Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-12-2024 20:26
General
-
Target
21f770bb925e78503e397de3b0d29ad5081d3211abbb57733674fb38c90a14f0.exe
-
Size
54KB
-
MD5
b286483fb6d61f417c889121666538d6
-
SHA1
d84d87728b018c74ec989cf5f5b353555b90b678
-
SHA256
21f770bb925e78503e397de3b0d29ad5081d3211abbb57733674fb38c90a14f0
-
SHA512
7890f8e102c7e8d5877661704722c838f9268b3ce18f49ef90b9810f1427ec940c1df24c6c070a2a07e9ad63afafdf396fa897462bb00af084301034a2e79202
-
SSDEEP
1536:mAocdpeVoBDulhzHMb7xNAa04Mcg5IKvlNJt:0cdpeeBSHHMHLf9RyIET
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 63 IoCs
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\21f770bb925e78503e397de3b0d29ad5081d3211abbb57733674fb38c90a14f0.exe"C:\Users\Admin\AppData\Local\Temp\21f770bb925e78503e397de3b0d29ad5081d3211abbb57733674fb38c90a14f0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfffxf.exec:\xxfffxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhnb.exec:\nhbhnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddpd.exec:\dddpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnthn.exec:\nhnthn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpjp.exec:\vjpjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3pjjp.exec:\3pjjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrxlrl.exec:\ffrxlrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llflxfr.exec:\llflxfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthbnb.exec:\tthbnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpdd.exec:\dvpdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrffrl.exec:\rrrffrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xxrxrr.exec:\5xxrxrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttntb.exec:\bttntb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtttb.exec:\bbtttb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdpp.exec:\pjdpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frflrxx.exec:\frflrxx.exe17⤵
- Executes dropped EXE
-
\??\c:\ttntnb.exec:\ttntnb.exe18⤵
- Executes dropped EXE
-
\??\c:\bbttbh.exec:\bbttbh.exe19⤵
- Executes dropped EXE
-
\??\c:\pdddp.exec:\pdddp.exe20⤵
- Executes dropped EXE
-
\??\c:\jdjdp.exec:\jdjdp.exe21⤵
- Executes dropped EXE
-
\??\c:\1lffrfr.exec:\1lffrfr.exe22⤵
- Executes dropped EXE
-
\??\c:\tnbhtn.exec:\tnbhtn.exe23⤵
- Executes dropped EXE
-
\??\c:\nntbtb.exec:\nntbtb.exe24⤵
- Executes dropped EXE
-
\??\c:\dddjp.exec:\dddjp.exe25⤵
- Executes dropped EXE
-
\??\c:\ppvdp.exec:\ppvdp.exe26⤵
- Executes dropped EXE
-
\??\c:\llxxffx.exec:\llxxffx.exe27⤵
- Executes dropped EXE
-
\??\c:\7nbhnt.exec:\7nbhnt.exe28⤵
- Executes dropped EXE
-
\??\c:\dvpdp.exec:\dvpdp.exe29⤵
- Executes dropped EXE
-
\??\c:\9vdvv.exec:\9vdvv.exe30⤵
- Executes dropped EXE
-
\??\c:\flxfllr.exec:\flxfllr.exe31⤵
- Executes dropped EXE
-
\??\c:\3lxxrxf.exec:\3lxxrxf.exe32⤵
- Executes dropped EXE
-
\??\c:\nnhhbb.exec:\nnhhbb.exe33⤵
- Executes dropped EXE
-
\??\c:\3nbbbt.exec:\3nbbbt.exe34⤵
- Executes dropped EXE
-
\??\c:\jvpdv.exec:\jvpdv.exe35⤵
- Executes dropped EXE
-
\??\c:\rrfxflr.exec:\rrfxflr.exe36⤵
- Executes dropped EXE
-
\??\c:\hhnbbh.exec:\hhnbbh.exe37⤵
- Executes dropped EXE
-
\??\c:\7bhbbb.exec:\7bhbbb.exe38⤵
- Executes dropped EXE
-
\??\c:\3jdjj.exec:\3jdjj.exe39⤵
- Executes dropped EXE
-
\??\c:\jvdvd.exec:\jvdvd.exe40⤵
- Executes dropped EXE
-
\??\c:\lfxlrlr.exec:\lfxlrlr.exe41⤵
- Executes dropped EXE
-
\??\c:\7hbhnt.exec:\7hbhnt.exe42⤵
- Executes dropped EXE
-
