Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-12-2024 05:14
General
-
Target
db6a16c461a445cf3bdb6f049ba820f7165d05accf48fb51381f615393abeafc.exe
-
Size
67KB
-
MD5
dc1da99ec8ddc07b09536060c824760c
-
SHA1
c279ac114ae52732f48f24ceaa04e385c4487c9b
-
SHA256
db6a16c461a445cf3bdb6f049ba820f7165d05accf48fb51381f615393abeafc
-
SHA512
21a9935477f132441a6438a471dc359266149539dff893512b76b024d1977cc6410eeec69a96765f2ca67294f73e952d213f2fd523ae8d1b78483507539c6427
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxe7:ymb3NkkiQ3mdBjF0y7kbU7
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\db6a16c461a445cf3bdb6f049ba820f7165d05accf48fb51381f615393abeafc.exe"C:\Users\Admin\AppData\Local\Temp\db6a16c461a445cf3bdb6f049ba820f7165d05accf48fb51381f615393abeafc.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\llfrflx.exec:\llfrflx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppv.exec:\vpppv.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\ntnnht.exec:\ntnnht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nbnhb.exec:\7nbnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrlxfl.exec:\lrrlxfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxflll.exec:\lfxflll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjdj.exec:\vvjdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xflrxl.exec:\5xflrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9btbnt.exec:\9btbnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbbhh.exec:\nbbbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpddd.exec:\jpddd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rxxlrl.exec:\5rxxlrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbbht.exec:\bbbbht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhthnb.exec:\hhthnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vjdd.exec:\9vjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxxlrf.exec:\xxxxlrf.exe17⤵
- Executes dropped EXE
-
\??\c:\nntbbh.exec:\nntbbh.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ddddp.exec:\ddddp.exe19⤵
- Executes dropped EXE
-
\??\c:\djjpj.exec:\djjpj.exe20⤵
- Executes dropped EXE
-
\??\c:\3lrxlxf.exec:\3lrxlxf.exe21⤵
- Executes dropped EXE
-
\??\c:\hhthtb.exec:\hhthtb.exe22⤵
- Executes dropped EXE
-
\??\c:\jjdpp.exec:\jjdpp.exe23⤵
- Executes dropped EXE
-
\??\c:\lfrxllx.exec:\lfrxllx.exe24⤵
- Executes dropped EXE
-
\??\c:\rrrfrrl.exec:\rrrfrrl.exe25⤵
- Executes dropped EXE
-
\??\c:\hhhhht.exec:\hhhhht.exe26⤵
- Executes dropped EXE
-
\??\c:\hhthth.exec:\hhthth.exe27⤵
- Executes dropped EXE
-
\??\c:\3xflxlf.exec:\3xflxlf.exe28⤵
- Executes dropped EXE
-
\??\c:\bhtnhb.exec:\bhtnhb.exe29⤵
- Executes dropped EXE
-
\??\c:\7hbhhn.exec:\7hbhhn.exe30⤵
- Executes dropped EXE
-
\??\c:\ttttbn.exec:\ttttbn.exe31⤵
- Executes dropped EXE
-
\??\c:\jdvjp.exec:\jdvjp.exe32⤵
- Executes dropped EXE
-
\??\c:\rrxllrl.exec:\rrxllrl.exe33⤵
- Executes dropped EXE
-
\??\c:\lrxrlxr.exec:\lrxrlxr.exe34⤵
- Executes dropped EXE
-
\??\c:\hthnhn.exec:\hthnhn.exe35⤵
- Executes dropped EXE
-
\??\c:\pdpjv.exec:\pdpjv.exe36⤵
- Executes dropped EXE
-
\??\c:\7jpdp.exec:\7jpdp.exe37⤵
- Executes dropped EXE
-
\??\c:\7xfrxrl.exec:\7xfrxrl.exe38⤵
- Executes dropped EXE
-
\??\c:\xllrffx.exec:\xllrffx.exe39⤵
- Executes dropped EXE
-
\??\c:\nnbtbn.exec:\nnbtbn.exe40⤵
- Executes dropped EXE
-
\??\c:\ddppj.exec:\ddppj.exe41⤵
- Executes dropped EXE
-
\??\c:\dpvpv.exec:\dpvpv.exe42⤵
- Executes dropped EXE
-
\??\c:\xxxlrfr.exec:\xxxlrfr.exe43⤵
- Executes dropped EXE
-
