Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20-12-2024 04:07
General
-
Target
e0829a2c00d58c231653c30380fa62623e86c0f1464932a100594b1f0beaa886N.exe
-
Size
454KB
-
MD5
421d2a75a6ac51faa655fd916c253000
-
SHA1
6eb113e876829cb66fe8ef582ccebdaa7b7b3417
-
SHA256
e0829a2c00d58c231653c30380fa62623e86c0f1464932a100594b1f0beaa886
-
SHA512
df16774ff525b54c59650510dbb7fb2c0dfd2739d6047535625a0b8b2b8e2bbd7d76376aa05d767ca15c95b932f16796d6552e05615f42858988ff263b50cb7a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 42 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 45 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0829a2c00d58c231653c30380fa62623e86c0f1464932a100594b1f0beaa886N.exe"C:\Users\Admin\AppData\Local\Temp\e0829a2c00d58c231653c30380fa62623e86c0f1464932a100594b1f0beaa886N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjjp.exec:\pjjjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbbbt.exec:\nnbbbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfrlrf.exec:\xrfrlrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtbhn.exec:\nhtbhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfxfxl.exec:\rxfxfxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fflxfrl.exec:\fflxfrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jdjp.exec:\3jdjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfrlrr.exec:\rlfrlrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3dvdp.exec:\3dvdp.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\lffrflr.exec:\lffrflr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbhn.exec:\btnbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdvpd.exec:\vdvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbtbnt.exec:\tbtbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtbnb.exec:\bbtbnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvdp.exec:\vvvdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntnnh.exec:\tntnnh.exe17⤵
- Executes dropped EXE
-
\??\c:\dddjv.exec:\dddjv.exe18⤵
- Executes dropped EXE
-
\??\c:\hbbnbh.exec:\hbbnbh.exe19⤵
- Executes dropped EXE
-
\??\c:\fflflfx.exec:\fflflfx.exe20⤵
- Executes dropped EXE
-
\??\c:\bbbtbh.exec:\bbbtbh.exe21⤵
- Executes dropped EXE
-
\??\c:\pppjd.exec:\pppjd.exe22⤵
- Executes dropped EXE
-
\??\c:\xxrfrxl.exec:\xxrfrxl.exe23⤵
- Executes dropped EXE
-
\??\c:\dvpjp.exec:\dvpjp.exe24⤵
- Executes dropped EXE
-
\??\c:\dvppv.exec:\dvppv.exe25⤵
- Executes dropped EXE
-
\??\c:\tnbhtb.exec:\tnbhtb.exe26⤵
- Executes dropped EXE
-
\??\c:\dvpdj.exec:\dvpdj.exe27⤵
- Executes dropped EXE
-
\??\c:\hbbhtb.exec:\hbbhtb.exe28⤵
- Executes dropped EXE
-
\??\c:\pjjvp.exec:\pjjvp.exe29⤵
- Executes dropped EXE
-
\??\c:\hhttbn.exec:\hhttbn.exe30⤵
- Executes dropped EXE
-
\??\c:\dddpj.exec:\dddpj.exe31⤵
- Executes dropped EXE
-
\??\c:\llxlfrl.exec:\llxlfrl.exe32⤵
- Executes dropped EXE
-
\??\c:\5bntnt.exec:\5bntnt.exe33⤵
- Executes dropped EXE
-
\??\c:\lflllfr.exec:\lflllfr.exe34⤵
- Executes dropped EXE
-
\??\c:\nhbtnt.exec:\nhbtnt.exe35⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe36⤵
- Executes dropped EXE
-
\??\c:\xxrfrxf.exec:\xxrfrxf.exe37⤵
- Executes dropped EXE
-
\??\c:\thtnbb.exec:\thtnbb.exe38⤵
- Executes dropped EXE
-
\??\c:\5jddp.exec:\5jddp.exe39⤵
- Executes dropped EXE
-
\??\c:\flfxlxl.exec:\flfxlxl.exe40⤵
- Executes dropped EXE
-
\??\c:\btttbb.exec:\btttbb.exe41⤵
- Executes dropped EXE
-
\??\c:\jdvjp.exec:\jdvjp.exe42⤵
- Executes dropped EXE
-
\??\c:\ddddj.exec:\ddddj.exe43⤵
- Executes dropped EXE
