Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
26-12-2024 03:21
General
-
Target
680a06ace9f201131ea2bef9926c27b1140c795b635a11ae4323fddfc61eff10.exe
-
Size
71KB
-
MD5
d41597c58fc3f2dd0ba1d6db23c596b6
-
SHA1
cde607e425abe274e1ba8e8c43bf33d21ed738fb
-
SHA256
680a06ace9f201131ea2bef9926c27b1140c795b635a11ae4323fddfc61eff10
-
SHA512
d9f9765b9cb68e8ad5ca87cad8147c8f38da1139d61d2113f6b0a31c85dfd520b23424838d61cf7f3631be03e0939459d65d968fbd8935e21cb42571bc5bd9b4
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUuYp+5C8+LuvdLH+/:ymb3NkkiQ3mdBjF0yMliC/
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\680a06ace9f201131ea2bef9926c27b1140c795b635a11ae4323fddfc61eff10.exe"C:\Users\Admin\AppData\Local\Temp\680a06ace9f201131ea2bef9926c27b1140c795b635a11ae4323fddfc61eff10.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3ttbnt.exec:\3ttbnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppvd.exec:\pppvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpdj.exec:\dvpdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rlrxfl.exec:\9rlrxfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxrlfr.exec:\lfxrlfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnnbn.exec:\ttnnbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvdp.exec:\ddvdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxrffr.exec:\ffxrffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbtbbn.exec:\nbtbbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjjp.exec:\jjjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpddj.exec:\vpddj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrfrrx.exec:\fxrfrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bbtbh.exec:\5bbtbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnbnt.exec:\tnnbnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pvdp.exec:\1pvdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdjv.exec:\dvdjv.exe17⤵
- Executes dropped EXE
-
\??\c:\rfrxffr.exec:\rfrxffr.exe18⤵
- Executes dropped EXE
-
\??\c:\rfrxffl.exec:\rfrxffl.exe19⤵
- Executes dropped EXE
-
\??\c:\htnhnt.exec:\htnhnt.exe20⤵
- Executes dropped EXE
-
\??\c:\hbbnnt.exec:\hbbnnt.exe21⤵
- Executes dropped EXE
-
\??\c:\tnbbnb.exec:\tnbbnb.exe22⤵
- Executes dropped EXE
-
\??\c:\vjdjp.exec:\vjdjp.exe23⤵
- Executes dropped EXE
-
\??\c:\fxrrffx.exec:\fxrrffx.exe24⤵
- Executes dropped EXE
-
\??\c:\7frxflr.exec:\7frxflr.exe25⤵
- Executes dropped EXE
-
\??\c:\hhthnn.exec:\hhthnn.exe26⤵
- Executes dropped EXE
-
\??\c:\bthntt.exec:\bthntt.exe27⤵
- Executes dropped EXE
-
\??\c:\jdvpj.exec:\jdvpj.exe28⤵
- Executes dropped EXE
-
\??\c:\rrllxfr.exec:\rrllxfr.exe29⤵
- Executes dropped EXE
-
\??\c:\frflrrr.exec:\frflrrr.exe30⤵
- Executes dropped EXE
-
\??\c:\1thhnn.exec:\1thhnn.exe31⤵
- Executes dropped EXE
-
\??\c:\hbhbnt.exec:\hbhbnt.exe32⤵
- Executes dropped EXE
-
\??\c:\vjvpj.exec:\vjvpj.exe33⤵
- Executes dropped EXE
-
\??\c:\pjpvp.exec:\pjpvp.exe34⤵
- Executes dropped EXE
-
\??\c:\xlflrrf.exec:\xlflrrf.exe35⤵
- Executes dropped EXE
-
\??\c:\rlxrrxf.exec:\rlxrrxf.exe36⤵
- Executes dropped EXE
-
\??\c:\hbnntn.exec:\hbnntn.exe37⤵
- Executes dropped EXE
-
\??\c:\hbbbtt.exec:\hbbbtt.exe38⤵
- Executes dropped EXE
-
\??\c:\nnbhnt.exec:\nnbhnt.exe39⤵
- Executes dropped EXE
-
\??\c:\pjpvd.exec:\pjpvd.exe40⤵
- Executes dropped EXE
-
\??\c:\dvpvd.exec:\dvpvd.exe41⤵
- Executes dropped EXE
-
\??\c:\7flrllf.exec:\7flrllf.exe42⤵
- Executes dropped EXE
-
\??\c:\fffxlrx.exec:\fffxlrx.exe43⤵
