Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23-12-2024 01:38
General
-
Target
9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe
-
Size
454KB
-
MD5
7da8d92eb3239e2873cf55d9f78f7ddf
-
SHA1
b5c1e180310c363376c267f6a43782a692b5b605
-
SHA256
9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7
-
SHA512
6e7a6290916e0cace2e773c3ae5209117ef4bacc7cf9eb12a33ef4ae895af297fbf97df131e4caa707ddc4c17eafe3e4bcbfe4f5806f1c2a6562a02172d5e19f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet7:q7Tc2NYHUrAwfMp3CDt7
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 38 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 42 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe"C:\Users\Admin\AppData\Local\Temp\9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrxlrf.exec:\ffrxlrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnnbh.exec:\ttnnbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnnhh.exec:\btnnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjjv.exec:\ppjjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rllffx.exec:\9rllffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbhnn.exec:\ttbhnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vdpj.exec:\7vdpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xlfflr.exec:\9xlfflr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ttntn.exec:\1ttntn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpdvd.exec:\jpdvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbhnt.exec:\hhbhnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvvv.exec:\jpvvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllxfr.exec:\fxllxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bbbhh.exec:\5bbbhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3frrrlf.exec:\3frrrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnhtn.exec:\nhnhtn.exe17⤵
- Executes dropped EXE
-
\??\c:\5jpdd.exec:\5jpdd.exe18⤵
- Executes dropped EXE
-
\??\c:\frlllrx.exec:\frlllrx.exe19⤵
- Executes dropped EXE
-
\??\c:\nnttbb.exec:\nnttbb.exe20⤵
- Executes dropped EXE
-
\??\c:\5jvvp.exec:\5jvvp.exe21⤵
- Executes dropped EXE
-
\??\c:\xlfxrrx.exec:\xlfxrrx.exe22⤵
- Executes dropped EXE
-
\??\c:\ddppv.exec:\ddppv.exe23⤵
- Executes dropped EXE
-
\??\c:\frxrrff.exec:\frxrrff.exe24⤵
- Executes dropped EXE
-
\??\c:\bntttn.exec:\bntttn.exe25⤵
- Executes dropped EXE
-
\??\c:\flrrrrf.exec:\flrrrrf.exe26⤵
- Executes dropped EXE
-
\??\c:\9hnbtn.exec:\9hnbtn.exe27⤵
- Executes dropped EXE
-
\??\c:\7rllxfr.exec:\7rllxfr.exe28⤵
- Executes dropped EXE
-
\??\c:\nhnhhh.exec:\nhnhhh.exe29⤵
- Executes dropped EXE
-
\??\c:\9pppp.exec:\9pppp.exe30⤵
- Executes dropped EXE
-
\??\c:\3flfxxx.exec:\3flfxxx.exe31⤵
- Executes dropped EXE
-
\??\c:\hhhnbn.exec:\hhhnbn.exe32⤵
- Executes dropped EXE
-
\??\c:\1jvvv.exec:\1jvvv.exe33⤵
- Executes dropped EXE
-
\??\c:\rlxffxf.exec:\rlxffxf.exe34⤵
- Executes dropped EXE
-
\??\c:\nbttbt.exec:\nbttbt.exe35⤵
- Executes dropped EXE
-
\??\c:\9djdv.exec:\9djdv.exe36⤵
- Executes dropped EXE
-
\??\c:\rrflllx.exec:\rrflllx.exe37⤵
- Executes dropped EXE
-
\??\c:\3thttt.exec:\3thttt.exe38⤵
- Executes dropped EXE
-
\??\c:\thnbtt.exec:\thnbtt.exe39⤵
- Executes dropped EXE
-
\??\c:\vjvpv.exec:\vjvpv.exe40⤵
- Executes dropped EXE
-
\??\c:\xxffxxx.exec:\xxffxxx.exe41⤵
- Executes dropped EXE
-
\??\c:\tntbbh.exec:\tntbbh.exe42⤵
- Executes dropped EXE
-
\??\c:\tbnhhh.exec:\tbnhhh.exe43⤵
- Executes dropped EXE
-
\??\c:\3ppjj.exec:\3ppjj.exe44⤵