-
\??\c:\ffflrfr.exec:\ffflrfr.exe44⤵
- Executes dropped EXE
-
\??\c:\btbhtn.exec:\btbhtn.exe45⤵
- Executes dropped EXE
-
\??\c:\5ddpj.exec:\5ddpj.exe46⤵
- Executes dropped EXE
-
\??\c:\llxlxfl.exec:\llxlxfl.exe47⤵
- Executes dropped EXE
-
\??\c:\ttttbn.exec:\ttttbn.exe48⤵
- Executes dropped EXE
-
\??\c:\nhbntb.exec:\nhbntb.exe49⤵
- Executes dropped EXE
-
\??\c:\dddvv.exec:\dddvv.exe50⤵
- Executes dropped EXE
-
\??\c:\ffrfxxf.exec:\ffrfxxf.exe51⤵
- Executes dropped EXE
-
\??\c:\5nbhnt.exec:\5nbhnt.exe52⤵
- Executes dropped EXE
-
\??\c:\5djdp.exec:\5djdp.exe53⤵
- Executes dropped EXE
-
\??\c:\xrlrlrl.exec:\xrlrlrl.exe54⤵
- Executes dropped EXE
-
\??\c:\tnhhth.exec:\tnhhth.exe55⤵
- Executes dropped EXE
-
\??\c:\vpjpv.exec:\vpjpv.exe56⤵
- Executes dropped EXE
-
\??\c:\fffxflf.exec:\fffxflf.exe57⤵
- Executes dropped EXE
-
\??\c:\xxlxlrf.exec:\xxlxlrf.exe58⤵
- Executes dropped EXE
-
\??\c:\1nhnht.exec:\1nhnht.exe59⤵
- Executes dropped EXE
-
\??\c:\1vppd.exec:\1vppd.exe60⤵
- Executes dropped EXE
-
\??\c:\fllxxff.exec:\fllxxff.exe61⤵
- Executes dropped EXE
-
\??\c:\3nbbbh.exec:\3nbbbh.exe62⤵
- Executes dropped EXE
-
\??\c:\dvjpp.exec:\dvjpp.exe63⤵
- Executes dropped EXE
-
\??\c:\xrflrxl.exec:\xrflrxl.exe64⤵
- Executes dropped EXE
-
\??\c:\nhhnbh.exec:\nhhnbh.exe65⤵
- Executes dropped EXE
-
\??\c:\3vjvj.exec:\3vjvj.exe66⤵
-
\??\c:\pdvvd.exec:\pdvvd.exe67⤵
-
\??\c:\llrxffx.exec:\llrxffx.exe68⤵
-
\??\c:\tnbntt.exec:\tnbntt.exe69⤵
-
\??\c:\jpvjv.exec:\jpvjv.exe70⤵
-
\??\c:\llrfxxl.exec:\llrfxxl.exe71⤵
-
\??\c:\1hhnbn.exec:\1hhnbn.exe72⤵
-
\??\c:\bbnbhh.exec:\bbnbhh.exe73⤵
-
\??\c:\1ddjv.exec:\1ddjv.exe74⤵
-
\??\c:\lfllrxf.exec:\lfllrxf.exe75⤵
-
\??\c:\tnbbnn.exec:\tnbbnn.exe76⤵
-
\??\c:\jjppp.exec:\jjppp.exe77⤵
-
\??\c:\xrffrrx.exec:\xrffrrx.exe78⤵
-
\??\c:\xrrxfff.exec:\xrrxfff.exe79⤵
-
\??\c:\hbtbtb.exec:\hbtbtb.exe80⤵
-
\??\c:\7pdpv.exec:\7pdpv.exe81⤵
-
\??\c:\fxllxfr.exec:\fxllxfr.exe82⤵
-
\??\c:\lxlfffl.exec:\lxlfffl.exe83⤵
-
\??\c:\tntnnt.exec:\tntnnt.exe84⤵
-
\??\c:\vjjpj.exec:\vjjpj.exe85⤵
-
\??\c:\pdddd.exec:\pdddd.exe86⤵
-
\??\c:\rflxxxf.exec:\rflxxxf.exe87⤵
-
\??\c:\ttttnb.exec:\ttttnb.exe88⤵
-
\??\c:\ppjpd.exec:\ppjpd.exe89⤵
-
\??\c:\xlxxrxl.exec:\xlxxrxl.exe90⤵
-
\??\c:\nntntt.exec:\nntntt.exe91⤵
-
\??\c:\dvpvv.exec:\dvpvv.exe92⤵
-
\??\c:\lflrrfx.exec:\lflrrfx.exe93⤵
-
\??\c:\nhtbnn.exec:\nhtbnn.exe94⤵
-
\??\c:\hbhhnb.exec:\hbhhnb.exe95⤵
-
\??\c:\dvvjp.exec:\dvvjp.exe96⤵
-
\??\c:\ffxlflf.exec:\ffxlflf.exe97⤵
-
\??\c:\xxxrrrx.exec:\xxxrrrx.exe98⤵
-
\??\c:\nhhbtt.exec:\nhhbtt.exe99⤵
-
\??\c:\pjdpj.exec:\pjdpj.exe100⤵
-
\??\c:\5lfrrrx.exec:\5lfrrrx.exe101⤵
-
\??\c:\7fxfrxx.exec:\7fxfrxx.exe102⤵
-
\??\c:\bbnbnt.exec:\bbnbnt.exe103⤵
-
\??\c:\3ppdv.exec:\3ppdv.exe104⤵
-
\??\c:\rlflrxl.exec:\rlflrxl.exe105⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nttbnb.exec:\nttbnb.exe106⤵
-
\??\c:\1ttbnn.exec:\1ttbnn.exe107⤵
-
\??\c:\pjdvd.exec:\pjdvd.exe108⤵
-
\??\c:\llllxlr.exec:\llllxlr.exe109⤵
-
\??\c:\nhhtnb.exec:\nhhtnb.exe110⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe111⤵
-
\??\c:\fxrxfll.exec:\fxrxfll.exe112⤵
-
\??\c:\jjpvv.exec:\jjpvv.exe113⤵
-
\??\c:\fllrllx.exec:\fllrllx.exe114⤵
-
\??\c:\9hbhbh.exec:\9hbhbh.exe115⤵
-
\??\c:\pdddp.exec:\pdddp.exe116⤵
-
\??\c:\lfflxll.exec:\lfflxll.exe117⤵
-
\??\c:\btnnnt.exec:\btnnnt.exe118⤵
-
\??\c:\jjvdj.exec:\jjvdj.exe119⤵
-
\??\c:\pvjdp.exec:\pvjdp.exe120⤵
-
\??\c:\5rrxflx.exec:\5rrxflx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-