\??\c:\nnnnnt.exec:\nnnnnt.exe43⤵
- Executes dropped EXE
-
\??\c:\9tnttb.exec:\9tnttb.exe44⤵
- Executes dropped EXE
-
\??\c:\1vppd.exec:\1vppd.exe45⤵
- Executes dropped EXE
-
\??\c:\jvdjp.exec:\jvdjp.exe46⤵
- Executes dropped EXE
-
\??\c:\xxxlxxf.exec:\xxxlxxf.exe47⤵
- Executes dropped EXE
-
\??\c:\1nhbbt.exec:\1nhbbt.exe48⤵
- Executes dropped EXE
-
\??\c:\nntntt.exec:\nntntt.exe49⤵
- Executes dropped EXE
-
\??\c:\jjdpd.exec:\jjdpd.exe50⤵
- Executes dropped EXE
-
\??\c:\3jddd.exec:\3jddd.exe51⤵
- Executes dropped EXE
-
\??\c:\flxlrxf.exec:\flxlrxf.exe52⤵
- Executes dropped EXE
-
\??\c:\lllxrxf.exec:\lllxrxf.exe53⤵
- Executes dropped EXE
-
\??\c:\1bbnnt.exec:\1bbnnt.exe54⤵
- Executes dropped EXE
-
\??\c:\ddpvj.exec:\ddpvj.exe55⤵
- Executes dropped EXE
-
\??\c:\llrxxfr.exec:\llrxxfr.exe56⤵
- Executes dropped EXE
-
\??\c:\flfrxxl.exec:\flfrxxl.exe57⤵
- Executes dropped EXE
-
\??\c:\hnthth.exec:\hnthth.exe58⤵
- Executes dropped EXE
-
\??\c:\bntnnn.exec:\bntnnn.exe59⤵
- Executes dropped EXE
-
\??\c:\jppjj.exec:\jppjj.exe60⤵
- Executes dropped EXE
-
\??\c:\llrrxfl.exec:\llrrxfl.exe61⤵
- Executes dropped EXE
-
\??\c:\llxflrf.exec:\llxflrf.exe62⤵
- Executes dropped EXE
-
\??\c:\bhhnbh.exec:\bhhnbh.exe63⤵
- Executes dropped EXE
-
\??\c:\5hbnth.exec:\5hbnth.exe64⤵
- Executes dropped EXE
-
\??\c:\vvvdv.exec:\vvvdv.exe65⤵
- Executes dropped EXE
-
\??\c:\jpdjj.exec:\jpdjj.exe66⤵
-
\??\c:\llffffx.exec:\llffffx.exe67⤵
-
\??\c:\llfxxlx.exec:\llfxxlx.exe68⤵
-
\??\c:\xrxflrf.exec:\xrxflrf.exe69⤵
-
\??\c:\hhbhnh.exec:\hhbhnh.exe70⤵
-
\??\c:\hbntbh.exec:\hbntbh.exe71⤵
-
\??\c:\9pjpd.exec:\9pjpd.exe72⤵
-
\??\c:\vvjvv.exec:\vvjvv.exe73⤵
-
\??\c:\rlrxfxf.exec:\rlrxfxf.exe74⤵
-
\??\c:\1fxxrrx.exec:\1fxxrrx.exe75⤵
-
\??\c:\nnthhh.exec:\nnthhh.exe76⤵
-
\??\c:\5nbbnt.exec:\5nbbnt.exe77⤵
-
\??\c:\ddpdj.exec:\ddpdj.exe78⤵
-
\??\c:\9vpjj.exec:\9vpjj.exe79⤵
-
\??\c:\7xxflxl.exec:\7xxflxl.exe80⤵
-
\??\c:\llfflfr.exec:\llfflfr.exe81⤵
-
\??\c:\tthttn.exec:\tthttn.exe82⤵
-
\??\c:\bbnttb.exec:\bbnttb.exe83⤵
-
\??\c:\5vjjp.exec:\5vjjp.exe84⤵
-
\??\c:\5jddd.exec:\5jddd.exe85⤵
-
\??\c:\lfxrrrr.exec:\lfxrrrr.exe86⤵
-
\??\c:\lfrxxfl.exec:\lfrxxfl.exe87⤵
-
\??\c:\3nhhnb.exec:\3nhhnb.exe88⤵
-
\??\c:\nhntbh.exec:\nhntbh.exe89⤵
-
\??\c:\pjvvd.exec:\pjvvd.exe90⤵
-
\??\c:\rrflflx.exec:\rrflflx.exe91⤵
-
\??\c:\xfxfrrx.exec:\xfxfrrx.exe92⤵
-
\??\c:\nnbhbh.exec:\nnbhbh.exe93⤵
-
\??\c:\hhbbbh.exec:\hhbbbh.exe94⤵
-
\??\c:\nnbhbt.exec:\nnbhbt.exe95⤵
-
\??\c:\djjvj.exec:\djjvj.exe96⤵
-
\??\c:\xxfrrxl.exec:\xxfrrxl.exe97⤵
-
\??\c:\1xrxrxf.exec:\1xrxrxf.exe98⤵
-
\??\c:\5nhnnt.exec:\5nhnnt.exe99⤵
-
\??\c:\1tnntb.exec:\1tnntb.exe100⤵
-
\??\c:\vdpvj.exec:\vdpvj.exe101⤵
-
\??\c:\ddppv.exec:\ddppv.exe102⤵
-
\??\c:\1rfxxfx.exec:\1rfxxfx.exe103⤵
-
\??\c:\rxrfrrf.exec:\rxrfrrf.exe104⤵
-
\??\c:\nbttbt.exec:\nbttbt.exe105⤵
-
\??\c:\5vvjp.exec:\5vvjp.exe106⤵
-
\??\c:\vddjd.exec:\vddjd.exe107⤵
-
\??\c:\1vpvv.exec:\1vpvv.exe108⤵
-
\??\c:\rrfrfrx.exec:\rrfrfrx.exe109⤵
-
\??\c:\1nhnnt.exec:\1nhnnt.exe110⤵
-
\??\c:\bbhhtt.exec:\bbhhtt.exe111⤵
-
\??\c:\nhtttb.exec:\nhtttb.exe112⤵
-
\??\c:\9dppv.exec:\9dppv.exe113⤵
-
\??\c:\5xxxlrf.exec:\5xxxlrf.exe114⤵
-
\??\c:\xfxflxf.exec:\xfxflxf.exe115⤵
-
\??\c:\nntbnt.exec:\nntbnt.exe116⤵
-
\??\c:\bbnnbb.exec:\bbnnbb.exe117⤵
-
\??\c:\vpdjv.exec:\vpdjv.exe118⤵
-
\??\c:\djjvd.exec:\djjvd.exe119⤵
-
\??\c:\1lrffrf.exec:\1lrffrf.exe120⤵
-
\??\c:\ffrfrxl.exec:\ffrfrxl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-