Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-12-2024 20:10
General
-
Target
1cdfb2b33ceb41e786ead2a34ebafba71c00679b6be1e7d35c96cada579c0917N.exe
-
Size
454KB
-
MD5
8f2590f52d13073458724f80ab4e4aa0
-
SHA1
081776eb25b2c1226da576343f34541d2a26bd0b
-
SHA256
1cdfb2b33ceb41e786ead2a34ebafba71c00679b6be1e7d35c96cada579c0917
-
SHA512
29e77601ee1400bd1816326ea17831d6fd5db479ff972d05936e04dbdb519b885cee58456d6e06fee67d6698d8a1edff2941fd04fa0abf5e4b1ea253374c831d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 37 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 48 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1cdfb2b33ceb41e786ead2a34ebafba71c00679b6be1e7d35c96cada579c0917N.exe"C:\Users\Admin\AppData\Local\Temp\1cdfb2b33ceb41e786ead2a34ebafba71c00679b6be1e7d35c96cada579c0917N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xffrllx.exec:\xffrllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvvv.exec:\vvvvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnthh.exec:\nbnthh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvj.exec:\pjvvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtbhn.exec:\hbtbhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tbbbh.exec:\1tbbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xxxxff.exec:\7xxxxff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nhhnb.exec:\1nhhnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxxffl.exec:\lxxxffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnttn.exec:\nhnttn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pvvj.exec:\1pvvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xlllfl.exec:\1xlllfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjpp.exec:\dvjpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrlllr.exec:\lfrlllr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhthnh.exec:\nhthnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvj.exec:\pjvvj.exe17⤵
- Executes dropped EXE
-
\??\c:\btbttt.exec:\btbttt.exe18⤵
- Executes dropped EXE
-
\??\c:\5jvvd.exec:\5jvvd.exe19⤵
- Executes dropped EXE
-
\??\c:\fxrffll.exec:\fxrffll.exe20⤵
- Executes dropped EXE
-
\??\c:\thtthb.exec:\thtthb.exe21⤵
- Executes dropped EXE
-
\??\c:\ffrrfrx.exec:\ffrrfrx.exe22⤵
- Executes dropped EXE
-
\??\c:\hbhhtb.exec:\hbhhtb.exe23⤵
- Executes dropped EXE
-
\??\c:\rxrxffx.exec:\rxrxffx.exe24⤵
- Executes dropped EXE
-
\??\c:\tnhthn.exec:\tnhthn.exe25⤵
- Executes dropped EXE
-
\??\c:\pvdjd.exec:\pvdjd.exe26⤵
- Executes dropped EXE
-
\??\c:\lxxrxxl.exec:\lxxrxxl.exe27⤵
- Executes dropped EXE
-
\??\c:\1dppv.exec:\1dppv.exe28⤵
- Executes dropped EXE
-
\??\c:\fxffflr.exec:\fxffflr.exe29⤵
- Executes dropped EXE
-
\??\c:\nbtntt.exec:\nbtntt.exe30⤵
- Executes dropped EXE
-
\??\c:\3pddp.exec:\3pddp.exe31⤵
- Executes dropped EXE
-
\??\c:\bnthbb.exec:\bnthbb.exe32⤵
- Executes dropped EXE
-
\??\c:\ddvvv.exec:\ddvvv.exe33⤵
- Executes dropped EXE
-
\??\c:\xrrxrxl.exec:\xrrxrxl.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\dddvj.exec:\dddvj.exe35⤵
- Executes dropped EXE
-
\??\c:\jvjjd.exec:\jvjjd.exe36⤵
- Executes dropped EXE
-
\??\c:\xrffllr.exec:\xrffllr.exe37⤵
- Executes dropped EXE
-
\??\c:\btnnbb.exec:\btnnbb.exe38⤵
- Executes dropped EXE
-
\??\c:\3btbhn.exec:\3btbhn.exe39⤵
- Executes dropped EXE
-
\??\c:\pddvd.exec:\pddvd.exe40⤵
- Executes dropped EXE
-
\??\c:\rffxfxx.exec:\rffxfxx.exe41⤵
- Executes dropped EXE
-
\??\c:\tnttbb.exec:\tnttbb.exe42⤵
- Executes dropped EXE
-
\??\c:\5dpdj.exec:\5dpdj.exe43⤵
