Analysis
-
max time kernel
150s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
26-12-2024 02:02
General
-
Target
77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe
-
Size
454KB
-
MD5
114e100b2c654b36c590d8ce7c024311
-
SHA1
ff2061252792bb59729fd0ac1b1c4fd63cf04842
-
SHA256
77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46
-
SHA512
789affbea2bb088847b8a189fad3cf6f54bc46f704bdee9fd9671422f19142d7203c9ffb934fbbe891f1a049fadf02d78a3f0fe337fb7a77dfc077a98b84cc6e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeq:q7Tc2NYHUrAwfMp3CDq
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 36 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 44 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe"C:\Users\Admin\AppData\Local\Temp\77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpp.exec:\dvvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjppp.exec:\jjppp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nbhtn.exec:\1nbhtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tbhnb.exec:\5tbhnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrlrlr.exec:\lrrlrlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nttbh.exec:\9nttbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxxxxf.exec:\rrxxxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthntb.exec:\tthntb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9fxxxxl.exec:\9fxxxxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhttth.exec:\bhttth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfllrrx.exec:\lfllrrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrlxlr.exec:\ffrlxlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7thntb.exec:\7thntb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlfrfr.exec:\rxlfrfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvjj.exec:\dvvjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rffrxf.exec:\3rffrxf.exe17⤵
- Executes dropped EXE
-
\??\c:\vvdpv.exec:\vvdpv.exe18⤵
- Executes dropped EXE
-
\??\c:\5tnnhh.exec:\5tnnhh.exe19⤵
- Executes dropped EXE
-
\??\c:\jjpvv.exec:\jjpvv.exe20⤵
- Executes dropped EXE
-
\??\c:\fflxlrx.exec:\fflxlrx.exe21⤵
- Executes dropped EXE
-
\??\c:\dvvpp.exec:\dvvpp.exe22⤵
- Executes dropped EXE
-
\??\c:\ffrxflr.exec:\ffrxflr.exe23⤵
- Executes dropped EXE
-
\??\c:\9bhhhb.exec:\9bhhhb.exe24⤵
- Executes dropped EXE
-
\??\c:\xxfrrxl.exec:\xxfrrxl.exe25⤵
- Executes dropped EXE
-
\??\c:\7bhbbb.exec:\7bhbbb.exe26⤵
- Executes dropped EXE
-
\??\c:\9vjdv.exec:\9vjdv.exe27⤵
- Executes dropped EXE
-
\??\c:\bbnnbh.exec:\bbnnbh.exe28⤵
- Executes dropped EXE
-
\??\c:\tthnhh.exec:\tthnhh.exe29⤵
- Executes dropped EXE
-
\??\c:\1btnhn.exec:\1btnhn.exe30⤵
- Executes dropped EXE
-
\??\c:\3hhtbn.exec:\3hhtbn.exe31⤵
- Executes dropped EXE
-
\??\c:\frlfxrl.exec:\frlfxrl.exe32⤵
- Executes dropped EXE
-
\??\c:\bbhttt.exec:\bbhttt.exe33⤵
- Executes dropped EXE
-
\??\c:\7lxfrfl.exec:\7lxfrfl.exe34⤵
- Executes dropped EXE
-
\??\c:\1hbhtb.exec:\1hbhtb.exe35⤵
- Executes dropped EXE
-
\??\c:\dpvvd.exec:\dpvvd.exe36⤵
- Executes dropped EXE
-
\??\c:\1fxxfrf.exec:\1fxxfrf.exe37⤵
- Executes dropped EXE
-
\??\c:\rxrrrrr.exec:\rxrrrrr.exe38⤵
- Executes dropped EXE
-
\??\c:\tthhnb.exec:\tthhnb.exe39⤵
- Executes dropped EXE
-
\??\c:\vvdvv.exec:\vvdvv.exe40⤵
- Executes dropped EXE
-
\??\c:\9xlrxxf.exec:\9xlrxxf.exe41⤵
- Executes dropped EXE
-
\??\c:\fflflxx.exec:\fflflxx.exe42⤵
- Executes dropped EXE
-
\??\c:\1htttt.exec:\1htttt.exe43⤵
- Executes dropped EXE
-
