Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
20-12-2024 05:15
General
-
Target
edf178def828a4835bcaadc5dd4006c6502f770c0948c5c22f2bf1eb35a5077bN.exe
-
Size
70KB
-
MD5
c1b30d8ffe3c0b578b19e19e5a677690
-
SHA1
0c9474d6b65b9fbe09d999abc03638cf876d558f
-
SHA256
edf178def828a4835bcaadc5dd4006c6502f770c0948c5c22f2bf1eb35a5077b
-
SHA512
979ea833491cb1d3d6f3436af3469eb7614191af345bc5a5edf930896f73a5934739191ec6a85efe3d5cdd18d1a189872e95962a6c29428d8dfc66c469eee673
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIoAcN:ymb3NkkiQ3mdBjFIsIVcN
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\edf178def828a4835bcaadc5dd4006c6502f770c0948c5c22f2bf1eb35a5077bN.exe"C:\Users\Admin\AppData\Local\Temp\edf178def828a4835bcaadc5dd4006c6502f770c0948c5c22f2bf1eb35a5077bN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlrxrx.exec:\rrlrxrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thttbt.exec:\thttbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjpp.exec:\pjjpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrlrxf.exec:\ffrlrxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnnnn.exec:\nhnnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflfllr.exec:\lflfllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1flffrx.exec:\1flffrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtbbt.exec:\bbtbbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddppv.exec:\ddppv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxxlrl.exec:\rrxxlrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tnthh.exec:\5tnthh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbntbh.exec:\bbntbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jvdj.exec:\3jvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjjv.exec:\ddjjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrrlrf.exec:\ffrrlrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nntthb.exec:\nntthb.exe17⤵
- Executes dropped EXE
-
\??\c:\7tnnnt.exec:\7tnnnt.exe18⤵
- Executes dropped EXE
-
\??\c:\jvvpp.exec:\jvvpp.exe19⤵
- Executes dropped EXE
-
\??\c:\llrrrrf.exec:\llrrrrf.exe20⤵
- Executes dropped EXE
-
\??\c:\fffxlll.exec:\fffxlll.exe21⤵
- Executes dropped EXE
-
\??\c:\bbhbhh.exec:\bbhbhh.exe22⤵
- Executes dropped EXE
-
\??\c:\dpppp.exec:\dpppp.exe23⤵
- Executes dropped EXE
-
\??\c:\jdjpd.exec:\jdjpd.exe24⤵
- Executes dropped EXE
-
\??\c:\rlllrrx.exec:\rlllrrx.exe25⤵
- Executes dropped EXE
-
\??\c:\hhnntb.exec:\hhnntb.exe26⤵
- Executes dropped EXE
-
\??\c:\3hbnbh.exec:\3hbnbh.exe27⤵
- Executes dropped EXE
-
\??\c:\ddpdj.exec:\ddpdj.exe28⤵
- Executes dropped EXE
-
\??\c:\llrfrrx.exec:\llrfrrx.exe29⤵
- Executes dropped EXE
-
\??\c:\rrxrllr.exec:\rrxrllr.exe30⤵
- Executes dropped EXE
-
\??\c:\1btbht.exec:\1btbht.exe31⤵
- Executes dropped EXE
-
\??\c:\jjppv.exec:\jjppv.exe32⤵
- Executes dropped EXE
-
\??\c:\xrxxxxl.exec:\xrxxxxl.exe33⤵
- Executes dropped EXE
-
\??\c:\xfflxfl.exec:\xfflxfl.exe34⤵
- Executes dropped EXE
-
\??\c:\9bbthn.exec:\9bbthn.exe35⤵
- Executes dropped EXE
-
\??\c:\7hthnt.exec:\7hthnt.exe36⤵
- Executes dropped EXE
-
\??\c:\jjddj.exec:\jjddj.exe37⤵
- Executes dropped EXE
-
\??\c:\9dppp.exec:\9dppp.exe38⤵
- Executes dropped EXE
-
\??\c:\ffflrxf.exec:\ffflrxf.exe39⤵
- Executes dropped EXE
-
\??\c:\1frlxlx.exec:\1frlxlx.exe40⤵
- Executes dropped EXE
-
\??\c:\tbnbnh.exec:\tbnbnh.exe41⤵
- Executes dropped EXE
-
\??\c:\nhhntn.exec:\nhhntn.exe42⤵
- Executes dropped EXE
-
\??\c:\vvvvd.exec:\vvvvd.exe43⤵
