Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
20-12-2024 03:01
General
-
Target
874dff840b18a7be75b75f9cb07abe86bafb1661173102186ac7842bec414e85.exe
-
Size
93KB
-
MD5
789612a58fd4b8deaca1dcd85daa895d
-
SHA1
2c227d9ad452da6a3e763e2ab15908f9bf545031
-
SHA256
874dff840b18a7be75b75f9cb07abe86bafb1661173102186ac7842bec414e85
-
SHA512
888e6de09c4f9ea6e52829ddc20ef6a2530386820e4613cbe377217a004e6ca3ba3818a5b1aaac1ccbbb5f994eb32720e85d1c35cf3a9cb8da92bbede1951a79
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73t6MlYqn+jMp99zx/A0UtgK:ymb3NkkiQ3mdBjFo73tvn+Yp99zDut
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\874dff840b18a7be75b75f9cb07abe86bafb1661173102186ac7842bec414e85.exe"C:\Users\Admin\AppData\Local\Temp\874dff840b18a7be75b75f9cb07abe86bafb1661173102186ac7842bec414e85.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnntt.exec:\nhnntt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvjj.exec:\ddvjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflxxlx.exec:\rflxxlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvdd.exec:\pjvdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\248240.exec:\248240.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\684462.exec:\684462.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfffrlr.exec:\xfffrlr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnhnh.exec:\nhnhnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvddj.exec:\jvddj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\86484.exec:\86484.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9frfrrr.exec:\9frfrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\46802.exec:\46802.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6200824.exec:\6200824.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7thtbh.exec:\7thtbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\024026.exec:\024026.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u288488.exec:\u288488.exe17⤵
- Executes dropped EXE
-
\??\c:\ddpjj.exec:\ddpjj.exe18⤵
- Executes dropped EXE
-
\??\c:\xrffllr.exec:\xrffllr.exe19⤵
- Executes dropped EXE
-
\??\c:\08462.exec:\08462.exe20⤵
- Executes dropped EXE
-
\??\c:\dvjjj.exec:\dvjjj.exe21⤵
- Executes dropped EXE
-
\??\c:\9rxxxfr.exec:\9rxxxfr.exe22⤵
- Executes dropped EXE
-
\??\c:\284022.exec:\284022.exe23⤵
- Executes dropped EXE
-
\??\c:\fxfllxr.exec:\fxfllxr.exe24⤵
- Executes dropped EXE
-
\??\c:\tbbhhb.exec:\tbbhhb.exe25⤵
- Executes dropped EXE
-
\??\c:\xfffflf.exec:\xfffflf.exe26⤵
- Executes dropped EXE
-
\??\c:\428864.exec:\428864.exe27⤵
- Executes dropped EXE
-
\??\c:\pdjjj.exec:\pdjjj.exe28⤵
- Executes dropped EXE
-
\??\c:\hbhhhb.exec:\hbhhhb.exe29⤵
- Executes dropped EXE
-
\??\c:\0844006.exec:\0844006.exe30⤵
- Executes dropped EXE
-
\??\c:\628466.exec:\628466.exe31⤵
- Executes dropped EXE
-
\??\c:\20042.exec:\20042.exe32⤵
- Executes dropped EXE
-
\??\c:\9tbttn.exec:\9tbttn.exe33⤵
- Executes dropped EXE
-
\??\c:\42464.exec:\42464.exe34⤵
- Executes dropped EXE
-
\??\c:\08822.exec:\08822.exe35⤵
- Executes dropped EXE
-
\??\c:\9bhbbb.exec:\9bhbbb.exe36⤵
- Executes dropped EXE
-
\??\c:\6844006.exec:\6844006.exe37⤵
- Executes dropped EXE
-
\??\c:\q84626.exec:\q84626.exe38⤵
- Executes dropped EXE
-
\??\c:\xrxrlfl.exec:\xrxrlfl.exe39⤵
- Executes dropped EXE
-
\??\c:\dpddj.exec:\dpddj.exe40⤵
- Executes dropped EXE
-
\??\c:\62824.exec:\62824.exe41⤵
- Executes dropped EXE
-
\??\c:\2208680.exec:\2208680.exe42⤵
- Executes dropped EXE
-
\??\c:\jvddd.exec:\jvddd.exe43⤵