- Executes dropped EXE
-
\??\c:\xffrxlx.exec:\xffrxlx.exe44⤵
- Executes dropped EXE
-
\??\c:\nhtttt.exec:\nhtttt.exe45⤵
- Executes dropped EXE
-
\??\c:\9bttnt.exec:\9bttnt.exe46⤵
- Executes dropped EXE
-
\??\c:\ffxlflf.exec:\ffxlflf.exe47⤵
- Executes dropped EXE
-
\??\c:\5rflxfl.exec:\5rflxfl.exe48⤵
- Executes dropped EXE
-
\??\c:\1hhhbh.exec:\1hhhbh.exe49⤵
- Executes dropped EXE
-
\??\c:\pjdjd.exec:\pjdjd.exe50⤵
- Executes dropped EXE
-
\??\c:\fxxxlrf.exec:\fxxxlrf.exe51⤵
- Executes dropped EXE
-
\??\c:\9tnbth.exec:\9tnbth.exe52⤵
- Executes dropped EXE
-
\??\c:\vpjvj.exec:\vpjvj.exe53⤵
- Executes dropped EXE
-
\??\c:\fxrxllx.exec:\fxrxllx.exe54⤵
- Executes dropped EXE
-
\??\c:\hnnhht.exec:\hnnhht.exe55⤵
- Executes dropped EXE
-
\??\c:\ttthtb.exec:\ttthtb.exe56⤵
- Executes dropped EXE
-
\??\c:\pjvdd.exec:\pjvdd.exe57⤵
- Executes dropped EXE
-
\??\c:\xxrlrrx.exec:\xxrlrrx.exe58⤵
- Executes dropped EXE
-
\??\c:\bntbbh.exec:\bntbbh.exe59⤵
- Executes dropped EXE
-
\??\c:\ddjjp.exec:\ddjjp.exe60⤵
- Executes dropped EXE
-
\??\c:\jjddp.exec:\jjddp.exe61⤵
- Executes dropped EXE
-
\??\c:\9lflrxl.exec:\9lflrxl.exe62⤵
- Executes dropped EXE
-
\??\c:\hhhtbh.exec:\hhhtbh.exe63⤵
- Executes dropped EXE
-
\??\c:\pvpvp.exec:\pvpvp.exe64⤵
- Executes dropped EXE
-
\??\c:\9frlrrx.exec:\9frlrrx.exe65⤵
- Executes dropped EXE
-
\??\c:\rrfllrx.exec:\rrfllrx.exe66⤵
-
\??\c:\nbnhnn.exec:\nbnhnn.exe67⤵
-
\??\c:\7ppvv.exec:\7ppvv.exe68⤵
-
\??\c:\rfxfllr.exec:\rfxfllr.exe69⤵
-
\??\c:\lfxlllr.exec:\lfxlllr.exe70⤵
-
\??\c:\hnnhth.exec:\hnnhth.exe71⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe72⤵
-
\??\c:\frllrlx.exec:\frllrlx.exe73⤵
-
\??\c:\nhnthn.exec:\nhnthn.exe74⤵
-
\??\c:\djvjd.exec:\djvjd.exe75⤵
-
\??\c:\lxlxxlr.exec:\lxlxxlr.exe76⤵
-
\??\c:\llrfrrl.exec:\llrfrrl.exe77⤵
-
\??\c:\tbbtnt.exec:\tbbtnt.exe78⤵
-
\??\c:\ppppv.exec:\ppppv.exe79⤵
-
\??\c:\btnnhh.exec:\btnnhh.exe80⤵
-
\??\c:\3nhhhn.exec:\3nhhhn.exe81⤵
-
\??\c:\jdjpd.exec:\jdjpd.exe82⤵
-
\??\c:\flfrlxf.exec:\flfrlxf.exe83⤵
-
\??\c:\lfxflrx.exec:\lfxflrx.exe84⤵
-
\??\c:\9hnnbh.exec:\9hnnbh.exe85⤵
-
\??\c:\pvpdp.exec:\pvpdp.exe86⤵
-
\??\c:\rrflflf.exec:\rrflflf.exe87⤵
-
\??\c:\7rlxrxl.exec:\7rlxrxl.exe88⤵
-
\??\c:\bttbhn.exec:\bttbhn.exe89⤵
-
\??\c:\9djjj.exec:\9djjj.exe90⤵
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe91⤵
-
\??\c:\tbbtnt.exec:\tbbtnt.exe92⤵
-
\??\c:\9ppjd.exec:\9ppjd.exe93⤵
-
\??\c:\jjvjj.exec:\jjvjj.exe94⤵
-
\??\c:\xxxlrxl.exec:\xxxlrxl.exe95⤵
-
\??\c:\ttnbnt.exec:\ttnbnt.exe96⤵
-
\??\c:\hbbbhn.exec:\hbbbhn.exe97⤵
-
\??\c:\vjjjd.exec:\vjjjd.exe98⤵
-
\??\c:\ffrlffx.exec:\ffrlffx.exe99⤵
-
\??\c:\bhthbh.exec:\bhthbh.exe100⤵
-
\??\c:\pdddj.exec:\pdddj.exe101⤵
-
\??\c:\1vppp.exec:\1vppp.exe102⤵
-
\??\c:\rxrlrff.exec:\rxrlrff.exe103⤵
-
\??\c:\btnnnn.exec:\btnnnn.exe104⤵
-
\??\c:\jdvdd.exec:\jdvdd.exe105⤵
-
\??\c:\pjpvd.exec:\pjpvd.exe106⤵
-
\??\c:\1lfxlrr.exec:\1lfxlrr.exe107⤵
-
\??\c:\nhtbbh.exec:\nhtbbh.exe108⤵
-
\??\c:\9djpd.exec:\9djpd.exe109⤵
-
\??\c:\rrlrlxl.exec:\rrlrlxl.exe110⤵
-
\??\c:\frlxffl.exec:\frlxffl.exe111⤵
-
\??\c:\tnnnbt.exec:\tnnnbt.exe112⤵
-
\??\c:\pjjdp.exec:\pjjdp.exe113⤵
-
\??\c:\lfxfffr.exec:\lfxfffr.exe114⤵
-
\??\c:\hhbbhh.exec:\hhbbhh.exe115⤵
-
\??\c:\vjppv.exec:\vjppv.exe116⤵
-
\??\c:\rflllff.exec:\rflllff.exe117⤵
-
\??\c:\9tbbnn.exec:\9tbbnn.exe118⤵
-
\??\c:\pjvpp.exec:\pjvpp.exe119⤵
-
\??\c:\rfrrffx.exec:\rfrrffx.exe120⤵
-
\??\c:\xlxxrrr.exec:\xlxxrrr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-