Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
24/12/2024, 00:26
General
-
Target
acf4c30908e3dd4bfa3a7510fef2e33640569555e3b3f05503c3e2e0f2de3582.exe
-
Size
453KB
-
MD5
dda859c1e7986cab886e126bdff21813
-
SHA1
391e2761ea9d2ed0f5d83f2c986dfbb393661ab8
-
SHA256
acf4c30908e3dd4bfa3a7510fef2e33640569555e3b3f05503c3e2e0f2de3582
-
SHA512
2577c49c10aa950b1d2b7c2b6003ee5b5b8ef11b8afdde8ad75a19d1fc5f1876c087db40d11720e2d8a0369c4c1be8e4167c826c94114450bd2a348b27a1706d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 44 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 41 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\acf4c30908e3dd4bfa3a7510fef2e33640569555e3b3f05503c3e2e0f2de3582.exe"C:\Users\Admin\AppData\Local\Temp\acf4c30908e3dd4bfa3a7510fef2e33640569555e3b3f05503c3e2e0f2de3582.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\k60240.exec:\k60240.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8246846.exec:\8246846.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthtbh.exec:\bthtbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfxxlrf.exec:\xfxxlrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6028446.exec:\6028446.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\486462.exec:\486462.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0868402.exec:\0868402.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhht.exec:\tnbhht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\88024.exec:\88024.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrllrx.exec:\lrrllrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxlrxr.exec:\xxxlrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvjp.exec:\ddvjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\66846.exec:\66846.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllrxfx.exec:\rllrxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7frxlrf.exec:\7frxlrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbhth.exec:\hnbhth.exe17⤵
- Executes dropped EXE
-
\??\c:\26842.exec:\26842.exe18⤵
- Executes dropped EXE
-
\??\c:\a4880.exec:\a4880.exe19⤵
- Executes dropped EXE
-
\??\c:\08280.exec:\08280.exe20⤵
- Executes dropped EXE
-
\??\c:\jjdjv.exec:\jjdjv.exe21⤵
- Executes dropped EXE
-
\??\c:\5nbbhn.exec:\5nbbhn.exe22⤵
- Executes dropped EXE
-
\??\c:\202844.exec:\202844.exe23⤵
- Executes dropped EXE
-
\??\c:\484628.exec:\484628.exe24⤵
- Executes dropped EXE
-
\??\c:\5lxfxfl.exec:\5lxfxfl.exe25⤵
- Executes dropped EXE
-
\??\c:\vpdpv.exec:\vpdpv.exe26⤵
- Executes dropped EXE
-
\??\c:\482484.exec:\482484.exe27⤵
- Executes dropped EXE
-
\??\c:\ffxlfrf.exec:\ffxlfrf.exe28⤵
- Executes dropped EXE
-
\??\c:\llxfxxl.exec:\llxfxxl.exe29⤵
- Executes dropped EXE
-
\??\c:\o268068.exec:\o268068.exe30⤵
- Executes dropped EXE
-
\??\c:\e60206.exec:\e60206.exe31⤵
- Executes dropped EXE
-
\??\c:\u262004.exec:\u262004.exe32⤵
- Executes dropped EXE
-
\??\c:\222462.exec:\222462.exe33⤵
- Executes dropped EXE
-
\??\c:\m4280.exec:\m4280.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\bbntnt.exec:\bbntnt.exe35⤵
- Executes dropped EXE
-
\??\c:\60468.exec:\60468.exe36⤵
- Executes dropped EXE
-
\??\c:\a4846.exec:\a4846.exe37⤵
- Executes dropped EXE
-
\??\c:\1bhbbb.exec:\1bhbbb.exe38⤵
- Executes dropped EXE
-
\??\c:\pjddp.exec:\pjddp.exe39⤵
- Executes dropped EXE
-
\??\c:\nbthnb.exec:\nbthnb.exe40⤵
- Executes dropped EXE
-
\??\c:\rlrxffx.exec:\rlrxffx.exe41⤵
- Executes dropped EXE
-
\??\c:\0408242.exec:\0408242.exe42⤵
- Executes dropped EXE
-