- Executes dropped EXE
-
\??\c:\nbnhtn.exec:\nbnhtn.exe44⤵
- Executes dropped EXE
-
\??\c:\4282660.exec:\4282660.exe45⤵
- Executes dropped EXE
-
\??\c:\8404242.exec:\8404242.exe46⤵
- Executes dropped EXE
-
\??\c:\08646.exec:\08646.exe47⤵
- Executes dropped EXE
-
\??\c:\7frxxlr.exec:\7frxxlr.exe48⤵
- Executes dropped EXE
-
\??\c:\82680.exec:\82680.exe49⤵
- Executes dropped EXE
-
\??\c:\bnbbnh.exec:\bnbbnh.exe50⤵
- Executes dropped EXE
-
\??\c:\htbttt.exec:\htbttt.exe51⤵
- Executes dropped EXE
-
\??\c:\2622228.exec:\2622228.exe52⤵
- Executes dropped EXE
-
\??\c:\frxxlrr.exec:\frxxlrr.exe53⤵
- Executes dropped EXE
-
\??\c:\hthnhh.exec:\hthnhh.exe54⤵
- Executes dropped EXE
-
\??\c:\vvvpj.exec:\vvvpj.exe55⤵
- Executes dropped EXE
-
\??\c:\nhbhnb.exec:\nhbhnb.exe56⤵
- Executes dropped EXE
-
\??\c:\m0402.exec:\m0402.exe57⤵
- Executes dropped EXE
-
\??\c:\60286.exec:\60286.exe58⤵
- Executes dropped EXE
-
\??\c:\rffflxx.exec:\rffflxx.exe59⤵
- Executes dropped EXE
-
\??\c:\080608.exec:\080608.exe60⤵
- Executes dropped EXE
-
\??\c:\xflxxlf.exec:\xflxxlf.exe61⤵
- Executes dropped EXE
-
\??\c:\7jdjd.exec:\7jdjd.exe62⤵
- Executes dropped EXE
-
\??\c:\20628.exec:\20628.exe63⤵
- Executes dropped EXE
-
\??\c:\btnntb.exec:\btnntb.exe64⤵
- Executes dropped EXE
-
\??\c:\00886.exec:\00886.exe65⤵
- Executes dropped EXE
-
\??\c:\pjvjp.exec:\pjvjp.exe66⤵
-
\??\c:\4688000.exec:\4688000.exe67⤵
-
\??\c:\m6062.exec:\m6062.exe68⤵
-
\??\c:\hbtnnh.exec:\hbtnnh.exe69⤵
-
\??\c:\nhtnbb.exec:\nhtnbb.exe70⤵
-
\??\c:\0424628.exec:\0424628.exe71⤵
-
\??\c:\bbttbn.exec:\bbttbn.exe72⤵
-
\??\c:\s0246.exec:\s0246.exe73⤵
- System Location Discovery: System Language Discovery
-
\??\c:\6062446.exec:\6062446.exe74⤵
-
\??\c:\084060.exec:\084060.exe75⤵
-
\??\c:\2262446.exec:\2262446.exe76⤵
-
\??\c:\68064.exec:\68064.exe77⤵
-
\??\c:\ppdpv.exec:\ppdpv.exe78⤵
-
\??\c:\nnthbn.exec:\nnthbn.exe79⤵
-
\??\c:\vpddd.exec:\vpddd.exe80⤵
-
\??\c:\8660080.exec:\8660080.exe81⤵
-
\??\c:\0420246.exec:\0420246.exe82⤵
-
\??\c:\60842.exec:\60842.exe83⤵
-
\??\c:\088882.exec:\088882.exe84⤵
-
\??\c:\tbttbn.exec:\tbttbn.exe85⤵
-
\??\c:\6660600.exec:\6660600.exe86⤵
-
\??\c:\3frflfx.exec:\3frflfx.exe87⤵
-
\??\c:\3lxxllf.exec:\3lxxllf.exe88⤵
-
\??\c:\w42866.exec:\w42866.exe89⤵
-
\??\c:\vpdpd.exec:\vpdpd.exe90⤵
-
\??\c:\w64088.exec:\w64088.exe91⤵
-
\??\c:\8684668.exec:\8684668.exe92⤵
-
\??\c:\m4224.exec:\m4224.exe93⤵
-
\??\c:\ddpjd.exec:\ddpjd.exe94⤵
-
\??\c:\608044.exec:\608044.exe95⤵
-
\??\c:\084606.exec:\084606.exe96⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe97⤵
-
\??\c:\48240.exec:\48240.exe98⤵
-
\??\c:\046644.exec:\046644.exe99⤵
-
\??\c:\0800262.exec:\0800262.exe100⤵
-
\??\c:\60802.exec:\60802.exe101⤵
-
\??\c:\frffllr.exec:\frffllr.exe102⤵
-
\??\c:\djpjj.exec:\djpjj.exe103⤵
-
\??\c:\dpvdv.exec:\dpvdv.exe104⤵
-
\??\c:\02002.exec:\02002.exe105⤵
-
\??\c:\ntthnn.exec:\ntthnn.exe106⤵
-
\??\c:\tntbhb.exec:\tntbhb.exe107⤵
-
\??\c:\s8222.exec:\s8222.exe108⤵
-
\??\c:\208866.exec:\208866.exe109⤵
-
\??\c:\004640.exec:\004640.exe110⤵
-
\??\c:\frxfffl.exec:\frxfffl.exe111⤵
-
\??\c:\hhbbnt.exec:\hhbbnt.exe112⤵
-
\??\c:\80600.exec:\80600.exe113⤵
-
\??\c:\flxrxxx.exec:\flxrxxx.exe114⤵
-
\??\c:\2688628.exec:\2688628.exe115⤵
-
\??\c:\08806.exec:\08806.exe116⤵
-
\??\c:\4682888.exec:\4682888.exe117⤵
-
\??\c:\42222.exec:\42222.exe118⤵
-
\??\c:\82024.exec:\82024.exe119⤵
-
\??\c:\thtntb.exec:\thtntb.exe120⤵
-
\??\c:\hhbbtb.exec:\hhbbtb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-