\??\c:\jjvdd.exec:\jjvdd.exe44⤵
- Executes dropped EXE
-
\??\c:\7frflxl.exec:\7frflxl.exe45⤵
- Executes dropped EXE
-
\??\c:\3nhntb.exec:\3nhntb.exe46⤵
- Executes dropped EXE
-
\??\c:\pjdjp.exec:\pjdjp.exe47⤵
- Executes dropped EXE
-
\??\c:\pjppp.exec:\pjppp.exe48⤵
- Executes dropped EXE
-
\??\c:\7frrxxl.exec:\7frrxxl.exe49⤵
- Executes dropped EXE
-
\??\c:\nnbhnh.exec:\nnbhnh.exe50⤵
- Executes dropped EXE
-
\??\c:\9jvjv.exec:\9jvjv.exe51⤵
- Executes dropped EXE
-
\??\c:\ddpvd.exec:\ddpvd.exe52⤵
- Executes dropped EXE
-
\??\c:\lxxrfxx.exec:\lxxrfxx.exe53⤵
- Executes dropped EXE
-
\??\c:\bbnntt.exec:\bbnntt.exe54⤵
- Executes dropped EXE
-
\??\c:\jjvvd.exec:\jjvvd.exe55⤵
- Executes dropped EXE
-
\??\c:\vvddd.exec:\vvddd.exe56⤵
- Executes dropped EXE
-
\??\c:\9rfxlfr.exec:\9rfxlfr.exe57⤵
- Executes dropped EXE
-
\??\c:\9httbh.exec:\9httbh.exe58⤵
- Executes dropped EXE
-
\??\c:\vvjvj.exec:\vvjvj.exe59⤵
- Executes dropped EXE
-
\??\c:\ffxlrxl.exec:\ffxlrxl.exe60⤵
- Executes dropped EXE
-
\??\c:\7htttb.exec:\7htttb.exe61⤵
- Executes dropped EXE
-
\??\c:\hhnntt.exec:\hhnntt.exe62⤵
- Executes dropped EXE
-
\??\c:\pppvd.exec:\pppvd.exe63⤵
- Executes dropped EXE
-
\??\c:\lfxfrrf.exec:\lfxfrrf.exe64⤵
- Executes dropped EXE
-
\??\c:\hntttt.exec:\hntttt.exe65⤵
- Executes dropped EXE
-
\??\c:\vvdjv.exec:\vvdjv.exe66⤵
-
\??\c:\dpvpv.exec:\dpvpv.exe67⤵
-
\??\c:\1xxfxfr.exec:\1xxfxfr.exe68⤵
-
\??\c:\hhnnnn.exec:\hhnnnn.exe69⤵
-
\??\c:\7jvdd.exec:\7jvdd.exe70⤵
-
\??\c:\1jddj.exec:\1jddj.exe71⤵
-
\??\c:\flxfllr.exec:\flxfllr.exe72⤵
-
\??\c:\1nhhhh.exec:\1nhhhh.exe73⤵
-
\??\c:\bbhtbh.exec:\bbhtbh.exe74⤵
-
\??\c:\jvdvv.exec:\jvdvv.exe75⤵
-
\??\c:\ffrxrxl.exec:\ffrxrxl.exe76⤵
-
\??\c:\lfrrxfr.exec:\lfrrxfr.exe77⤵
-
\??\c:\3thhnb.exec:\3thhnb.exe78⤵
-
\??\c:\jjvvj.exec:\jjvvj.exe79⤵
-
\??\c:\ddjpv.exec:\ddjpv.exe80⤵
-
\??\c:\llxflrx.exec:\llxflrx.exe81⤵
-
\??\c:\3bhtth.exec:\3bhtth.exe82⤵
-
\??\c:\9nbbth.exec:\9nbbth.exe83⤵
-
\??\c:\ppvpv.exec:\ppvpv.exe84⤵
-
\??\c:\lfrxllx.exec:\lfrxllx.exe85⤵
-
\??\c:\tthnbh.exec:\tthnbh.exe86⤵
-
\??\c:\hbhtbt.exec:\hbhtbt.exe87⤵
-
\??\c:\1vvjv.exec:\1vvjv.exe88⤵
-
\??\c:\rfrrlrf.exec:\rfrrlrf.exe89⤵
-
\??\c:\bbtbbh.exec:\bbtbbh.exe90⤵
-
\??\c:\btntbh.exec:\btntbh.exe91⤵
-
\??\c:\5vjpp.exec:\5vjpp.exe92⤵
-
\??\c:\1fflrrf.exec:\1fflrrf.exe93⤵
-
\??\c:\tnbhtt.exec:\tnbhtt.exe94⤵
-
\??\c:\hhbnnt.exec:\hhbnnt.exe95⤵
-
\??\c:\dpdpd.exec:\dpdpd.exe96⤵
-
\??\c:\lrxxfrr.exec:\lrxxfrr.exe97⤵
-
\??\c:\bthntt.exec:\bthntt.exe98⤵
-
\??\c:\vddpd.exec:\vddpd.exe99⤵
-
\??\c:\jvddj.exec:\jvddj.exe100⤵
-
\??\c:\1lfflrf.exec:\1lfflrf.exe101⤵
-
\??\c:\nhttnt.exec:\nhttnt.exe102⤵
-
\??\c:\jpdjd.exec:\jpdjd.exe103⤵
-
\??\c:\7dpdp.exec:\7dpdp.exe104⤵
-
\??\c:\rrllxfr.exec:\rrllxfr.exe105⤵
-
\??\c:\rrflrxl.exec:\rrflrxl.exe106⤵
-
\??\c:\ntbhnt.exec:\ntbhnt.exe107⤵
-
\??\c:\ddpvd.exec:\ddpvd.exe108⤵
- System Location Discovery: System Language Discovery
-
\??\c:\jjvvj.exec:\jjvvj.exe109⤵
-
\??\c:\1xflxfl.exec:\1xflxfl.exe110⤵
-
\??\c:\5nhnht.exec:\5nhnht.exe111⤵
-
\??\c:\ddpvp.exec:\ddpvp.exe112⤵
-
\??\c:\pvjpd.exec:\pvjpd.exe113⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rxlrrxl.exec:\rxlrrxl.exe114⤵
-
\??\c:\hhnnbh.exec:\hhnnbh.exe115⤵
-
\??\c:\vpdjp.exec:\vpdjp.exe116⤵
-
\??\c:\xfrxlrl.exec:\xfrxlrl.exe117⤵
-
\??\c:\1hhthn.exec:\1hhthn.exe118⤵
-
\??\c:\djvvp.exec:\djvvp.exe119⤵
-
\??\c:\jppvj.exec:\jppvj.exe120⤵
-
\??\c:\xxllrxr.exec:\xxllrxr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-