Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
24-12-2024 20:21
General
-
Target
21f770bb925e78503e397de3b0d29ad5081d3211abbb57733674fb38c90a14f0.exe
-
Size
54KB
-
MD5
b286483fb6d61f417c889121666538d6
-
SHA1
d84d87728b018c74ec989cf5f5b353555b90b678
-
SHA256
21f770bb925e78503e397de3b0d29ad5081d3211abbb57733674fb38c90a14f0
-
SHA512
7890f8e102c7e8d5877661704722c838f9268b3ce18f49ef90b9810f1427ec940c1df24c6c070a2a07e9ad63afafdf396fa897462bb00af084301034a2e79202
-
SSDEEP
1536:mAocdpeVoBDulhzHMb7xNAa04Mcg5IKvlNJt:0cdpeeBSHHMHLf9RyIET
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 54 IoCs
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\21f770bb925e78503e397de3b0d29ad5081d3211abbb57733674fb38c90a14f0.exe"C:\Users\Admin\AppData\Local\Temp\21f770bb925e78503e397de3b0d29ad5081d3211abbb57733674fb38c90a14f0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\608068.exec:\608068.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\62248.exec:\62248.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2684286.exec:\2684286.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\202288.exec:\202288.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9frfflr.exec:\9frfflr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\446806.exec:\446806.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tntbb.exec:\1tntbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdpv.exec:\pjdpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82680.exec:\82680.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\882800.exec:\882800.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnhtn.exec:\nhnhtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0046240.exec:\0046240.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vjpv.exec:\3vjpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4800226.exec:\4800226.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtbnh.exec:\nhtbnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8680284.exec:\8680284.exe17⤵
- Executes dropped EXE
-
\??\c:\llfrlfr.exec:\llfrlfr.exe18⤵
- Executes dropped EXE
-
\??\c:\hhtbhn.exec:\hhtbhn.exe19⤵
- Executes dropped EXE
-
\??\c:\20222.exec:\20222.exe20⤵
- Executes dropped EXE
-
\??\c:\008406.exec:\008406.exe21⤵
- Executes dropped EXE
-
\??\c:\lffxxll.exec:\lffxxll.exe22⤵
- Executes dropped EXE
-
\??\c:\86282.exec:\86282.exe23⤵
- Executes dropped EXE
-
\??\c:\lfrflrf.exec:\lfrflrf.exe24⤵
- Executes dropped EXE
-
\??\c:\8662848.exec:\8662848.exe25⤵
- Executes dropped EXE
-
\??\c:\7nttht.exec:\7nttht.exe26⤵
- Executes dropped EXE
-
\??\c:\248808.exec:\248808.exe27⤵
- Executes dropped EXE
-
\??\c:\w64022.exec:\w64022.exe28⤵
- Executes dropped EXE
-
\??\c:\0028660.exec:\0028660.exe29⤵
- Executes dropped EXE
-
\??\c:\00406.exec:\00406.exe30⤵
- Executes dropped EXE
-
\??\c:\602800.exec:\602800.exe31⤵
- Executes dropped EXE
-
\??\c:\88402.exec:\88402.exe32⤵
- Executes dropped EXE
-
\??\c:\btthnb.exec:\btthnb.exe33⤵
- Executes dropped EXE
-
\??\c:\hbbbhh.exec:\hbbbhh.exe34⤵
- Executes dropped EXE
-
\??\c:\nnnnnn.exec:\nnnnnn.exe35⤵
- Executes dropped EXE
-
\??\c:\0488664.exec:\0488664.exe36⤵
- Executes dropped EXE
-
\??\c:\88646.exec:\88646.exe37⤵
- Executes dropped EXE
-
\??\c:\442806.exec:\442806.exe38⤵
- Executes dropped EXE
-
\??\c:\44802.exec:\44802.exe39⤵
- Executes dropped EXE
-
\??\c:\44024.exec:\44024.exe40⤵
- Executes dropped EXE
-
\??\c:\s0842.exec:\s0842.exe41⤵
- Executes dropped EXE
-
\??\c:\6600624.exec:\6600624.exe42⤵
- Executes dropped EXE
-
\??\c:\xxxxflx.exec:\xxxxflx.exe43⤵
