Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
26/12/2024, 22:18
General
-
Target
ec98b1cd958f44fabf89f07abbba3720fc1570518db27ad209269989673f4ae0N.exe
-
Size
452KB
-
MD5
8a6602ec10ed9cfb6af6a56271242100
-
SHA1
f57d7cccb3f2a7f54b5632059f322b60ee43ee6e
-
SHA256
ec98b1cd958f44fabf89f07abbba3720fc1570518db27ad209269989673f4ae0
-
SHA512
5c78b34777afd24861b2223267efd6c26ec2c7347b123c49edbbdd0bf096c538247af0fbefbb06a74ee6af1df3097b0d034a79fc5992ea8d559331a38f2c1cb5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 44 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 45 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec98b1cd958f44fabf89f07abbba3720fc1570518db27ad209269989673f4ae0N.exe"C:\Users\Admin\AppData\Local\Temp\ec98b1cd958f44fabf89f07abbba3720fc1570518db27ad209269989673f4ae0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rvntlbl.exec:\rvntlbl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrdpn.exec:\xrdpn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dxpxx.exec:\dxpxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rddvf.exec:\rddvf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ltvlxrp.exec:\ltvlxrp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pxrff.exec:\pxrff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tvdrv.exec:\tvdrv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dlxjnx.exec:\dlxjnx.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\rhptt.exec:\rhptt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jfhll.exec:\jfhll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lbtrtn.exec:\lbtrtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ndpnjj.exec:\ndpnjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfvffxd.exec:\lfvffxd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hjtxh.exec:\hjtxh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hpfrf.exec:\hpfrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrnjlp.exec:\rrrnjlp.exe17⤵
- Executes dropped EXE
-
\??\c:\xpptxvp.exec:\xpptxvp.exe18⤵
- Executes dropped EXE
-
\??\c:\hvlnjlj.exec:\hvlnjlj.exe19⤵
- Executes dropped EXE
-
\??\c:\bpbhv.exec:\bpbhv.exe20⤵
- Executes dropped EXE
-
\??\c:\vjfnj.exec:\vjfnj.exe21⤵
- Executes dropped EXE
-
\??\c:\xttbxh.exec:\xttbxh.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\tvfjxt.exec:\tvfjxt.exe23⤵
- Executes dropped EXE
-
\??\c:\htxvjp.exec:\htxvjp.exe24⤵
- Executes dropped EXE
-
\??\c:\jtvxfxl.exec:\jtvxfxl.exe25⤵
- Executes dropped EXE
-
\??\c:\fjnfvrf.exec:\fjnfvrf.exe26⤵
- Executes dropped EXE
-
\??\c:\vrljdh.exec:\vrljdh.exe27⤵
- Executes dropped EXE
-
\??\c:\vjbjt.exec:\vjbjt.exe28⤵
- Executes dropped EXE
-
\??\c:\dxvjlpd.exec:\dxvjlpd.exe29⤵
- Executes dropped EXE
-
\??\c:\fvjjf.exec:\fvjjf.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xdpxdj.exec:\xdpxdj.exe31⤵
- Executes dropped EXE
-
\??\c:\rrbvltp.exec:\rrbvltp.exe32⤵
- Executes dropped EXE
-
\??\c:\tjtlfhr.exec:\tjtlfhr.exe33⤵
- Executes dropped EXE
-
\??\c:\vnprvhn.exec:\vnprvhn.exe34⤵
- Executes dropped EXE
-
\??\c:\dnvnn.exec:\dnvnn.exe35⤵
- Executes dropped EXE
-
\??\c:\ddntfn.exec:\ddntfn.exe36⤵
- Executes dropped EXE
-
\??\c:\hlbnlh.exec:\hlbnlh.exe37⤵
- Executes dropped EXE
-
\??\c:\hltbtp.exec:\hltbtp.exe38⤵
- Executes dropped EXE
-
\??\c:\rhffpp.exec:\rhffpp.exe39⤵
- Executes dropped EXE
-
\??\c:\fnbhb.exec:\fnbhb.exe40⤵
- Executes dropped EXE
-
\??\c:\jdbdxtf.exec:\jdbdxtf.exe41⤵
- Executes dropped EXE
-
\??\c:\pfhppjx.exec:\pfhppjx.exe42⤵
- Executes dropped EXE
-
\??\c:\ffvjvvf.exec:\ffvjvvf.exe43⤵
- Executes dropped EXE
-