- Executes dropped EXE
-
\??\c:\rllfxxl.exec:\rllfxxl.exe44⤵
- Executes dropped EXE
-
\??\c:\bhbttt.exec:\bhbttt.exe45⤵
- Executes dropped EXE
-
\??\c:\7bthtt.exec:\7bthtt.exe46⤵
- Executes dropped EXE
-
\??\c:\dvjvd.exec:\dvjvd.exe47⤵
- Executes dropped EXE
-
\??\c:\pjvvj.exec:\pjvvj.exe48⤵
- Executes dropped EXE
-
\??\c:\lfllrrf.exec:\lfllrrf.exe49⤵
- Executes dropped EXE
-
\??\c:\xxrlrfr.exec:\xxrlrfr.exe50⤵
- Executes dropped EXE
-
\??\c:\lrllllr.exec:\lrllllr.exe51⤵
- Executes dropped EXE
-
\??\c:\nhtbbh.exec:\nhtbbh.exe52⤵
- Executes dropped EXE
-
\??\c:\thnbhn.exec:\thnbhn.exe53⤵
- Executes dropped EXE
-
\??\c:\ddvpd.exec:\ddvpd.exe54⤵
- Executes dropped EXE
-
\??\c:\7pvjp.exec:\7pvjp.exe55⤵
- Executes dropped EXE
-
\??\c:\9rrrrxf.exec:\9rrrrxf.exe56⤵
- Executes dropped EXE
-
\??\c:\fxrflrf.exec:\fxrflrf.exe57⤵
- Executes dropped EXE
-
\??\c:\frlrrrx.exec:\frlrrrx.exe58⤵
- Executes dropped EXE
-
\??\c:\bththh.exec:\bththh.exe59⤵
- Executes dropped EXE
-
\??\c:\bbtnth.exec:\bbtnth.exe60⤵
- Executes dropped EXE
-
\??\c:\bthtbb.exec:\bthtbb.exe61⤵
- Executes dropped EXE
-
\??\c:\jdppp.exec:\jdppp.exe62⤵
- Executes dropped EXE
-
\??\c:\3fxfllx.exec:\3fxfllx.exe63⤵
- Executes dropped EXE
-
\??\c:\rfrxffl.exec:\rfrxffl.exe64⤵
- Executes dropped EXE
-
\??\c:\frlrxrf.exec:\frlrxrf.exe65⤵
- Executes dropped EXE
-
\??\c:\hththn.exec:\hththn.exe66⤵
-
\??\c:\3htbnn.exec:\3htbnn.exe67⤵
-
\??\c:\jdpvj.exec:\jdpvj.exe68⤵
-
\??\c:\pjjpd.exec:\pjjpd.exe69⤵
-
\??\c:\dvjvd.exec:\dvjvd.exe70⤵
-
\??\c:\fxlrrxf.exec:\fxlrrxf.exe71⤵
-
\??\c:\fxrxrrl.exec:\fxrxrrl.exe72⤵
-
\??\c:\7tnbnt.exec:\7tnbnt.exe73⤵
-
\??\c:\nnntbh.exec:\nnntbh.exe74⤵
-
\??\c:\5dvjj.exec:\5dvjj.exe75⤵
-
\??\c:\xllrrxl.exec:\xllrrxl.exe76⤵
-
\??\c:\fxxlllr.exec:\fxxlllr.exe77⤵
-
\??\c:\3bbtnt.exec:\3bbtnt.exe78⤵
-
\??\c:\9thntt.exec:\9thntt.exe79⤵
-
\??\c:\pjppd.exec:\pjppd.exe80⤵
-
\??\c:\1jvdp.exec:\1jvdp.exe81⤵
-
\??\c:\fxxxflr.exec:\fxxxflr.exe82⤵
-
\??\c:\rlflxxl.exec:\rlflxxl.exe83⤵
-
\??\c:\1bhttb.exec:\1bhttb.exe84⤵
-
\??\c:\jpvvj.exec:\jpvvj.exe85⤵
-
\??\c:\vppvj.exec:\vppvj.exe86⤵
-
\??\c:\ppdjd.exec:\ppdjd.exe87⤵
-
\??\c:\lfxlxxl.exec:\lfxlxxl.exe88⤵
-
\??\c:\rfxllrf.exec:\rfxllrf.exe89⤵
-
\??\c:\nhnnhn.exec:\nhnnhn.exe90⤵
-
\??\c:\nbbnbb.exec:\nbbnbb.exe91⤵
-
\??\c:\dpjpv.exec:\dpjpv.exe92⤵
-
\??\c:\9vvvd.exec:\9vvvd.exe93⤵
-
\??\c:\9lrxflr.exec:\9lrxflr.exe94⤵
-
\??\c:\llxlxff.exec:\llxlxff.exe95⤵
-
\??\c:\hbbntb.exec:\hbbntb.exe96⤵
-
\??\c:\nnbhtb.exec:\nnbhtb.exe97⤵
-
\??\c:\5nnnhh.exec:\5nnnhh.exe98⤵
-
\??\c:\dvpdv.exec:\dvpdv.exe99⤵
-
\??\c:\jdvjp.exec:\jdvjp.exe100⤵
-
\??\c:\rlllxxf.exec:\rlllxxf.exe101⤵
-
\??\c:\fxfxfff.exec:\fxfxfff.exe102⤵
-
\??\c:\bbthnn.exec:\bbthnn.exe103⤵
-
\??\c:\btbbnt.exec:\btbbnt.exe104⤵
-
\??\c:\dpdjv.exec:\dpdjv.exe105⤵
-
\??\c:\ppjvj.exec:\ppjvj.exe106⤵
-
\??\c:\lffrrrf.exec:\lffrrrf.exe107⤵
-
\??\c:\frrlrrf.exec:\frrlrrf.exe108⤵
-
\??\c:\7bhnbt.exec:\7bhnbt.exe109⤵
-
\??\c:\7hbhtb.exec:\7hbhtb.exe110⤵
-
\??\c:\jppvd.exec:\jppvd.exe111⤵
-
\??\c:\5ppjp.exec:\5ppjp.exe112⤵
-
\??\c:\vvvdv.exec:\vvvdv.exe113⤵
-
\??\c:\frlxlxf.exec:\frlxlxf.exe114⤵
-
\??\c:\xxlfrlf.exec:\xxlfrlf.exe115⤵
-
\??\c:\9bbbnn.exec:\9bbbnn.exe116⤵
-
\??\c:\tnhhnb.exec:\tnhhnb.exe117⤵
-
\??\c:\3pdvd.exec:\3pdvd.exe118⤵
-
\??\c:\3vppd.exec:\3vppd.exe119⤵
-
\??\c:\pjjvp.exec:\pjjvp.exe120⤵
-
\??\c:\rlflxfl.exec:\rlflxfl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-