- Executes dropped EXE
-
\??\c:\446806.exec:\446806.exe44⤵
- Executes dropped EXE
-
\??\c:\44086.exec:\44086.exe45⤵
- Executes dropped EXE
-
\??\c:\220228.exec:\220228.exe46⤵
- Executes dropped EXE
-
\??\c:\s6468.exec:\s6468.exe47⤵
- Executes dropped EXE
-
\??\c:\008022.exec:\008022.exe48⤵
- Executes dropped EXE
-
\??\c:\620028.exec:\620028.exe49⤵
- Executes dropped EXE
-
\??\c:\nhtbbb.exec:\nhtbbb.exe50⤵
- Executes dropped EXE
-
\??\c:\k06806.exec:\k06806.exe51⤵
- Executes dropped EXE
-
\??\c:\5bhhnn.exec:\5bhhnn.exe52⤵
- Executes dropped EXE
-
\??\c:\bbntbh.exec:\bbntbh.exe53⤵
- Executes dropped EXE
-
\??\c:\dvppv.exec:\dvppv.exe54⤵
- Executes dropped EXE
-
\??\c:\k60006.exec:\k60006.exe55⤵
- Executes dropped EXE
-
\??\c:\pppvj.exec:\pppvj.exe56⤵
- Executes dropped EXE
-
\??\c:\208884.exec:\208884.exe57⤵
- Executes dropped EXE
-
\??\c:\1pvjp.exec:\1pvjp.exe58⤵
- Executes dropped EXE
-
\??\c:\ppdpj.exec:\ppdpj.exe59⤵
- Executes dropped EXE
-
\??\c:\3dvdp.exec:\3dvdp.exe60⤵
- Executes dropped EXE
-
\??\c:\2262846.exec:\2262846.exe61⤵
- Executes dropped EXE
-
\??\c:\882844.exec:\882844.exe62⤵
- Executes dropped EXE
-
\??\c:\lfxxxxx.exec:\lfxxxxx.exe63⤵
- Executes dropped EXE
-
\??\c:\jjpvj.exec:\jjpvj.exe64⤵
- Executes dropped EXE
-
\??\c:\o862008.exec:\o862008.exe65⤵
- Executes dropped EXE
-
\??\c:\46208.exec:\46208.exe66⤵
-
\??\c:\7bnbbh.exec:\7bnbbh.exe67⤵
-
\??\c:\xxffllx.exec:\xxffllx.exe68⤵
-
\??\c:\5hbntb.exec:\5hbntb.exe69⤵
-
\??\c:\jdjvv.exec:\jdjvv.exe70⤵
-
\??\c:\3xrxflr.exec:\3xrxflr.exe71⤵
-
\??\c:\1rlrlrx.exec:\1rlrlrx.exe72⤵
-
\??\c:\dvjvd.exec:\dvjvd.exe73⤵
-
\??\c:\6840668.exec:\6840668.exe74⤵
-
\??\c:\m2840.exec:\m2840.exe75⤵
-
\??\c:\btbhtt.exec:\btbhtt.exe76⤵
-
\??\c:\8284624.exec:\8284624.exe77⤵
-
\??\c:\1xlxfll.exec:\1xlxfll.exe78⤵
-
\??\c:\rrrxxll.exec:\rrrxxll.exe79⤵
-
\??\c:\6484046.exec:\6484046.exe80⤵
-
\??\c:\bthnhn.exec:\bthnhn.exe81⤵
-
\??\c:\82846.exec:\82846.exe82⤵
-
\??\c:\86480.exec:\86480.exe83⤵
-
\??\c:\tbbtth.exec:\tbbtth.exe84⤵
-
\??\c:\626204.exec:\626204.exe85⤵
-
\??\c:\402220.exec:\402220.exe86⤵
-
\??\c:\1frxxff.exec:\1frxxff.exe87⤵
-
\??\c:\5nhbhh.exec:\5nhbhh.exe88⤵
-
\??\c:\82066.exec:\82066.exe89⤵
-
\??\c:\8828840.exec:\8828840.exe90⤵
-
\??\c:\o024068.exec:\o024068.exe91⤵
-
\??\c:\xxxfxfr.exec:\xxxfxfr.exe92⤵
-
\??\c:\3vdjj.exec:\3vdjj.exe93⤵
-
\??\c:\u422440.exec:\u422440.exe94⤵
-
\??\c:\tnhntb.exec:\tnhntb.exe95⤵
-
\??\c:\48640.exec:\48640.exe96⤵
-
\??\c:\rxlrxxf.exec:\rxlrxxf.exe97⤵
-
\??\c:\2262846.exec:\2262846.exe98⤵
-
\??\c:\llxfxxl.exec:\llxfxxl.exe99⤵
-
\??\c:\jpvvd.exec:\jpvvd.exe100⤵
- System Location Discovery: System Language Discovery
-
\??\c:\7thbtt.exec:\7thbtt.exe101⤵
-
\??\c:\228022.exec:\228022.exe102⤵
-
\??\c:\xxffffr.exec:\xxffffr.exe103⤵
-
\??\c:\3hbhnt.exec:\3hbhnt.exe104⤵
-
\??\c:\480682.exec:\480682.exe105⤵
-
\??\c:\s0284.exec:\s0284.exe106⤵
-
\??\c:\frlrxll.exec:\frlrxll.exe107⤵
-
\??\c:\220040.exec:\220040.exe108⤵
-
\??\c:\202486.exec:\202486.exe109⤵
-
\??\c:\0606004.exec:\0606004.exe110⤵
-
\??\c:\i428062.exec:\i428062.exe111⤵
-
\??\c:\8268060.exec:\8268060.exe112⤵
-
\??\c:\fllflfl.exec:\fllflfl.exe113⤵
- System Location Discovery: System Language Discovery
-
\??\c:\042860.exec:\042860.exe114⤵
-
\??\c:\flrxxfr.exec:\flrxxfr.exe115⤵
-
\??\c:\xxllrxl.exec:\xxllrxl.exe116⤵
-
\??\c:\882028.exec:\882028.exe117⤵
-
\??\c:\226806.exec:\226806.exe118⤵
-
\??\c:\442288.exec:\442288.exe119⤵
-
\??\c:\3bbttb.exec:\3bbttb.exe120⤵
-
\??\c:\nnbbbh.exec:\nnbbbh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-