\??\c:\xfrlfrx.exec:\xfrlfrx.exe44⤵
- Executes dropped EXE
-
\??\c:\tbbhhn.exec:\tbbhhn.exe45⤵
- Executes dropped EXE
-
\??\c:\tttnbn.exec:\tttnbn.exe46⤵
- Executes dropped EXE
-
\??\c:\ppjdv.exec:\ppjdv.exe47⤵
- Executes dropped EXE
-
\??\c:\ddpdv.exec:\ddpdv.exe48⤵
- Executes dropped EXE
-
\??\c:\xlfxxlx.exec:\xlfxxlx.exe49⤵
- Executes dropped EXE
-
\??\c:\nnhnnb.exec:\nnhnnb.exe50⤵
- Executes dropped EXE
-
\??\c:\jjdpj.exec:\jjdpj.exe51⤵
- Executes dropped EXE
-
\??\c:\ppvjj.exec:\ppvjj.exe52⤵
- Executes dropped EXE
-
\??\c:\flrxlxl.exec:\flrxlxl.exe53⤵
- Executes dropped EXE
-
\??\c:\lflxxrf.exec:\lflxxrf.exe54⤵
- Executes dropped EXE
-
\??\c:\7hbbtb.exec:\7hbbtb.exe55⤵
- Executes dropped EXE
-
\??\c:\bhthbn.exec:\bhthbn.exe56⤵
- Executes dropped EXE
-
\??\c:\5vjpj.exec:\5vjpj.exe57⤵
- Executes dropped EXE
-
\??\c:\djddp.exec:\djddp.exe58⤵
- Executes dropped EXE
-
\??\c:\rrrllrf.exec:\rrrllrf.exe59⤵
- Executes dropped EXE
-
\??\c:\llrlrxx.exec:\llrlrxx.exe60⤵
- Executes dropped EXE
-
\??\c:\tthnbn.exec:\tthnbn.exe61⤵
- Executes dropped EXE
-
\??\c:\9jvdp.exec:\9jvdp.exe62⤵
- Executes dropped EXE
-
\??\c:\vpjvp.exec:\vpjvp.exe63⤵
- Executes dropped EXE
-
\??\c:\lrxrrrr.exec:\lrxrrrr.exe64⤵
- Executes dropped EXE
-
\??\c:\3flxfrr.exec:\3flxfrr.exe65⤵
- Executes dropped EXE
-
\??\c:\ttnnhn.exec:\ttnnhn.exe66⤵
-
\??\c:\tnnbnb.exec:\tnnbnb.exe67⤵
-
\??\c:\3pvvd.exec:\3pvvd.exe68⤵
-
\??\c:\vvpdj.exec:\vvpdj.exe69⤵
-
\??\c:\frffxxr.exec:\frffxxr.exe70⤵
-
\??\c:\tththt.exec:\tththt.exe71⤵
-
\??\c:\bbbttb.exec:\bbbttb.exe72⤵
-
\??\c:\dddpd.exec:\dddpd.exe73⤵
-
\??\c:\vpddp.exec:\vpddp.exe74⤵
-
\??\c:\rrlrlxr.exec:\rrlrlxr.exe75⤵
-
\??\c:\nhhnbh.exec:\nhhnbh.exe76⤵
-
\??\c:\bnbnth.exec:\bnbnth.exe77⤵
-
\??\c:\pvpjd.exec:\pvpjd.exe78⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe79⤵
-
\??\c:\rlxrxxr.exec:\rlxrxxr.exe80⤵
- System Location Discovery: System Language Discovery
-
\??\c:\1rlxrfr.exec:\1rlxrfr.exe81⤵
-
\??\c:\nnhntt.exec:\nnhntt.exe82⤵
-
\??\c:\bhbtbn.exec:\bhbtbn.exe83⤵
-
\??\c:\3jddj.exec:\3jddj.exe84⤵
-
\??\c:\9fflxfr.exec:\9fflxfr.exe85⤵
-
\??\c:\xrfffrx.exec:\xrfffrx.exe86⤵
-
\??\c:\1nnbnt.exec:\1nnbnt.exe87⤵
-
\??\c:\ttbnbh.exec:\ttbnbh.exe88⤵
-
\??\c:\1vvjd.exec:\1vvjd.exe89⤵
-
\??\c:\5ddjj.exec:\5ddjj.exe90⤵
-
\??\c:\3xxlfrx.exec:\3xxlfrx.exe91⤵
-
\??\c:\xrxfrxx.exec:\xrxfrxx.exe92⤵
-
\??\c:\7nhbnb.exec:\7nhbnb.exe93⤵
-
\??\c:\ntnbtt.exec:\ntnbtt.exe94⤵
-
\??\c:\jvjjd.exec:\jvjjd.exe95⤵
-
\??\c:\vdvvd.exec:\vdvvd.exe96⤵
-
\??\c:\xxxffrf.exec:\xxxffrf.exe97⤵
-
\??\c:\fffxrrf.exec:\fffxrrf.exe98⤵
-
\??\c:\tbnhtn.exec:\tbnhtn.exe99⤵
-
\??\c:\nhhnbn.exec:\nhhnbn.exe100⤵
-
\??\c:\ddddj.exec:\ddddj.exe101⤵
-
\??\c:\rlfxllf.exec:\rlfxllf.exe102⤵
-
\??\c:\rfllrxf.exec:\rfllrxf.exe103⤵
-
\??\c:\bhtnhb.exec:\bhtnhb.exe104⤵
-
\??\c:\9tbhht.exec:\9tbhht.exe105⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe106⤵
-
\??\c:\dvjvp.exec:\dvjvp.exe107⤵
-
\??\c:\7xxlllx.exec:\7xxlllx.exe108⤵
-
\??\c:\fxflfrf.exec:\fxflfrf.exe109⤵
-
\??\c:\ttnhnb.exec:\ttnhnb.exe110⤵
-
\??\c:\httbnn.exec:\httbnn.exe111⤵
-
\??\c:\jdvjp.exec:\jdvjp.exe112⤵
-
\??\c:\pdpdd.exec:\pdpdd.exe113⤵
-
\??\c:\lrxrfxx.exec:\lrxrfxx.exe114⤵
-
\??\c:\frlrxlr.exec:\frlrxlr.exe115⤵
-
\??\c:\bthnbt.exec:\bthnbt.exe116⤵
-
\??\c:\bhthbn.exec:\bhthbn.exe117⤵
-
\??\c:\ddjpp.exec:\ddjpp.exe118⤵
-
\??\c:\jjdjj.exec:\jjdjj.exe119⤵
-
\??\c:\3flxlxl.exec:\3flxlxl.exe120⤵
-
\??\c:\fxrxlxl.exec:\fxrxlxl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-