\??\c:\jfnlbt.exec:\jfnlbt.exe44⤵
- Executes dropped EXE
-
\??\c:\ldndthh.exec:\ldndthh.exe45⤵
- Executes dropped EXE
-
\??\c:\nddtn.exec:\nddtn.exe46⤵
- Executes dropped EXE
-
\??\c:\fvlvjpt.exec:\fvlvjpt.exe47⤵
- Executes dropped EXE
-
\??\c:\tbrrrdx.exec:\tbrrrdx.exe48⤵
- Executes dropped EXE
-
\??\c:\xnfjrv.exec:\xnfjrv.exe49⤵
- Executes dropped EXE
-
\??\c:\bjnrtvv.exec:\bjnrtvv.exe50⤵
- Executes dropped EXE
-
\??\c:\jlfphpl.exec:\jlfphpl.exe51⤵
- Executes dropped EXE
-
\??\c:\pdbvll.exec:\pdbvll.exe52⤵
- Executes dropped EXE
-
\??\c:\hrjtn.exec:\hrjtn.exe53⤵
- Executes dropped EXE
-
\??\c:\drvlptt.exec:\drvlptt.exe54⤵
- Executes dropped EXE
-
\??\c:\dtljpt.exec:\dtljpt.exe55⤵
- Executes dropped EXE
-
\??\c:\frxrh.exec:\frxrh.exe56⤵
- Executes dropped EXE
-
\??\c:\pjnnfd.exec:\pjnnfd.exe57⤵
- Executes dropped EXE
-
\??\c:\phdfb.exec:\phdfb.exe58⤵
- Executes dropped EXE
-
\??\c:\lhdhpx.exec:\lhdhpx.exe59⤵
- Executes dropped EXE
-
\??\c:\xxjnvr.exec:\xxjnvr.exe60⤵
- Executes dropped EXE
-
\??\c:\jpdxh.exec:\jpdxh.exe61⤵
- Executes dropped EXE
-
\??\c:\dntbr.exec:\dntbr.exe62⤵
- Executes dropped EXE
-
\??\c:\jrtxt.exec:\jrtxt.exe63⤵
- Executes dropped EXE
-
\??\c:\lnnrbv.exec:\lnnrbv.exe64⤵
- Executes dropped EXE
-
\??\c:\xphfbjd.exec:\xphfbjd.exe65⤵
- Executes dropped EXE
-
\??\c:\phtvp.exec:\phtvp.exe66⤵
-
\??\c:\rnxdnpj.exec:\rnxdnpj.exe67⤵
-
\??\c:\frlndt.exec:\frlndt.exe68⤵
-
\??\c:\dhxtlnr.exec:\dhxtlnr.exe69⤵
-
\??\c:\bdvbt.exec:\bdvbt.exe70⤵
-
\??\c:\jrhxv.exec:\jrhxv.exe71⤵
-
\??\c:\lhdjd.exec:\lhdjd.exe72⤵
-
\??\c:\dlrfh.exec:\dlrfh.exe73⤵
-
\??\c:\nvbxfjb.exec:\nvbxfjb.exe74⤵
-
\??\c:\vbtvx.exec:\vbtvx.exe75⤵
-
\??\c:\htpjn.exec:\htpjn.exe76⤵
-
\??\c:\jnrxv.exec:\jnrxv.exe77⤵
-
\??\c:\dlfftn.exec:\dlfftn.exe78⤵
-
\??\c:\vvjrnpl.exec:\vvjrnpl.exe79⤵
-
\??\c:\xnfxr.exec:\xnfxr.exe80⤵
-
\??\c:\hllpxnx.exec:\hllpxnx.exe81⤵
-
\??\c:\jlvxhlb.exec:\jlvxhlb.exe82⤵
-
\??\c:\nfpljb.exec:\nfpljb.exe83⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nxfbxr.exec:\nxfbxr.exe84⤵
-
\??\c:\pdlfvt.exec:\pdlfvt.exe85⤵
-
\??\c:\xttxrdn.exec:\xttxrdn.exe86⤵
-
\??\c:\txdxflr.exec:\txdxflr.exe87⤵
- System Location Discovery: System Language Discovery
-
\??\c:\plnhd.exec:\plnhd.exe88⤵
-
\??\c:\djpnxn.exec:\djpnxn.exe89⤵
-
\??\c:\vjlrl.exec:\vjlrl.exe90⤵
-
\??\c:\brvbvvf.exec:\brvbvvf.exe91⤵
-
\??\c:\bhnxbht.exec:\bhnxbht.exe92⤵
-
\??\c:\dblbtd.exec:\dblbtd.exe93⤵
-
\??\c:\rnldf.exec:\rnldf.exe94⤵
-
\??\c:\pvlrdt.exec:\pvlrdt.exe95⤵
-
\??\c:\vrxhrxr.exec:\vrxhrxr.exe96⤵
-
\??\c:\dtxnfj.exec:\dtxnfj.exe97⤵
-
\??\c:\nlrnfdf.exec:\nlrnfdf.exe98⤵
-
\??\c:\dnrvjn.exec:\dnrvjn.exe99⤵
-
\??\c:\vbhbpdp.exec:\vbhbpdp.exe100⤵
-
\??\c:\pnhnnv.exec:\pnhnnv.exe101⤵
-
\??\c:\nprhj.exec:\nprhj.exe102⤵
-
\??\c:\vhbddx.exec:\vhbddx.exe103⤵
-
\??\c:\ftnlfd.exec:\ftnlfd.exe104⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vvvhpjb.exec:\vvvhpjb.exe105⤵
-
\??\c:\nxpjj.exec:\nxpjj.exe106⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vjfdxrd.exec:\vjfdxrd.exe107⤵
-
\??\c:\lrfvdx.exec:\lrfvdx.exe108⤵
-
\??\c:\tjdvrjl.exec:\tjdvrjl.exe109⤵
-
\??\c:\vddtddd.exec:\vddtddd.exe110⤵
-
\??\c:\lbhjtl.exec:\lbhjtl.exe111⤵
-
\??\c:\hpjxt.exec:\hpjxt.exe112⤵
-
\??\c:\xrlpvbb.exec:\xrlpvbb.exe113⤵
-
\??\c:\bjnjlf.exec:\bjnjlf.exe114⤵
-
\??\c:\vfdvph.exec:\vfdvph.exe115⤵
-
\??\c:\tfrjf.exec:\tfrjf.exe116⤵
-
\??\c:\tlxbp.exec:\tlxbp.exe117⤵
-
\??\c:\lflhdj.exec:\lflhdj.exe118⤵
-
\??\c:\nddxbhp.exec:\nddxbhp.exe119⤵
-
\??\c:\xndrf.exec:\xndrf.exe120⤵
-
\??\c:\ftdpxhp.exec:\ftdpxhp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-