- Executes dropped EXE
-
\??\c:\rflffrr.exec:\rflffrr.exe45⤵
- Executes dropped EXE
-
\??\c:\5bnttt.exec:\5bnttt.exe46⤵
- Executes dropped EXE
-
\??\c:\7bnnnh.exec:\7bnnnh.exe47⤵
- Executes dropped EXE
-
\??\c:\jvjjj.exec:\jvjjj.exe48⤵
- Executes dropped EXE
-
\??\c:\xxllllf.exec:\xxllllf.exe49⤵
- Executes dropped EXE
-
\??\c:\ffxlllr.exec:\ffxlllr.exe50⤵
- Executes dropped EXE
-
\??\c:\5hnbbb.exec:\5hnbbb.exe51⤵
- Executes dropped EXE
-
\??\c:\pdvvv.exec:\pdvvv.exe52⤵
- Executes dropped EXE
-
\??\c:\fllxlff.exec:\fllxlff.exe53⤵
- Executes dropped EXE
-
\??\c:\nbnnhn.exec:\nbnnhn.exe54⤵
- Executes dropped EXE
-
\??\c:\nhbntb.exec:\nhbntb.exe55⤵
- Executes dropped EXE
-
\??\c:\1vjdj.exec:\1vjdj.exe56⤵
- Executes dropped EXE
-
\??\c:\xrllxxf.exec:\xrllxxf.exe57⤵
- Executes dropped EXE
-
\??\c:\bbbhhh.exec:\bbbhhh.exe58⤵
- Executes dropped EXE
-
\??\c:\3htnhh.exec:\3htnhh.exe59⤵
- Executes dropped EXE
-
\??\c:\dvjvd.exec:\dvjvd.exe60⤵
- Executes dropped EXE
-
\??\c:\frrfrfl.exec:\frrfrfl.exe61⤵
- Executes dropped EXE
-
\??\c:\nbntbb.exec:\nbntbb.exe62⤵
- Executes dropped EXE
-
\??\c:\7bhtnh.exec:\7bhtnh.exe63⤵
- Executes dropped EXE
-
\??\c:\dvdvp.exec:\dvdvp.exe64⤵
- Executes dropped EXE
-
\??\c:\vpvvd.exec:\vpvvd.exe65⤵
- Executes dropped EXE
-
\??\c:\xrflxrx.exec:\xrflxrx.exe66⤵
-
\??\c:\bnhhhb.exec:\bnhhhb.exe67⤵
-
\??\c:\jdpjp.exec:\jdpjp.exe68⤵
-
\??\c:\7pdjp.exec:\7pdjp.exe69⤵
-
\??\c:\lxlrrlr.exec:\lxlrrlr.exe70⤵
-
\??\c:\hhttbh.exec:\hhttbh.exe71⤵
-
\??\c:\bthtbb.exec:\bthtbb.exe72⤵
-
\??\c:\pdjvp.exec:\pdjvp.exe73⤵
-
\??\c:\lxfxxxf.exec:\lxfxxxf.exe74⤵
-
\??\c:\9rfxxxf.exec:\9rfxxxf.exe75⤵
-
\??\c:\3bbbtt.exec:\3bbbtt.exe76⤵
-
\??\c:\1pdjj.exec:\1pdjj.exe77⤵
-
\??\c:\5rrxxfl.exec:\5rrxxfl.exe78⤵
-
\??\c:\1xlffxx.exec:\1xlffxx.exe79⤵
-
\??\c:\hthhhb.exec:\hthhhb.exe80⤵
-
\??\c:\7vvpj.exec:\7vvpj.exe81⤵
-
\??\c:\xlxxllx.exec:\xlxxllx.exe82⤵
-
\??\c:\1hnntt.exec:\1hnntt.exe83⤵
-
\??\c:\btnntb.exec:\btnntb.exe84⤵
-
\??\c:\ppddv.exec:\ppddv.exe85⤵
-
\??\c:\xrrrflx.exec:\xrrrflx.exe86⤵
-
\??\c:\xlllfxx.exec:\xlllfxx.exe87⤵
-
\??\c:\3ttthh.exec:\3ttthh.exe88⤵
-
\??\c:\pdpvj.exec:\pdpvj.exe89⤵
-
\??\c:\9rxrrrx.exec:\9rxrrrx.exe90⤵
-
\??\c:\xrlrxrx.exec:\xrlrxrx.exe91⤵
-
\??\c:\9nbnnh.exec:\9nbnnh.exe92⤵
-
\??\c:\7jpjd.exec:\7jpjd.exe93⤵
-
\??\c:\pdvpv.exec:\pdvpv.exe94⤵
-
\??\c:\5rxxfxx.exec:\5rxxfxx.exe95⤵
-
\??\c:\tthnnb.exec:\tthnnb.exe96⤵
-
\??\c:\1bbtnn.exec:\1bbtnn.exe97⤵
-
\??\c:\jdpvd.exec:\jdpvd.exe98⤵
-
\??\c:\frffrrx.exec:\frffrrx.exe99⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nhtthh.exec:\nhtthh.exe100⤵
-
\??\c:\1htbtt.exec:\1htbtt.exe101⤵
-
\??\c:\dvpjp.exec:\dvpjp.exe102⤵
-
\??\c:\1fffffx.exec:\1fffffx.exe103⤵
-
\??\c:\frfflff.exec:\frfflff.exe104⤵
-
\??\c:\hbntbt.exec:\hbntbt.exe105⤵
-
\??\c:\pjvvd.exec:\pjvvd.exe106⤵
-
\??\c:\xlxrlfl.exec:\xlxrlfl.exe107⤵
-
\??\c:\9llflrr.exec:\9llflrr.exe108⤵
-
\??\c:\bthhhh.exec:\bthhhh.exe109⤵
-
\??\c:\vpdvd.exec:\vpdvd.exe110⤵
-
\??\c:\lxrrxrx.exec:\lxrrxrx.exe111⤵
-
\??\c:\llxffff.exec:\llxffff.exe112⤵
-
\??\c:\5bnntt.exec:\5bnntt.exe113⤵
-
\??\c:\jvvjd.exec:\jvvjd.exe114⤵
-
\??\c:\rflrllr.exec:\rflrllr.exe115⤵
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe116⤵
-
\??\c:\bhnbbn.exec:\bhnbbn.exe117⤵
-
\??\c:\pjppv.exec:\pjppv.exe118⤵
-
\??\c:\rlfxrll.exec:\rlfxrll.exe119⤵
-
\??\c:\frrfrrx.exec:\frrfrrx.exe120⤵
-
\??\c:\hnttbt.exec:\hnttbt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-