxj.exe100⤵
-
\??\c:\dbnpbl.exec:\dbnpbl.exe101⤵
-
\??\c:\prlphfb.exec:\prlphfb.exe102⤵
-
\??\c:\rppht.exec:\rppht.exe103⤵
-
\??\c:\flnjjh.exec:\flnjjh.exe104⤵
-
\??\c:\tjdjd.exec:\tjdjd.exe105⤵
-
\??\c:\dxxbp.exec:\dxxbp.exe106⤵
-
\??\c:\llbdlh.exec:\llbdlh.exe107⤵
-
\??\c:\dbpbr.exec:\dbpbr.exe108⤵
-
\??\c:\hdrxlff.exec:\hdrxlff.exe109⤵
-
\??\c:\xdrlnp.exec:\xdrlnp.exe110⤵
-
\??\c:\lnxxdll.exec:\lnxxdll.exe111⤵
-
\??\c:\drvjd.exec:\drvjd.exe112⤵
-
\??\c:\vxxhp.exec:\vxxhp.exe113⤵
-
\??\c:\htptxn.exec:\htptxn.exe114⤵
-
\??\c:\nbxhnxt.exec:\nbxhnxt.exe115⤵
-
\??\c:\ppjxbnx.exec:\ppjxbnx.exe116⤵
-
\??\c:\ttpdfxl.exec:\ttpdfxl.exe117⤵
-
\??\c:\pxlnlp.exec:\pxlnlp.exe118⤵
-
\??\c:\bldxfxf.exec:\bldxfxf.exe119⤵
-
\??\c:\prdpd.exec:\prdpd.exe120⤵
-
\??\c:\drtbbtr.exec:\drtbbtr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-