- Executes dropped EXE
-
\??\c:\ddpjp.exec:\ddpjp.exe44⤵
- Executes dropped EXE
-
\??\c:\3xllxxf.exec:\3xllxxf.exe45⤵
- Executes dropped EXE
-
\??\c:\fflrrfl.exec:\fflrrfl.exe46⤵
- Executes dropped EXE
-
\??\c:\1hnhhn.exec:\1hnhhn.exe47⤵
- Executes dropped EXE
-
\??\c:\7hnnbh.exec:\7hnnbh.exe48⤵
- Executes dropped EXE
-
\??\c:\5ddjj.exec:\5ddjj.exe49⤵
- Executes dropped EXE
-
\??\c:\jpvvd.exec:\jpvvd.exe50⤵
- Executes dropped EXE
-
\??\c:\xrllrrr.exec:\xrllrrr.exe51⤵
- Executes dropped EXE
-
\??\c:\xrxflfl.exec:\xrxflfl.exe52⤵
- Executes dropped EXE
-
\??\c:\9ttthh.exec:\9ttthh.exe53⤵
- Executes dropped EXE
-
\??\c:\nntthh.exec:\nntthh.exe54⤵
- Executes dropped EXE
-
\??\c:\jdpvv.exec:\jdpvv.exe55⤵
- Executes dropped EXE
-
\??\c:\jjjvd.exec:\jjjvd.exe56⤵
- Executes dropped EXE
-
\??\c:\7rflxxf.exec:\7rflxxf.exe57⤵
- Executes dropped EXE
-
\??\c:\tnbnhn.exec:\tnbnhn.exe58⤵
- Executes dropped EXE
-
\??\c:\9bthhn.exec:\9bthhn.exe59⤵
- Executes dropped EXE
-
\??\c:\pjpdd.exec:\pjpdd.exe60⤵
- Executes dropped EXE
-
\??\c:\ppvvj.exec:\ppvvj.exe61⤵
- Executes dropped EXE
-
\??\c:\llrrffl.exec:\llrrffl.exe62⤵
- Executes dropped EXE
-
\??\c:\3xlxlfr.exec:\3xlxlfr.exe63⤵
- Executes dropped EXE
-
\??\c:\nhhthh.exec:\nhhthh.exe64⤵
- Executes dropped EXE
-
\??\c:\bbnbnh.exec:\bbnbnh.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\jjpvp.exec:\jjpvp.exe66⤵
-
\??\c:\vpdvd.exec:\vpdvd.exe67⤵
-
\??\c:\xlflxlf.exec:\xlflxlf.exe68⤵
-
\??\c:\ffrxfxl.exec:\ffrxfxl.exe69⤵
-
\??\c:\nnntht.exec:\nnntht.exe70⤵
-
\??\c:\btntnn.exec:\btntnn.exe71⤵
-
\??\c:\jpvvj.exec:\jpvvj.exe72⤵
-
\??\c:\djdvj.exec:\djdvj.exe73⤵
-
\??\c:\1rrrxrl.exec:\1rrrxrl.exe74⤵
-
\??\c:\lrxxffl.exec:\lrxxffl.exe75⤵
-
\??\c:\hhtbhh.exec:\hhtbhh.exe76⤵
-
\??\c:\tthbhn.exec:\tthbhn.exe77⤵
-
\??\c:\dddjv.exec:\dddjv.exe78⤵
-
\??\c:\dpvvv.exec:\dpvvv.exe79⤵
-
\??\c:\rrxxlrr.exec:\rrxxlrr.exe80⤵
-
\??\c:\5xlfxlr.exec:\5xlfxlr.exe81⤵
-
\??\c:\5nntht.exec:\5nntht.exe82⤵
-
\??\c:\ttbhtb.exec:\ttbhtb.exe83⤵
-
\??\c:\3hbhtt.exec:\3hbhtt.exe84⤵
-
\??\c:\3vpdp.exec:\3vpdp.exe85⤵
-
\??\c:\dddjv.exec:\dddjv.exe86⤵
-
\??\c:\xrrrxlr.exec:\xrrrxlr.exe87⤵
-
\??\c:\rrlrxxr.exec:\rrlrxxr.exe88⤵
-
\??\c:\bbhhtt.exec:\bbhhtt.exe89⤵
-
\??\c:\5bnhnt.exec:\5bnhnt.exe90⤵
-
\??\c:\ddddj.exec:\ddddj.exe91⤵
-
\??\c:\jjpdj.exec:\jjpdj.exe92⤵
-
\??\c:\djdjv.exec:\djdjv.exe93⤵
-
\??\c:\ffflxff.exec:\ffflxff.exe94⤵
-
\??\c:\rlxflrf.exec:\rlxflrf.exe95⤵
-
\??\c:\tbhnbn.exec:\tbhnbn.exe96⤵
-
\??\c:\thntbh.exec:\thntbh.exe97⤵
-
\??\c:\9dpjj.exec:\9dpjj.exe98⤵
-
\??\c:\vjjpv.exec:\vjjpv.exe99⤵
-
\??\c:\xfflxfl.exec:\xfflxfl.exe100⤵
-
\??\c:\3lxlxlr.exec:\3lxlxlr.exe101⤵
-
\??\c:\3tbbtb.exec:\3tbbtb.exe102⤵
-
\??\c:\9hthnn.exec:\9hthnn.exe103⤵
-
\??\c:\9vjpp.exec:\9vjpp.exe104⤵
-
\??\c:\ddpvd.exec:\ddpvd.exe105⤵
-
\??\c:\5xrrlrf.exec:\5xrrlrf.exe106⤵
-
\??\c:\llxlxxf.exec:\llxlxxf.exe107⤵
-
\??\c:\lrfflrr.exec:\lrfflrr.exe108⤵
-
\??\c:\bbhhnb.exec:\bbhhnb.exe109⤵
-
\??\c:\7hhntt.exec:\7hhntt.exe110⤵
-
\??\c:\5jjvd.exec:\5jjvd.exe111⤵
-
\??\c:\vdpvp.exec:\vdpvp.exe112⤵
-
\??\c:\rlrxlxl.exec:\rlrxlxl.exe113⤵
-
\??\c:\9fxfrfl.exec:\9fxfrfl.exe114⤵
-
\??\c:\9nbhbh.exec:\9nbhbh.exe115⤵
-
\??\c:\1bthhh.exec:\1bthhh.exe116⤵
-
\??\c:\tntnbh.exec:\tntnbh.exe117⤵
-
\??\c:\3vjpd.exec:\3vjpd.exe118⤵
-
\??\c:\ddddj.exec:\ddddj.exe119⤵
-
\??\c:\fxlfllr.exec:\fxlfllr.exe120⤵
-
\??\c:\7rflrfl.exec:\7rflrfl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-