\??\c:\lfxlxlf.exec:\lfxlxlf.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\04884.exec:\04884.exe44⤵
- Executes dropped EXE
-
\??\c:\826206.exec:\826206.exe45⤵
- Executes dropped EXE
-
\??\c:\vpvjd.exec:\vpvjd.exe46⤵
- Executes dropped EXE
-
\??\c:\864406.exec:\864406.exe47⤵
- Executes dropped EXE
-
\??\c:\826644.exec:\826644.exe48⤵
- Executes dropped EXE
-
\??\c:\864088.exec:\864088.exe49⤵
- Executes dropped EXE
-
\??\c:\2646880.exec:\2646880.exe50⤵
- Executes dropped EXE
-
\??\c:\9tnhhn.exec:\9tnhhn.exe51⤵
- Executes dropped EXE
-
\??\c:\9dppd.exec:\9dppd.exe52⤵
- Executes dropped EXE
-
\??\c:\c484846.exec:\c484846.exe53⤵
- Executes dropped EXE
-
\??\c:\08246.exec:\08246.exe54⤵
- Executes dropped EXE
-
\??\c:\dvjjv.exec:\dvjjv.exe55⤵
- Executes dropped EXE
-
\??\c:\s0068.exec:\s0068.exe56⤵
- Executes dropped EXE
-
\??\c:\llxflrf.exec:\llxflrf.exe57⤵
- Executes dropped EXE
-
\??\c:\btbbnn.exec:\btbbnn.exe58⤵
- Executes dropped EXE
-
\??\c:\fflrxfl.exec:\fflrxfl.exe59⤵
- Executes dropped EXE
-
\??\c:\a2646.exec:\a2646.exe60⤵
- Executes dropped EXE
-
\??\c:\rlfrrrf.exec:\rlfrrrf.exe61⤵
- Executes dropped EXE
-
\??\c:\42406.exec:\42406.exe62⤵
- Executes dropped EXE
-
\??\c:\1pjpd.exec:\1pjpd.exe63⤵
- Executes dropped EXE
-
\??\c:\8244068.exec:\8244068.exe64⤵
- Executes dropped EXE
-
\??\c:\rlfxlrf.exec:\rlfxlrf.exe65⤵
- Executes dropped EXE
-
\??\c:\xfxxxfr.exec:\xfxxxfr.exe66⤵
- System Location Discovery: System Language Discovery
-
\??\c:\48060.exec:\48060.exe67⤵
-
\??\c:\26464.exec:\26464.exe68⤵
-
\??\c:\5dvvj.exec:\5dvvj.exe69⤵
-
\??\c:\5bthht.exec:\5bthht.exe70⤵
-
\??\c:\ppddj.exec:\ppddj.exe71⤵
-
\??\c:\rrrfrrx.exec:\rrrfrrx.exe72⤵
-
\??\c:\hhbhnt.exec:\hhbhnt.exe73⤵
-
\??\c:\8600266.exec:\8600266.exe74⤵
-
\??\c:\ddvdr.exec:\ddvdr.exe75⤵
-
\??\c:\6604628.exec:\6604628.exe76⤵
-
\??\c:\rlflrxf.exec:\rlflrxf.exe77⤵
-
\??\c:\xrrrxxf.exec:\xrrrxxf.exe78⤵
-
\??\c:\c868400.exec:\c868400.exe79⤵
-
\??\c:\0824624.exec:\0824624.exe80⤵
-
\??\c:\pjvjd.exec:\pjvjd.exe81⤵
-
\??\c:\82068.exec:\82068.exe82⤵
-
\??\c:\dddpd.exec:\dddpd.exe83⤵
-
\??\c:\rxrxflx.exec:\rxrxflx.exe84⤵
-
\??\c:\1tnhbt.exec:\1tnhbt.exe85⤵
-
\??\c:\26882.exec:\26882.exe86⤵
-
\??\c:\1hhbnh.exec:\1hhbnh.exe87⤵
-
\??\c:\nnhnbh.exec:\nnhnbh.exe88⤵
-
\??\c:\2640846.exec:\2640846.exe89⤵
-
\??\c:\1xxlrrl.exec:\1xxlrrl.exe90⤵
-
\??\c:\5bthbh.exec:\5bthbh.exe91⤵
-
\??\c:\nhbbhn.exec:\nhbbhn.exe92⤵
-
\??\c:\3ffrfxx.exec:\3ffrfxx.exe93⤵
-
\??\c:\dvjvd.exec:\dvjvd.exe94⤵
-
\??\c:\vpdjv.exec:\vpdjv.exe95⤵
-
\??\c:\dddjp.exec:\dddjp.exe96⤵
-
\??\c:\1tbtht.exec:\1tbtht.exe97⤵
-
\??\c:\c640880.exec:\c640880.exe98⤵
-
\??\c:\26284.exec:\26284.exe99⤵
-
\??\c:\264028.exec:\264028.exe100⤵
-
\??\c:\tthnth.exec:\tthnth.exe101⤵
-
\??\c:\2640284.exec:\2640284.exe102⤵
-
\??\c:\6044680.exec:\6044680.exe103⤵
-
\??\c:\w42406.exec:\w42406.exe104⤵
-
\??\c:\7hbbhn.exec:\7hbbhn.exe105⤵
-
\??\c:\9tthnh.exec:\9tthnh.exe106⤵
-
\??\c:\bthhtn.exec:\bthhtn.exe107⤵
-
\??\c:\djpvp.exec:\djpvp.exe108⤵
-
\??\c:\260240.exec:\260240.exe109⤵
-
\??\c:\9rflllx.exec:\9rflllx.exe110⤵
-
\??\c:\404244.exec:\404244.exe111⤵
-
\??\c:\c644464.exec:\c644464.exe112⤵
-
\??\c:\08062.exec:\08062.exe113⤵
-
\??\c:\bnnnnn.exec:\bnnnnn.exe114⤵
-
\??\c:\8202002.exec:\8202002.exe115⤵
-
\??\c:\m8444.exec:\m8444.exe116⤵
-
\??\c:\4684668.exec:\4684668.exe117⤵
-
\??\c:\xrffrrx.exec:\xrffrrx.exe118⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe119⤵
-
\??\c:\thtnth.exec:\thtnth.exe120⤵
-
\??\c:\vpdjp.exec:\vpdjp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-